The Chief Information Security Officer is the designated administrator of the Texas A&M University information security program (see TAC §202.71) and is responsible for:

  • Developing, recommending, and establishing policies, procedures, and practices as necessary to protect the university's information resources against unauthorized or accidental modification, destruction, or disclosure;
  • Identifying and implementing proactive and reactive technical measures to detect vulnerabilities and to defend against external and internal security threats;
  • Providing consulting and technical support services to owners, custodians, and users in defining and deploying cost-effective security controls and protections;
  • Establishing, maintaining, and institutionalizing security incident response procedures to ensure that security events are thoroughly investigated, documented, and reported, that damage is minimized, that risks are mitigated, and that remedial actions are taken to prevent recurrence;
  • Establishing and publicizing a security awareness program to achieve and maintain a security-conscious user community;
  • Documenting, maintaining, and obtaining ongoing support for all aspects of the information security program;
  • Monitoring the effectiveness of strategies, activities, measures, and controls designed to protect the university's information resources;
  • Assuring executive management awareness of legal and regulatory changes that might impact the university's information security and privacy policies and practices;
  • Serving as the university's internal and external point of contact for information security matters;
  • Reporting frequently (at least annually) on the status and effectiveness of the information security program as directed by the VPIT (see TAC §202.73(a)); and
  • Having authority for information security for the entire institution (see TAC §202.71(a)(2)).

Risk Management and Policy

The Chief Information Security Officer leads a team of professionals who focus on three key areas of information security management: