New Release of System Policy 29.02
The new System Policy 29.02, Information Security, was released today.
DIR has added seven new security control standards in version 2.2 of their security control standards catalog. These have been incorporated into the A&M System Security Control Standards Catalog, published at https://www.cyber.tamus.edu/catalog/. All controls have a required implementation date of February 28, 2027, and are listed below:
As a result of recent federal and state government requirements and recommendation from General Counsel, the Texas A&M System has implemented a minimum standard of blocked countries for all publicly-accessible system information resources. This standard is reflected in the newly added system required control SC-07(11). The list of blocked countries is published at https://sso.tamus.edu/BlockedCountries.aspx and may be updated as circumstances dictate.
System Regulation 29.01.06, released last week, implements what was previously a policy letter from the System CIO to all members addressing covered applications and prohibited technology.
The guidelines page at https://www.cyber.tamus.edu/policy/guidelines/prohibited-technology/ has been updated to reflect these changes. The regulation is also available at https://policies.tamus.edu/29-01-06.pdf.
Today, TAMUS Cybersecurity released updated incident notification guidance for members to report incidents where the confidentiality, integrity, or availability of a member high-impact information system, or a system processing confidential information, is potentially compromised.
The updated guidance is available at https://www.cyber.tamus.edu/policy/guidelines/incident-notification/.
On January 31, 2025, DIR released an update to the prohibited technologies list to include the following software, applications, and developers:
Today we released a series of administrative changes to the security control standards. The majority of these changes moved TAMUS Implementation Statement language into organizationally-defined parameters (ODP) within each control, implemented control standards that reflect existing system policy, and assigned an impact baseline for all TAMUS-required controls.
An updated Covered Applications and Prohibited Technology Plan, as required by Texas DIR and Texas DPS, was issued today. The updated plan incorporates the requirements of Texas Government Code Chapter 620 and revises the plan's language throughout.
The revised plan is available at https://www.cyber.tamus.edu/policy/guidelines/prohibited-technology/.
A revised System Regulation 29.01.03, Information Security, was released today. This revision:
The revised regulation is available at https://policies.tamus.edu/29-01-03.pdf.
The comment period for new security control standards regarding Identity Proofing (IA-12(02)) and Identity Evidence Validation and Verification (IA-12(03)) has closed and the new standards have been published in the A&M System Security Control Standards Catalog.
Because this is a time-sensitive procedural implementation to address actively-exploited cyber risks, the implementation date is effective September 1.
When developing your member-level procedures to implement this control standard, please also take into consideration distributed systems with user accounts for which organizations other than IT may be responsible (this includes HR for TAMUS SSO accounts, Provost/Enrollment Management/Alumni Affairs for prospective students, alumni, etc.) and ensure those administrators are properly briefed on the control requirement.