University SAPs and Rules

Texas A&M Rules and Standard Administrative Procedures that relate to information technology are listed below. 

• Student Rule 22
  Rules for Responsible Computing
• Student Rules, Appendix V
  Describes the responsibilities of individuals using the university's computing resources or facilities.
• 29.01.99.M1 - Security of Electronic Information
  Describes the responsibility of information resource owners or designees to ensure that adequate security measures are in place and that an annual risk assessment is performed. Supplementary SAPs are provided below:
  
  • .01 - Guidelines on Network Scanning
    Describes restrictions on network scanning.
  • .02 - Acceptable Use
    Identifies relevant policies and procedures that pertain to aspects of acceptable use.
  • .03 - Account Management
    Provides procedures for the secure management of access authorization and associated credentials.
  • .04 - Administrator/Special Access
    Provides procedures for the appropriate management of the creation, use, monitoring, control, and removal of accounts with special access privileges.
  • .05 - Authorized Software
    Informs University computer users of the rules for authorized software on Texas A&M University information resources.
  • .06 - Backup Recovery
    Provides a set of practices for implementing, monitoring, protecting, and testing of backup/recovery procedures.
  • .07 - Change Management
    Provides the components and steps for the appropriate management of changes to information resources.
  • .08 - Email Use
    Addresses expected standards for efficient and reliable use of University email.
  • .09 - Incident Management
    Describes the requirements for dealing with computer security incidents.
  • .10 - Internet/Intranet Use
    Addresses the appropriate management and responsible use of Internet and Intranet resources.
  • .11 - Intrusion Detection
    Describes procedures for monitoring and responding to intrusion on information resources.
  • .12 - Network Access
    Establishes the process for the access to the Texas A&M network infrastructure.
  • .13 - Network Configuration
    Establishes the process for change of the Texas A&M network infrastructure.
  • .14 - Password/Authentication
    Establishes the process for the creation, distribution, safeguarding, termination, and reclamation of the university user authentication mechanisms.
  • .15 - Physical Access
    Establishes the process for granting, controlling, monitoring, and removing physical access to information resource facilities.
  • .16 - Portable Computing
    Provides specific guidance on the responsibilities of information resource owners to adequately protect data residing on portable devices.
  • .17 - Privacy
    Establishes responsibilities and limits for system administrators and users in providing privacy for university information resources.
  • .18 - Security Monitoring
    Provides information about ensuring that information resource security controls are in place, are effective, and are not being bypassed.
  • .19 - Security Awareness and Training
    Describes the requirements for each user of university information resources to receive adequate training on information security issues.
  • .20 - Server Hardening
    Describes the requirements for securely installing a new server  and maintaining the security integrity of the server and application software.
  • .21 - System Development and Acquisition
    Describes the requirements for developing and/or implementing new application software in the University.
  • .22 - Vendor Access
    Provides a set of measures that will mitigate information security risks associated with vendor access.
  • .23 - Malicious Code
    Provide information about improving the resistance to, detection of, and recovery from malicious code.
  • .24 - Notification of Unauthorized Disclosure of Sensitive Personal Information
    Describes the procedure to enact upon discovery or notification that sensitive personal information has been acquired by an unauthorized person.
  • .25 - Use of Peer-to-Peer File Sharing Software
    Describes requirements related to the appropriate use of peer-to-peer (P2P) file-sharing software
  • .26 - Information Security Risk Assessment Reviews
    Assists Texas A&M departments with improving the effectiveness of their use of the ISAAC system and the value and accuracy of their information security risk assessments.
  • .27 - Exclusions from Required Risk Mitigation Measures
    Provides a process for exclusions from the provisions of information technology SAPs while preserving the overall integrity and consistency of the University's security posture.
  • .28 - Security Surveillance
    Establishes transparent processes and controls for using audiovisual surveillance equipment and any resulting recorded material.
  • .29 - Data Classification and Protection
    Provides a foundation for the development and implementation of necessary security controls to protect information according to its value and/or risk.
  • .30 - Information Resources - Wireless Access
    Provides procedures for using wireless connectivity to access Texas A&M information resources.
  • .31 - Encryption of Confidential and Sensitive Information
    Provides guidance on the use of encryption to protect Confidential and/or Sensitive information.
  • .32 - Disaster Recovery Planning
    Describes planning and testing required for Disaster Recovery.
  • .33 - Firewalls
    Provides information on where to find expert guidance for administering both host-based and departmental firewalls.
• 29.01.99.M2 - Rules for Responsible Computing
  Addresses Texas A&M University's philosophy about computing use.
  • .01 Employee Email
    Addresses the use and retention of email by Texas A&M Employees.
• 29.01.99.M3 - Incidental Computer Use
  Describes Incidental personal use of computing resources as an exception to the general prohibition against the use of Texas A&M equipment for anything other than official state business.
• 29.01 - Information Resources
  Establishes minimum accessibility and usability standards for official University web pages and encourages web authors to exceed minimum standards.
  • .01 - Accessibility of Electronic and Information Resources
    Requires that new or redesigned official University web pages intended for the public be accessible and usable for all users.
• 32.01.99.M1 - Complaint Procedures for Electronic Information
  Provides for investigation of suspected incidents of inappropriate use of information resources.
  

Employees of the A&M System are required to report factual information suggestive of fraudulent, wasteful or abusive activities that may involve the System or any of its members. To report such activities, employees can call the A&M System Risk & Misconduct Hotline at 1.888.501.3850 or submit a report via the Internet at the System's Risk & Misconduct Hotline. Employees can also call the State Auditor's Office at 1.800.892.8348 or submit a report via the Internet at http://sao.fraud.state.tx.us.