Information Technology Security Plan

This document describes the procedures followed [will follow] to protect the operation and data of the listed device(s) in accordance with Texas A&M University’s rules, SAPs and Security Controls Catalog.

Texas A&M Rules and SAPs (29 Information Resources)

rules-saps.tamu.edu/TAMURulesAndSAPs.aspx

Texas A&M Information Security Control Catalog (ISCC)

cio.tamu.edu/Risk_Management_Policy/IT_Policy/Information_Security_Controls_Catalog.php

State and Federal Laws

cio.tamu.edu/Risk_Management_Policy/IT_Policy/State_and_Federal_Laws.php

Notes will be added throughout this document to indicate places where changes may be needed for your particular situation. Remove these notes from your final document.
This template is written toward the case of an individual who administers a single workstation or laptop with no unusual IT-related activities.

Information Resource Description

Administrator/Assessor: ______

Device Name: ______

TAMU Asset Number: ______[or mark “Not Inventoried”]

Serial Number: ______

Operating System:______

Description:______

Purpose of Device(s)

If you have more than one device, you can include all of them above (format the information as appropriate). If some devices have significantly different security profiles you should create separate answers to the questions and make notes for differences between the systems in this document or create a separate one.
For servers or other specialized devices, you should include a description of that special purpose, how the system benefits the mission of the college or university, etc.

Account Management

Describe how you enforce the account management rules for this device, such as account creation, password requirements, etc. See Control Catalog IA-2 and TAMU SAP 29.01.03.M1.14.

Audit and Accountability

Describe how you manage and monitor security logs for your devices. See Control Catalog AU-2 Audit Events as well as the NIST questions.
Describe your annual security report process.

Configuration Management

Describe any special considerations used for managing changes and configuration for the device. See the configuration management section of the NIST questions as well as the Control Catalog CM-1 Configuration Management Policy and Procedures.

Contingency Planning

Describe your backup procedures and how you would recover from a loss of this device. See the “Contingency Planning” section of the NIST questions and the contingency planning section of the Control Catalog (CP-2, CP-4, CP-6).

Data Classification

Describe the types of data that will be kept on this computer. In particular, note any confidential data to be stored on it, and be sure to answer the questions regarding confidential data accordingly. Review the A&M data classification policy to determine the proper classification of data.
If confidential data is stored, then this document needs to address how the data is kept encrypted on the device and when moving data to or from the device.

End of Life

Describe how you will ensure that your device is properly disposed of when you no longer need it. You should be able to just use the following statement intact. If changes are needed, contact the CEHD ISO to discuss special needs.

I agree to return this device to Technology Services when this device reaches its end-of-life or when I am ready to return this device to the department for a replacement. When returned, Technology Services will re-image the device (or sanitize the hard drive) before it is reallocated to another user or transferred to A&M surplus. I understand this needs to happen whether or not the device is an inventoried item. I also agree not to transfer administrative authority for this device to another person, but that the new person will need to receive approval from the Dean and that the device will need to be returned to Technology Services for the transfer to occur. If special consideration is required, contact the CEHD ISO to discuss needs.

Installed Software

This should include a statement that you will only install legally licensed software and that you will keep documentation for any purchased software.

Network Security

Describe the network security for where your device will be used. See the Sample document for example text.

Social Security Number Scanning

Describe how and when you perform scanning of your computer for SSNs. This must be done annually to be in compliance.
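As an added example (not part of the TAMU template or any campus-provided tool), the following Python script is one way to carry out the annual SSN scan on a single workstation: it walks a directory of text files, flags lines containing plausible SSNs using the Social Security Administration's structural rules to cut false positives, and reports only masked values so the scan output is not itself confidential data. The list of scanned file types is an assumption.

```python
# Added example (not part of the TAMU template): annual SSN scan of a workstation's
# text files, reporting only masked values so the report is not itself confidential.
import re
from pathlib import Path

# 3-2-4 digits with one consistent separator ('-', ' ' or none), not inside a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")
# File types worth scanning on a typical workstation (assumed list; extend as needed).
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".md", ".json", ".xml", ".html"}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666, 900-999, group 00 and serial 0000 are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[str]:
    """Return plausible SSNs in text, masked to the last four digits."""
    return [
        f"***-**-{serial}"
        for area, _sep, group, serial in SSN_RE.findall(text)
        if is_plausible_ssn(area, group, serial)
    ]


def scan_tree(root: Path) -> dict[str, list[tuple[int, str]]]:
    """Map each flagged file (relative to root) to its (line number, masked SSN) hits."""
    findings: dict[str, list[tuple[int, str]]] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        hits: list[tuple[int, str]] = []
        # errors="replace" keeps stray binary content from aborting the whole scan
        with path.open("r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, start=1):
                hits.extend((lineno, masked) for masked in find_ssns(line))
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings


if __name__ == "__main__":
    import sys
    report = scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else "."))
    for name, hits in sorted(report.items()):
        for lineno, masked in hits:
            print(f"{name}:{lineno}: {masked}")
    print(f"{sum(map(len, report.values()))} candidate SSN(s) in {len(report)} file(s)")
```

Run it against your home directory once a year and keep the masked report with this plan; any hit in a file that should not hold confidential data is what the Data Classification section above must account for.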

System Planning, Acquisition, Vendors, and Training

Describe the process you use to ensure purchasing and use of third-party vendors is done in compliance with TAMU and CEHD policy. (See the System and Service Acquisition portion of the Control Catalog.)
Also, include your annual IT Security training (e.g., the “Information Security Awareness” course from HR).

System Protection

Include a description of how you configure your computer to protect it from security threats. This includes anti-virus, firewall settings, system patches, login banner, and any other processes you use.

The information provided in this and accompanying documents is accurate to the best of my knowledge and understanding.

Administrator: ______Date: ______