PL-2 System Security Plan

Last Review: 10/1/22


WTAMU has a broad system security plan in place and reviews it annually for appropriateness.


This Control applies to all West Texas A&M information resources. The DIR “Agency Security Plan” is the “plan” referred to in this control, and the ISO is responsible for preparation and submission of this plan. Additional internal plan documents may be prepared as well to provide more detail on current risk and mitigation activities.


WTAMU shall develop, distribute, review, protect, and update a security plan for the University that:

  • is consistent with the University’s enterprise architecture;
  • explicitly defines the authorization boundary for systems;
  • describes the operational context of the information system in terms of missions and business processes;
  • provides the security categorization of the information system including supporting rationale;
  • describes the operational environment for the information system and relationships with or connections to other information systems;
  • provides an overview of the security requirements for the system;
  • identifies any relevant overlays, if applicable;
  • describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and
  • is reviewed and approved by the chief information officer and information security officer and submitted to the University President.

The ISO shall:

  • distribute a copy of the Security Plan to the appropriate personnel;
  • review the plan at least biennially and submit the report to DIR in even-numbered years;
  • update the plan to address changes to the information system, environment of operation, or issues identified during plan implementation or security control assessments; and
  • protect the plan from unauthorized disclosure or modification.