PM-1 Information Security Program Plan

Last Review: 10/1/22


The West Texas A&M Information Security Controls Catalog establishes the minimum standards and controls for University information security in accordance with the state's Information Security Standards for Institutions of Higher Education found in Title 1, Chapter 202, Texas Administrative Code (TAC 202).


WTAMU will develop, review, protect, update, and disseminates an approved organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements that:

  • includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and is approved by the Chief Information Officer.
  • reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical)

WTAMU will review and updates the information security program plan at least annually taking into account changes in business, technology, threats, incidents, the University missions.


The scope of these regulations and procedures are applicable to all information resources owned or operated by WTAMU. All users are responsible for adhering to this policy. If needed or appropriate, information regarding roles, responsibilities, management commitment, and coordination among organizational entities are embedded within these procedures.

Regulations and Procedures

The State of Texas Department of Information Resources (DIR) has chosen to adopt a select number of Program Management Controls as established within the NIST SP 800-53 control family guidelines identified by the DIR Security Control Standards Catalog.  WTAMU shall maintain an acceptable and approved information security program that includes appropriate protections, based on risk, for certain information resources owned, leased, or under the custodianship, including outsourced resources, department, operating unit, or employee of the organization.