The ISAAC web site was created to assist Texas A&M University departmental information system representatives (e.g., system administrators) with assessing the security posture of their information systems and with measuring compliance with information security standards (both state and local). Additionally, ITIM has created separate ISAAC applications for components of The Texas A&M University System, Texas State Agencies, and The University of Texas System components.
The ISAAC main status screen provides tools to meet compliance in the following areas:
The Business Continuity Planning module provides a guide for developing a business continuity and disaster recovery plan that will meet state and local information security standards. Included are a detailed guide for departments with dedicated information technology staff and servers, and a simple plan for departments with only desktop systems.
The Risk Assessment module provides an automated tool for both departmental servers and desktop systems. The risk assessment collects the following information: operational environment, asset valuation, in-place safeguards confirmation, and associated action plans for any shortcomings discovered. A full report can be generated once all requirements have been addressed.
The Health Insurance Portability and Accountability Act (HIPAA) compliance module was developed based on NIST Special Publication (SP) 800-66. The module addresses all HIPAA Security Rule standards and all associated implementation specifications, both required and addressable. Six of the standards include all the necessary instructions for implementation and have no associated implementation specifications.
The ISAAC tool provides a self-assessment module based on the Payment Card Industry (PCI) Data Security Standard. The PCI module is divided into six sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.
The Physical Security module provides a checklist that can be printed and used as a guide for making a visual inspection of the information systems host site.
The Security Awareness Training module provides links to the Texas A&M Security Awareness Training certification web site, as well as other resources (including some sources for ordering free training materials, computer-based training, and video formats).
The Resource Registration module provides a web form for identifying mission critical and/or confidential information resources. Additionally, the owners of the resources must be identified along with the custodians and user base.
The ISAAC system has been upgraded and designated as version 2008 (7.0). In preparing ISAAC for the upcoming year, several enhancements and improvements were implemented. In an effort to make sure that the risk assessment methodology maintains "best of breed" status, several risk assessment methodologies were reviewed and considered for enhancing the risk assessment module.