ISAAC - The Information Security Awareness, Assessment, and Compliance System
The ISAAC web site was originally created to assist Texas A & M University (TAMU) departmental information system representatives (e.g., system administrators) with assessing the security posture of their information systems and measuring compliance with information security standards (both state and local). DIR has since partnered with TAMU to create separate ISAAC applications for TAMU system components, Texas state agencies and state universities.
The ISAAC main status screen provides tools to meet compliance in the following areas:
Business Continuity / Disaster Recovery Planning
The Business Continuity Planning module provides a guide for developing a business continuity and disaster recovery plan that will meet state and local information security standards. There is a detailed guide for departments with dedicated information technology staff and servers, and a simple plan for departments with only desktop systems.
Risk Assessment
The Risk Assessment module provides an automated tool for both departmental servers and desktop systems. The risk assessment collects the following information: operational environment, asset valuation, in-place safeguards confirmation, and associated action plans for any shortcomings discovered. A full report can be generated once all requirements have been addressed.
HIPAA Module
The HIPAA compliance module was developed based on NIST Special Publication (SP) 800-66. The module addresses all HIPAA Security Rule standards and all associated implementation specifications, both required and addressable. Six of the standards include all the necessary instructions for implementation and have no associated implementation specifications.
PCI Module
The ISAAC tool provides a self-assessment module based on the PCI Data Security Standard. The PCI module is divided into six sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.
Physical Security
The Physical Security module provides a checklist which can be printed and used as a guide for making a visual inspection of the information systems host site.
Security Awareness Training
The Security Awareness Training module provides links to the TAMU Security Awareness Training certification web site, as well as other resources (including some sources for ordering free training materials - computer based training and video formats).
Resource Registration
The Resource Registration module provides a web form for identifying mission critical and/or confidential information resources. Additionally, the owners of the resources must be identified, along with the custodians and the user base.
The ISAAC system has been upgraded and designated as version 2008 (7.0). Licenses for the tool are provided to state agencies and universities at no cost.
For more information on ISAAC, please visit the ISAAC FAQs page or contact the Office of the CISO.