Part 10.
DEPARTMENT OF INFORMATION RESOURCES
Chapter 201.
PLANNING AND MANAGEMENT OF INFORMATION RESOURCES TECHNOLOGIES
1 TAC §201.5
The Department of Information Resources adopts an amendment
to §201.5, concerning agency planning with no changes to the proposed
text as published in the October 1, 1999 issue of the Texas Register
(24 TexReg 8397). The amendment requires state agency
information resources managers or agency heads to approve the submission of
biennial operating plans (BOPs) to the department, and deletes the requirement
that such BOPs must be "signed."
No comments were received in response to the proposed rule.
The amendment is adopted under Texas Government Code §2054.052(a),
which authorizes the department to adopt rules as necessary to carry out its
responsibility under the Information Resources Management Act.
This agency hereby certifies that the adoption has been reviewed
by legal counsel and found to be a valid exercise of the agency's legal authority.
Filed with the Office of
the Secretary of State on March 14, 2000.
TRD-200001932
C.J. Brandt, Jr.
General Counsel
Department of Information Resources
Effective date: April 3, 2000
Proposal publication date: October 1, 1999
For further information, please call: (512) 475-2153
1 TAC §201.11
The Department of Information Resources adopts the amendment
to §201.11, concerning procedures for adoption of information resources
standards and policies, without changes to the version published in the November
5, 1999, issue of the Texas Register (24 TexReg 9731).
The amendment eliminates outdated requirements that rule comments must
be submitted on paper.
The Department received no comments on the proposal.
The amendment is proposed under Texas Government Code §2054.052(a),
which authorizes the department to adopt rules as necessary to carry out its
responsibility under the Information Resources Management Act.
This agency hereby certifies that the adoption has been reviewed
by legal counsel and found to be a valid exercise of the agency's legal authority.
Filed with the Office of
the Secretary of State on March 15, 2000.
TRD-200001948
C.J. Brandt, Jr.
General Counsel
Department of Information Resources
Effective date: April 4, 2000
Proposal publication date: November 5, 1999
For further information, please call: (512) 475-2153
1 TAC §201.12
The Department of Information Resources adopts §201.12
concerning state agency web sites, with changes to the proposed text as published
in the November 12, 1999 issue of the Texas Register
(24 TexReg 9909). The effect of the new rule is to require state agencies
to implement certain standards pertaining to the accessibility of state web
sites, common indexing of web pages, and the protection of citizens' privacy.
The department received nineteen (19) written comments regarding the proposed
rule during the formal comment period. The department held a special meeting
with agencies to discuss the proposed rule, and participated in other meetings
with agencies to address issues and propose changes. A significant number
of the comments addressed the implementation date requirements in paragraphs
(b)(1), (2) and (3), and the impact on agencies' staff and resources. The
department generally agrees with the concerns expressed, and accordingly has
changed the effective date of the rule and narrowed its scope so that the
requirements were limited to a subset of all state agency web pages. The department
also added a provision that for "key public entry points," only new or changed
pages would be subject to the requirements.
Several comments opposed the proposed load time simulation goal and proposed
requirement for a menu options page. The department agrees, and has deleted
these requirements from the adopted rule.
Several comments expressed concern that the proposed requirement for a
text alternative to graphic images would effectively limit or prevent the
use of image maps. The department agrees, and has revised the adopted rule
to provide an exception for geographic information systems, requiring a text
alternative only if the image map does not comply with Web Content Accessibility
Guidelines. In addition, several commenters expressed concern over the proposed
accessibility requirements for document image files. The department agrees
with the comments in some respects, and has revised the rule to provide for
three exceptions from this requirement in addition to the exception for geographic
information systems. The department notes that other document types that may
be problematic under the rule should be addressed in the agency's Information
Resources Strategic Plan, which must identify the agency's plan for receiving
forms or payments electronically.
Several comments expressed the view that the requirement to update a text
version of a frames based page is unnecessary. The department agrees and has
removed the requirement from the rule.
Several comments opposed the requirements for a PICS rating as unnecessary
and burdensome. The department agrees, and has removed the requirement from
the rule as adopted.
One comment questioned the requirement for a link to a privacy policy.
The department disagrees that a link to a privacy policy is unnecessary; however,
specific requirements that appeared in the definitions section have been moved
into the rule text, and the department will publish a detailed guideline to
assist agencies in implementing privacy policies.
Several comments indicated that the proposed pixel width and color setting
requirements were likely to become quickly outdated. The department agrees
and has removed these requirements from the adopted rule.
Several comments addressed the requirement for incorporating TRAIL metadata
on the top-level pages of all state web sites. The department agrees in part,
and has revised the rule to require TRAIL metadata only on the agencies' home
pages.
Several comments addressed the requirements for common links, and noted
that the rule as proposed would have required links in some instances to the
same page being viewed by the site visitor. The department agrees and has
restructured the common links section to address this concern.
Three agencies raised concerns about the proposed requirement to encrypt
certain information transmitted via the Internet to a state agency. The department
agrees in part, since virtually any unencrypted information transmitted over
the Internet is subject to interception. The department has therefore provided
more specific guidance as to information that must be encrypted while in transit.
One commenter opposed adoption of the rule on the assumption that it would
require a common look and feel for all state web sites. The department disagrees
with this comment because the rule is not intended to impose a common look
and feel on all state web sites.
To facilitate suggested changes and improve clarity of the rule, the department
deleted certain definitions as no longer necessary, and revised or added others
for clarification. New definitions were added for the following terms: historical
document; home page; key public entry point; statewide search; and transaction
payment information. Definitions were substantially revised for the following
terms: agency contact information; document image files; generally accessible
Internet site; privacy policy; and state web site.
Names of groups or associations making comments for and against the rule:
For: Governor's Office; Lamar University; Tarleton State University; Teacher
Retirement System; Texas Department of Health; Texas A&M University, Agriculture
Extension Service; Texas A&M University at Galveston; Texas A&M University,
Information Resources; Texas Department of Insurance; Texas Department of
Transportation; Texas Natural Resource Conservation Commission; Texas State
Library and Archives Commission; Texas Tech University; University of North
Texas; University of Texas at Austin.
Against: Texas A&M University; University of Texas, MD Anderson.
The rule is adopted in accordance with Texas Government Code §2054.051(b),
which requires the department to publish information resources technologies
standards, and Texas Government Code §2054.052(a), which provides the
department may adopt rules as necessary to implement its responsibilities.
§201.12.State Web Sites.
(a)
Definitions. The following words and terms, when used in
this section, shall have the following meanings unless the context clearly
indicates otherwise.
(1)
Agency contact information--a list of key personnel and/or
position or program contacts, including public contact telephone numbers,
general e-mail address, and other information deemed necessary by the agency
for facilitating public access.
(2)
alt tag--Alternative tag; an HTML code option associated
with an image file on a Web page that is used to give a text description of
the image. This information will assist a person using a text browser to understand
the page content and navigation directions.
(3)
Document image files--Files published in vendor-specific
file formats (e.g., portable document format (pdf) files) that create an
image of a document.
(4)
Frames--A coding technique used to present information
on a Web page.
(5)
Generally accessible Internet site--A state Web site
that:
(A)
complies with the Web Content Accessibility Guidelines
for persons with visual disabilities promulgated by the W3C;
(B)
contains no priority 1 errors; and
(C)
complies with HTML standards published by the W3C.
(6)
Historical document--either a document dated
prior to 1991 for which the agency does not have the original document in
electronic format, or a document dated prior to 1997 that contains a handwritten
signature.
(7)
Home page--The initial page or entry point to a state
Web site.
(8)
HTML--HyperText Markup Language.
(9)
IETF--the Internet Engineering Task Force.
(10)
Internet--the network of interconnected networks
employing the TCP/IP standards as published by the IETF.
(11)
Key public entry point--A Web page that a state agency
has specifically designed for members of the general public to access official
information (e.g., the governing or authoritative documents) from the agency.
(12)
Meta tag--An HTML code option for identifying information
about a Web page that facilitates locating specific information on Web pages
by search engines.
(13)
P3P--Platform for Privacy Preferences; a technical
specification published by the W3C that enables Web sites to identify their
privacy practices in a manner that can be understood by commercially-available
Web browsers.
(14)
Priority 1 error--An HTML coding error on a Web page
that will cause persons with visual disabilities to be unable to access information
on the page.
(15)
Priority 2 error--An HTML coding error on a Web page
that may make it very difficult for persons with visual disabilities to access
information on the page.
(16)
Privacy Policy--a statement about what information
is collected by a Web site, how the information will be used, and under what
conditions the information may be shared or released to another party. Privacy
Policy guidelines are available at http://www.state.tx.us/Standards/srrpub11-privacy-policy.htm
(17)
Server log software and cookies--Particular methods
employed for the purpose of tracking visitors to Web sites. The information
collected for analysis can include where the request came from, time, pages
visited, and identifiable information about the visitor.
(18)
State Web site--a state agency-owned, -operated,
or -funded Web site connected to the Internet, including a state agency's
home page and any key public entry points.
(19)
SSN--Social Security Number.
(20)
SSL--Secure Sockets Layer; The Internet security
standard for point-to-point, encrypted connections between Web servers and
client browsers.
(21)
Statewide Search--a link to the TRAIL Web site.
(22)
TCP/IP--Transmission Control Protocol/Internet Protocol;
a suite of protocols developed by the IETF and published as Request for Comments
(RFCs).
(23)
Texas home page--http://www.state.tx.us/.
(24)
TRAIL--Texas Records and Information Locator or its
successor. Additional information is available at http://www.tsl.state.tx.us/
(25)
Transaction payment information--bank account and
routing number, credit, debit, or other forms of card-based payment systems.
(26)
Transaction Risk Assessment--An evaluation of the
security and privacy required for an interactive Web session providing public
access to government information and services. Additional information and
guidelines are available at http://www.state.tx.us/Standards/srrpub11.htm
(27)
W3C--World Wide Web Consortium.
(b)
All state agencies will adhere to the following:
(1)
As of July 1, 2000, the home page of all state Web sites,
and any new or changed key public entry points, shall meet the definition
of a generally accessible Internet site and the following guidelines:
(A)
Every image on a state Web site shall use an alt tag with
sufficient information describing the image, or a null for simple images (e.g.,
a dot or bullet), so that a person unable to see the image can understand
the content and meaning for its use. Except for geographic information systems,
if image maps are used that do not comply with the Web Content Accessibility
Guidelines for persons with visual impairments, a text alternative shall be
provided.
(B)
A state agency implementing frames on a state Web site
shall:
(i)
Not have any page that contains priority 1 or 2 accessibility
errors.
(ii)
Drop the frame(s) when indexing or pointing to other non-agency
Web sites.
(C)
A state agency posting document image files to a state
Web site, for which the associated reader does not fully support accessibility,
shall also make available an accessible version of the same information. The
document image version will include a link to obtain a free copy of the associated
reader, and accessibility instructions. Excluded from this provision are:
(i)
Historical documents.
(ii)
Documents for which the agency is not the original author.
(iii)
Document image files of forms that are not currently
designed for electronic use, but for which the use depends on a structured
layout. These forms shall be identified in the section of the agency's Information
Resources Strategic Plan that describes the agency's plans for receiving forms
or payments electronically.
(D)
A state agency shall publish a privacy policy for its Web
site. The privacy policy shall address the following:
(i)
Use of server logs and/or cookies.
(ii)
Information collected by other technologies and processes.
(iii)
Information collected via e-mail and Web-based forms.
A Web-based form shall post a link to the policy. The form may include a provision
for the individual to opt-out of sharing the information with another party,
or a warning that the information may be a public record and therefore subject
to the Texas Public Information Act.
(E)
Web pages designed for children must comply with all applicable
federal and state laws intended to protect minors.
(F)
State agencies shall plan on implementing P3P on the home
page and key public entry points to a state agency Web site.
(G)
All Web pages, whether static or dynamic, must be accessible
using generally available browser software, and be designed with consideration
for the types of Internet connections available to the citizens of Texas.
Standards Review and Recommendation Publication 11 (SRRPUB11) contains additional
information that may assist agencies in the design of their Web sites. The
guideline is available at http://www.state.tx.us/Standards/srrpub11.htm
(2)
As of July 1, 2000, all new or changed HTML documents
on a state agency Web site that meet the criteria of a state publication as
defined by the Texas State Library and Archives Commission shall include the
following meta tags:
(A)
Title--page topic or subject;
(B)
Description--brief description of the subjects covered;
(C)
Keywords--specific to the page subject, and should not
exceed 25 words; and
(D)
Author--State of Texas and state agency name.
(3)
As of July 1, 2000, the home page of a state
Web site shall incorporate TRAIL metadata and shall:
(A)
Provide links to the following State of Texas resources:
(i)
Texas home page; and
(ii)
Statewide Search.
(B)
Provide links to the following agency information:
(i)
Privacy policy;
(ii)
Agency contact information; and
(iii)
Description of the agency's open records policy/procedures.
(4)
As of July 1, 2000, all key public entry
points shall provide links to the following:
(A)
Agency contact information; and
(B)
Agency home page.
(5)
Prior to providing access to information or services
on a state Web site that require user identification, each state agency shall
conduct a transaction risk assessment, and implement appropriate security
and privacy safeguards. At a minimum, state Web sites that require a citizen
to enter the following information shall use an SSL session or equivalent
technology to encrypt the data:
(A)
Both the individual's name and other personal information,
such as an SSN;
(B)
Transaction payment information; or
(C)
An individual's identification code and password. Further
guidance concerning server certificates and encryption key length are contained
in SRRPUB11 at http://www.state.tx.us/Standards/srrpub11.htm
This agency hereby certifies that the adoption
has been reviewed by legal counsel and found to be a valid exercise of the
agency's legal authority.
Filed with the Office of
the Secretary of State on March 14, 2000.
TRD-200001931
C.J. Brandt, Jr.
General Counsel
Department of Information Resources
Effective date: April 3, 2000
Proposal publication date: November 12, 1999
For further information, please call: (512) 475-2153
1 TAC §201.13
The Department of Information Resources adopts amendments
to §201.13(b)(9)(F), concerning information security breaches, with changes
to the proposed text as published in the November 12, 1999 issue of the
The department received eight (8) written comments regarding the proposed
amendments during the formal comment period. The Department subsequently held
a special meeting with agencies to discuss the proposed rule, and participated
in other meetings with agencies to address issues and propose changes.
The majority of comments received focused on the time when reports were
due and the content of such reports. The department agrees that the 2-hour
initial reporting requirement and the 10-day detailed reporting requirement
may have been unnecessarily burdensome, and has therefore revised the rule
accordingly.
Several commenters suggested that reporting "attempts" or "failed attempts"
to gain unauthorized access to information was both unwarranted and unproductive.
The department agrees with this comment and has eliminated such activity from
the description of activities to be reported.
A number of commenters stated that efforts should concentrate on prevention
of security breaches and that agencies should utilize established resources
such as CERT, the SANS Institute, and the FBI. The department agrees with
these comments, but disagrees that use of such resources or precautionary
measures is inconsistent with the rule as adopted. The department views the
rule as complementary to, and not a replacement for, preventive measures and
the use of established resources.
One commenter noted a concern that reporting of detailed information regarding
possible criminal activity could compromise law enforcement activities. The
department agrees with this comment, and the adopted rule requires only summary
information to be reported.
One commenter stated that the phrases "the state agency reasonably believes
such violations may involve criminal activity" and "substantial likelihood"
of propagation to other systems are too vague, and requested more guidance.
The department disagrees with this comment because some discretion must be
left to state agencies in determining the activities to be reported. The same
commenter suggested moving the category of violations that could be propagated
to other systems to a list of reportable activities. The department disagrees
with this comment because the intent of this language is to apply to all reportable
activity and thereby reduce the overall number of potential violations that
must be reported.
One commenter indicated that the rule as proposed could be read more broadly
than intended and thus require reporting of any changes to agency software
configurations. The department agrees that the reporting of such changes,
so long as they are made with the agency's effective consent and do not constitute
criminal violations, is not required. The adopted rule has been amended in
an attempt to make this clearer.
Names of groups or associations making comments for and against the rule:
For: Texas Department of Transportation; Texas Health Care Information Council;
Texas Natural Resource Conservation Commission; University of Texas at Austin;
University of Texas, Southwestern; University of Texas, San Antonio. Against:
Department of Public Safety; Texas A&M University at Galveston; University
of Houston.
The amendments are adopted pursuant to the provisions of Texas
Government Code §2054.051(b), which permits the department to publish
standards relating to information resources technologies, and Texas Government
Code §2054.052(a), which permits the department to adopt rules as necessary
to implement its responsibilities.
§201.13.Information Resource Standards.
(a)
Geographic information systems standards.
(1)
Applicability.
(A)
All digital spatial data users and developers of new geographic
information systems in state agencies and universities must comply with the
technical standards specified in the Standards and Guidelines for Geographic
Information Systems in the State of Texas.
(B)
An institution of higher education, as defined by the Education
Code, §61.003, will be exempted from these standards when geographic
information systems are acquired solely for instructional purposes.
(C)
Currently operating systems which are structurally unable
to comply are not required to retrofit to these standards.
(2)
Waivers.
(A)
A waiver shall be granted to any state agency due to any
order of a court of competent jurisdiction when the ordered period of compliance
is less than 90 days; or any act of exemption by the Texas Legislature.
(B)
Letter applications for waivers will be made in writing
to the department by the agency information resources manager (IRM). Within
10 days after initial receipt of the waiver request, the department will notify
the submitting state agency of all supporting information the department requires
to conduct its review. The date of receipt of the waiver application is either
the initial date of arrival of the request, or the date that any supporting
or other information if requested, is received. Review shall commence on the
date of receipt. The department will conduct its review within 30 days after
the date of its receipt, evaluate the applications, and grant or deny these
waiver requests based on an analysis of the particular circumstances or environment.
Consultation with the Geographic Information Systems Standards Committee will
be included in the waiver process on an as needed basis, and the committee
will review all waivers at their semiannual meetings.
(C)
The acquisition of software which cannot support these
standards will not be grounds for a waiver.
(3)
Adoption by reference. The Standards and Guidelines
for Geographic Information Systems in the State of Texas, herein adopted by
reference, may be obtained from the Department of Information Resources, P.O.
Box 13564, Austin, Texas 78711.
(4)
Submittal procedures. The agency Information Resource
Manager (IRM) will certify that geographic information systems development
in the agency adheres to the "Standards and Guidelines for Geographic Information
Systems in the State of Texas."
(5)
Review procedures.
(A)
The certification will be reviewed by the department and
the Geographic Information Systems Standards Committee to determine compliance
and agency comprehension of the standards. Review procedures and any subsequent
on-site assessment will be consistent with §7 of the Standards and Guidelines
for Geographic Information Systems in the State of Texas.
(B)
The agencies may also request a peer review be performed
at any time during the year. Upon receiving such a request, the department
will schedule a review as soon as possible.
(b)
Information Security Standards.
(1)
Applicability. The following rule constitutes required
minimum security standards for the protection of information resources for
agencies of the State of Texas. All agencies are required to have an information
resources security program consistent with these standards. Copies of this
standard may be obtained from the Department of Information Resources, P.O.
Box 13564, Austin, Texas 78711, or from the Department's Internet web page
at http://www.dir.state.tx.us.
(2)
Definitions. The following words and terms, when used
with this subsection, shall have the following meanings, unless the context
clearly indicates otherwise.
(A)
Access--To approach, view, instruct, communicate with,
store data in, retrieve data from, or otherwise make use of information resources.
(B)
Confidential Information--Information that is excepted
from disclosure requirements under the provisions of the Texas Public Information
Act or other applicable state or federal law.
(C)
Control--A protective action, device, policy, procedure,
technique, or other measure that reduces exposure.
(D)
Custodian of an Information Resource--A person responsible
for implementing owner-defined controls and access to an information resource.
(E)
Information Security Function--The elements, structure,
objectives, and resources that establish an agency-level information resources
security program.
(F)
Mission Critical Information--Information that is defined
by the agency to be essential to the agency's function(s).
(G)
Owner of an Information Resource--A person responsible:
(i)
for a business function; and
(ii)
for determining controls and access to information resources
supporting that business function.
(H)
Security Risk Analysis--The process of identifying and
documenting vulnerabilities and applicable threats to information resources.
(I)
Security Risk Assessment--The process of evaluating the
results of the risk analysis by projecting losses, assigning levels of risk,
and recommending appropriate measures to protect information resources.
(J)
Security Risk Management--Decisions to accept exposures
or to reduce vulnerabilities by either mitigating risks or applying cost effective
controls.
(K)
Security Incident or Breach--An event which results in
unauthorized access, loss, disclosure, modification, or destruction of information
resources whether accidental or deliberate.
(L)
User of an Information Resource--An individual or automated
application authorized to access an information resource in accordance with
the owner-defined controls and access rules.
(3)
Policy. It is the policy of the State of Texas
that:
(A)
Information resources residing in the various agencies
of state government are strategic and vital assets belonging to the people
of Texas. These assets must be available and protected commensurate with the
value of the assets. Measures shall be taken to protect these assets against
accidental or unauthorized access, disclosure, modification or destruction,
as well as to assure the availability, integrity, utility, authenticity and
confidentiality of information. Access to state information resources must
be appropriately managed.
(B)
The agency head is responsible for the protection of information
resources.
(C)
All individuals are accountable for their actions relating
to information resources. Information resources shall be used only for intended
purposes as defined by the agency and consistent with applicable laws.
(D)
Risks to information resources must be managed. The expense
of security safeguards must be commensurate with the value of the assets being
protected.
(E)
The integrity of data, its source, its destination, and
processes applied to it must be assured. Changes to data must be made only
in authorized and acceptable ways.
(F)
Information resources must be available when needed. Continuity
of information resources supporting critical governmental services must be
ensured in the event of a disaster or business disruption.
(G)
Security requirements shall be identified, documented and
addressed in all phases of development or acquisition of information resources.
(H)
Agencies must ensure adequate controls and separation of
duties for tasks that are susceptible to fraudulent or other unauthorized
activity.
(4)
Classification of Information. Owners, with the
agency head's concurrence, are responsible for classifying program information.
Agencies are responsible for defining all information classification categories
except the Confidential Information category, which is defined in paragraph
(2) of this subsection, and establishing the appropriate controls for each.
(5)
Management and Staff Responsibilities. The agency
head or his or her designated representative(s) shall review and approve ownership
and the attendant responsibilities.
(A)
Owners, custodians, and users of information resources.
Owners, custodians and users of information resources shall be identified,
and their responsibilities defined and documented by the agency. In cases
where information resources are used by more than one major program, the owners
shall reach consensus and advise the information security function as to the
designated primary owner. The following distinctions among owner, custodian,
and user responsibilities should guide determination of these roles:
(i)
Owner Responsibilities. Owners are responsible and authorized
to: approve access and formally assign custody of an asset; judge the asset's
value; specify data control requirements and convey them to users and custodians;
and ensure compliance with applicable controls. Owners must specify appropriate
controls, based on risk assessment, to protect the state's information resources
from unauthorized modification, deletion or disclosure. Controls extend to
outsourced contracts. Owners must confirm that controls are in place to ensure
the accuracy and completeness of data. Owners shall assign custody of assets
and provide appropriate authority to implement security controls and procedures.
Owners are the authority on appropriate level of controls and the timing of
their implementation.
(ii)
Custodian responsibilities. Custodians of information
resources, including entities providing outsourced services to state agencies
must:
(I)
implement the controls specified by the owner(s);
(II)
provide physical and procedural safeguards for the information
resources;
(III)
assist owners in evaluating the cost-effectiveness of
controls and monitoring; and
(IV)
implement the monitoring techniques and procedures for
detecting, reporting and investigating breaches in information security.
(iii)
User responsibilities. Users of information resources
shall use the resource only for its defined purposes and comply with established
controls.
(B)
The information security function. Each agency head or
his or her designated representative shall institute an information security
function to administer the agency information security program.
(i)
It shall be the duty and responsibility of this function
to recommend policies and establish procedures and practices, in cooperation
with owners and custodians, necessary to ensure the security of information
assets against unauthorized or accidental modification, destruction or disclosure.
(ii)
The information security function shall document and maintain
an up-to-date information security program. The security program shall include
written descriptions of information resources security responsibilities, assigned
personnel resources, policies, guidelines, data security classification schemes,
standards and procedures for the protection of information resources. The
information security program must be approved by the agency head.
(iii)
The security function is responsible for monitoring the
effectiveness of defined controls for critical information.
(iv)
The security function shall report, at least biennially,
to the agency head or his or her designated representative the status and
effectiveness of information resources security controls.
(C)
A review of the agency's information security program for
compliance with these standards will be performed at least biennially by individual(s)
independent of the information security function and designated by the agency
head or the information resources manager.
(6)
Managing Risks.
(A)
A security risk analysis shall be performed and documented.
The security risk analysis shall be updated at least biennially. Security
risk assessment results shall be presented to the agency head or his or her
designated representative. The agency head shall make the final security risk
management decisions to accept exposures. The agency head must approve the
security risk management plan.
(B)
Each agency shall maintain a disaster recovery plan for
information resources. The disaster recovery plan will:
(i)
contain measures which address the impact and magnitude
of loss or harm that will result from an interruption;
(ii)
identify recovery resources and establish a source for
each;
(iii)
contain step-by-step instructions for implementing the
plan;
(iv)
be maintained to ensure currency; and
(v)
be tested at least annually.
(C)
Mission critical data shall be backed up on a scheduled
basis and stored off site.
(7)
Personnel and Contractor Practices.
(A)
All agency personnel, and employees of independent contractors
who may be deemed to be custodians or users, shall formally acknowledge that
they will comply with the security policies and procedures of the agency.
Information resource users who do not complete a formal acknowledgment shall
not be granted access to information resources. The agency head or their designated
representative will determine the method of acknowledgement and how often
this acknowledgment must be renewed.
(B)
Agencies shall use non-disclosure agreements to document
the acceptance by agency and contractor employees of special agency information
security requirements.
(C)
Agencies shall provide an ongoing information resources
security awareness education program for users whose duties bring them into
contact with mission critical information resources. Scheduled training shall
also be provided by the agency.
(D)
State agencies shall use new employee orientation to introduce
information resource security awareness and inform new employees of information
security policies and procedures. If an employee leaves or changes employment,
security privileges shall be appropriately modified to protect information
resources.
(8)
Physical Security.
(A)
Physical access to mission critical information resource
facilities shall be managed and documented.
(B)
Reviews of physical security measures for compliance with
these standards shall be conducted periodically by the agency head or designated
representatives.
(C)
Information resources shall be protected from environmental
hazards. Designated employees shall be trained to monitor environmental control
procedures and equipment and shall be trained in desired response in case
of emergencies or equipment problems.
(D)
Emergency procedures shall be developed and regularly tested.
(9)
Information Safeguards.
(A)
Access. Access shall be managed to ensure authorized use
of information resources. Security risk assessment shall be the basis of decisions
and policies regarding managed access to information resources.
(B)
Confidentiality of data and systems.
(i)
Confidential information shall be accessible only to authorized
users. Information containing any confidential data shall be identified, documented,
and protected in its entirety.
(ii)
Information resources assigned from one agency to another
shall be protected in accordance with the conditions imposed by the providing
agency.
(C)
Identification/Authentication.
(i)
Each user of information resources shall be assigned a
unique personal identifier or user identification except for situations where
risk analysis demonstrates no need for individual accountability of users.
User identification shall be authenticated before the system may grant that
user access.
(ii)
A user's access authorization shall be removed or appropriately
modified when the user's employment or role status changes.
(iii)
Systems shall contain authentication functions that comply
with documented security risk management decisions.
(iv)
Systems which use passwords shall be based on the existing
federal standard on password usage.
(v)
For written electronic communications sent to a state agency
where the identity of a sender or the contents of a message must be authenticated,
the use of digital signatures is also encouraged. Agencies should refer to
Texas Government Code, §2054.060, §201.14 of this title (relating
to Digital Signatures), and guidelines issued by the Department for further
information.
(D)
Encryption. Encryption techniques for storage and transmission
of information shall be used based on documented agency security risk management
decisions.
(E)
Ability to Audit.
(i)
Automated systems must provide the means whereby authorized
personnel have the ability to audit and establish individual accountability
for any action that can potentially cause access to, generation of, modification
of, or effect the release of confidential information.
(ii)
Appropriate audit trails shall be maintained to provide
accountability for updates to mission critical information, hardware and software
and for all changes to automated security or access rules.
(iii)
Appropriate audit trails shall be maintained for all
changes to automated security or access rules.
(iv)
Based on risk assessment, a sufficiently complete history
of transactions shall be maintained to permit an audit of the system by tracing
the activities of individuals through the system.
(F)
Security breaches.
(i)
Security breaches shall be investigated promptly and documented.
(ii)
If criminal action is suspected, the agency must contact
the appropriate law enforcement and investigative authorities immediately.
(iii)
Each state agency shall provide summary reports to the
department that contain information concerning violations of security policy
of which the agency has become aware. A state agency shall not be required
to report security violations unless the state agency reasonably believes
such violations may involve criminal activity under Texas Penal Code Chapters
33 (Computer Crimes) or 33A (Telecommunications Crimes), and there is a substantial
likelihood that such violations could be propagated to other systems beyond
the control of the state agency. Reports should include:
(I)
Type of activity, including but not limited to:
(-a-)
Unwanted disruption or denial of service;
(-b-)
Unauthorized use of a system for the processing
or storage of data; and
(-c-)
Changes made to system hardware, firmware, or software
without the agency's effective consent.
(II)
Time elapsed between initial detection of incident and
containment of the security breach or full restoration of adversely affected
functions, whichever is later;
(III)
Description of the state agency's response to the incident;
and
(IV)
Estimated total cost incurred by the state agency in containing
the security breach or restoring adversely affected functions.
(iv)
Reports must be sent to the department on a monthly basis
no later than the fifth (5th) working day after the end of the month. Upon
request of the department, each state agency shall provide to the department
any additional information regarding security violations. Information shall
be reported in the form and manner specified by the department at the following
address: http://www.dir.state.tx.us/IRAPC.
(v)
The Department shall establish internal security procedures
regarding the receipt of and maintenance of information pertaining to security
breaches. The Department shall instruct state agencies as to the manner in
which they must report such information. The instructions will specify that
reports must not contain any information which would itself compromise the
security of the reporting agency. The instructions shall be made available
via the world wide web at the following address: http://www.dir.state.tx.us/IRAPC.
(vi)
The monthly reporting requirements established under this
subparagraph will automatically expire on August 31, 2001.
(G)
Systems development and testing.
(i)
Test functions shall be kept either physically or logically
separate from production functions. Copies of production data shall not be
used for testing unless the data has been declassified or unless all state
and contractor employees involved in testing are otherwise authorized access
to the data.
(ii)
Appropriate information security and audit controls shall
be incorporated into new systems. Each phase of systems acquisition shall
incorporate and document corresponding development or assurances of security
and auditable controls.
(iii)
All security-related information resource changes shall
be approved by the owner through a quality assurance process before implementation.
(10)
Data Communication Systems.
(A)
Network resource controls shall be implemented commensurate
with the security risk analysis.
(B)
System identification screens shall include warning statements
unless documented security risk analysis indicates otherwise. Warning statements
shall address the following topics:
(i)
unauthorized use is prohibited;
(ii)
usage may be subject to security testing and monitoring;
and
(iii)
misuse is subject to criminal prosecution.
(c)
Use of TEX-AN Network.
(1)
Applicability.
(A)
All state agencies are to use the Texas Agency Network
(TEX-AN) to the fullest extent possible.
(B)
Funds appropriated to state agencies as defined in Texas
Civil Statutes, Article 601b, §1.02(2), shall not be expended for the
acquisition of intercity telecommunications facilities or services until a
determination has been made by the Telecommunications Services Division of
the General Services Commission and the department (DIR) that the agency requirement
for intercity telecommunications cannot be met by the TEX-AN network.
(C)
State agencies shall not enter into or renew contracts
with carriers or other providers of intercity telecommunication facilities
or services without obtaining waivers from the Telecommunications Services
Division and the DIR certifying that the requested intercity telecommunications
requirements cannot be provided at reasonable costs on TEX-AN network.
(2)
Waivers.
(A)
A waiver shall be granted to any state agency upon receipt
of a written request and determination of the Telecommunications Services
Division of the General Services Commission and the DIR that the action is
most cost effective to the entire State of Texas.
(B)
Waivers will be granted for periods not to exceed one fiscal
year from the effective date of the waiver.
(C)
Waivers will automatically expire upon the expiration date
unless an extension is approved by the Telecommunications Services Division
and the DIR.
(D)
Contracts for services obtained under waiver shall not
extend beyond the expiration date of the waiver.
(3)
Review procedures.
(A)
The department and the Telecommunications Services Division
of the General Services Commission will evaluate waiver requests for consistency
with the General Appropriations Act, other legislation, and the priorities
as described in the State Strategic Plan for Information Resources Management,
and for cost-effectiveness to the entire State of Texas.
(B)
The department will grant or deny waiver requests in writing
no later than 30 working days after receipt of the request.
(d)
Standard for data transport networks for computers.
(1)
Definitions.
(A)
For purposes of this section the word "network" will refer
to all data transport networks used primarily to interconnect computers and
networks of computers for the purpose of transporting data, allowing interoperation
of computer applications on more than one computer system, and providing access
to data.
(B)
For purposes of this section the phrase "substantial change"
is defined to mean any change that requires the replacement of physical transport
media, replacement of data transport protocol, or any change in the major
computer systems on the network.
(C)
For purposes of this section "non-adjacent buildings" are
defined as those that are physically separated by property not owned by the
state and where there is no state owned right-of-way connecting the buildings.
(2)
Standard. All networks that span more than one
non-adjacent building, or interconnect more than one agency must adhere to
the following.
(A)
If the network is in existence at the time this rule is
adopted, the network must become compliant with subparagraph (B) of this paragraph
by August 31, 2001.
(B)
All new networks, all extensions to existing networks and
all networks undergoing substantial change must adhere to the TCP/IP standards
as listed in the most recent Request for Comments (RFC) as international standards
promulgated by the Internet Society.
(C)
Agencies may not install new networks or extensions to
existing networks where such installation or extension duplicates existing
state owned network routing that complies with subparagraph (B) of this paragraph.
Agencies must cooperate to share existing facilities; expanding them if necessary.
Where this paragraph conflicts with current or future rules concerning telecommunications
from the General Services Commission, the General Services Commission rule
will prevail.
(e)
Date Standard. Because the Year 2000 could have an impact
on virtually all computer systems due to the use of only the last two digits
of a date field, all state agencies and institutions of higher education will
adhere to the following standard, and will observe the Year 2000 readiness
criteria and complete the Year 2000 risk assessment described in paragraphs
(1)-(4) of this subsection.
(1)
Interchange Standard. Four-digit year elements will be
used for the purposes of electronic data interchange in any recorded form
among state agencies, institutions of higher education and the public. The
year shall encompass a two-digit century that precedes, and is contiguous
with, a two-digit year-of-century (e.g., 1999, 2000, etc.). Applications that
require day and month information will be coded in the following format: CCYYMMDD.
Additional representations for week, hour, minute, and second, if required,
will comply with the international standard ISO 8601:1988, "Data elements
and interchange formats--Information interchange--Representation of dates
and times." If two or more state agencies or institutions of higher education
agree to exchange month and day information based on ordinal dates, the ISO
standard format of CCYYDDD will be used.
(2)
Year 2000 Readiness Criteria. Any data-processing
asset must meet the following four criteria to be century-compliant:
(A)
General integrity: No value for current date will cause
interruptions in desired operation--especially from 20th to 21st centuries.
(B)
Date integrity: All manipulations of time-related data
(dates, durations, days of week, etc.) will produce desired results for all
valid date values within the application domain.
(C)
Explicit century: Date elements in interfaces and data
storage permit specifying century to eliminate date ambiguity.
(D)
Implicit century: For any date element represented without
century, the correct century is unambiguous for all manipulations involving
that element.
(3)
Implementation. State agencies and universities
shall complete a Year 2000 risk assessment of all computer based systems,
telecommunications equipment and data networks in 1996. Specific dates for
completing conversion and reprogramming fixes will depend on each organization's
risk assessment. All new systems acquired shall use four-digit year elements.
Contracts for software and/or hardware shall include Year 2000 protection
and warranty language.
(4)
As of January 1, 1997, all products and services purchased
by state agencies shall meet the requirements of paragraphs (1) and (2) of
this subsection.
(f)
Communications Wiring Standards for State Facilities.
(1)
Definitions. The following words and terms, when used in
this subsection, shall have the following meanings unless the context clearly
indicates otherwise.
(A)
ANSI--The American National Standards Institute.
(B)
EIA--The Electronics Industry Association.
(C)
TIA--The Telecommunications Industry Association.
(2)
All state agencies will adhere to the following
standards when wiring or re-wiring state-owned or state-leased space:
(A)
ANSI/EIA/TIA-568-1995, Commercial Building Telecommunications
Wiring Standard or its most recent successor document. This applies to the
telecommunications wiring for buildings that are office-oriented and when
ANSI/EIA/TIA-570-1991 is not selected. The term "commercial enterprises" is
used in ANSI/EIA/TIA-568-1991 to differentiate between office buildings and
buildings designed for industrial enterprises. ST-type fiber connectors shall
be used for fiber optic terminations.
(B)
ANSI/EIA/TIA-570-1991, Residential and Light Commercial
Building Telecommunications Wiring Standard or its most recent successor document,
when planning and designing premises-wiring systems intended for connecting
one to four exchange access lines to various types of customer-premises equipment
when ANSI/EIA/TIA-568-1991 is not selected.
(C)
ANSI/EIA/TIA-569-1990, Commercial Building Telecommunications
Pathways and Spaces or its most recent successor document, when planning and
designing state-owned and state-leased space to accommodate telecommunications
system wiring.
(D)
ANSI/EIA/TIA-606-1993, Administration Standard for the
Telecommunications Infrastructure of Commercial Buildings or its most recent
successor document, when documenting and administering telecommunications
infrastructures in state-owned and state-leased space.
This agency hereby certifies that the adoption
has been reviewed by legal counsel and found to be a valid exercise of the
agency's legal authority.
Filed with the Office of
the Secretary of State on March 14, 2000.
TRD-200001934
C.J. Brandt, Jr.
General Counsel
Department of Information Resources
Effective date: April 3, 2000
Proposal publication date: November 12, 1999
For further information, please call: (512) 475-2153
1 TAC §201.14
The Department of Information Resources adopts the amendment
to §201.14, concerning digital signatures, with changes to the proposed
text as published in the November 12, 1999, issue of the Texas Register
(24 TexReg 9912).
The effect of the amendments is to add new definitions and permit the inclusion
of public key infrastructure (PKI) service providers on an approved list on
the basis of an independent review of security practices.
The department received two (2) comments regarding the proposed amendments.
One commenter identified a typographical error in the references to Certification
Authorities. The department agrees and has made the appropriate corrections
in the adopted rule. The commenter also questioned the addition of "if any"
to Subsection (e)(1)(E)(iii) related to a certification practice statement.
The department disagrees that inclusion of this qualifier is unwarranted.
It is the responsibility of the Policy Authority to identify the parties,
scope of business, functional operations, and obligations between and among
PKI Service Providers and End Entities who engage in electronic transactions
in a Public Key Infrastructure. The Policy Authority would also identify,
or accept, the practices, procedures, and controls employed by a Certification
Authority. The department also notes that certain PKI Service Providers such
as Registrars may not be directly involved in the issuance of certificates,
and therefore should not be required to produce a certification practices
statement.
The other comment suggested that the rule would require the use of PKI
and would limit an agency's use of "Pretty Good Privacy" (PGP). The department
disagrees that the rule requires the use of PKI; the rule expressly allows
use of a specific biometric technology, signature dynamics, and allows interested
parties to apply to the department for approval of other technologies. The
department agrees that use of PGP would be limited by the rule, to the extent
that PGP does not conform to ISO X.509 Version 3 standards. The message and
certificate formats for PGP use simple binary encoding. This means that not
only can users of one protocol not communicate with the users of the other,
they also cannot share authentication certificates. The department will continue
to monitor the work on OpenPGP in the Internet Engineering Task Force (IETF),
and will provide notice of when PGP complies with X.509 Version 3 certificate
standards. No amendment to this rule will be required to add PGP to the list
of acceptable technologies when PGP products support the required interoperability
standards.
Names of groups or associations making comments for and against the rule:
For: Texas Department of Insurance, Texas Natural Resource Conservation
Commission
Against: None
The amendments are adopted in accordance with Texas Government
Code §2054.052(a), which provides the department may adopt rules as necessary
to implement its responsibilities, and Texas Government Code §2054.060(a),
which permits the department to adopt rules pertaining to digital signatures.
§201.14. Digital Signatures.
(a)
General.
(1)
This section applies to all written electronic communications
which are sent to a state agency over the Internet or other electronic network
or by another means that is acceptable to the state agency, for which the
identity of the sender or the contents of the message must be authenticated,
and for which no prior agreement between the sender and the receiving state
agency regarding message authentication existed as of the effective date of
this section. This section does not apply to or supersede the use and expansion
of existing systems:
(A)
for the receipt of electronically filed documents pursuant
to the Texas Business and Commerce Code or other applicable statutory law
where the purpose of the written electronic communication is to comply with
statutory filing requirements and the receiving state agency or local government
is not a party to the underlying transaction which is the subject of the communication;
or
(B)
for the electronic approval of payment vouchers under
rules adopted by the comptroller of public accounts pursuant to applicable
law.
(2)
Prior to accepting a digital signature, a state
agency shall ensure that the level of security used to identify the signer
of a message and to transmit the signature is sufficient for the transaction
being conducted. A state agency that accepts digital signatures may not effectively
discourage the use of digital signatures by imposing unreasonable or burdensome
requirements on persons wishing to use digital signatures to authenticate
written electronic communications sent to the state agency.
(3)
A state agency that accepts digital signatures shall
not be required to accept a digital signature that has been created by means
of a particular acceptable technology described in subsection (e) of this
section if the state agency:
(A)
determines that the expense that would necessarily be
incurred by the state agency in accepting such a digital signature is excessive
and unreasonable;
(B)
provides reasonable notice to all interested persons of
the fact that such digital signatures will not be accepted, and of the basis
for the determination that the cost of acceptance is excessive and unreasonable;
and
(C)
files an electronic copy (in html format) of the notice
with the department. The department shall make a copy of such notice available
to the general public via the World Wide Web at the following location: http://www.state.tx.us/Standards/srrpub13.htm.
(4)
A state agency shall review and consider any
applicable guidelines and recommendations that have been adopted by the department
in determining whether and for what purposes the state agency shall accept
a digital signature. A copy of such guidelines and recommendations may be
obtained directly from the department, or may be obtained electronically via
the World Wide Web at the following location: http://www.state.tx.us/Standards/srrpub13.htm.
(5)
A state agency shall ensure that all written electronic
communications received by the state agency and authenticated by means of
a digital signature in accordance with this section, as well as any information
resources necessary to permit access to the written electronic communications,
are retained by the state agency as necessary to comply with applicable law
pertaining to audit and records retention requirements.
(b)
Definitions. The following words and terms, when used
in this section, shall have the following meanings unless the context expressly
indicates otherwise:
(1)
Asymmetric cryptosystem - a computer-based system that
employs two different but mathematically related keys with the following characteristics:
(A)
one key encrypts a given message;
(B)
one key decrypts a given message; and
(C)
the keys have the property that, knowing one key, it is
computationally infeasible to discover the other key.
(2)
Certificate - a message which:
(A)
identifies the certification authority issuing it;
(B)
names or identifies its subscriber;
(C)
contains the subscriber's public key;
(D)
identifies its operational period;
(E)
is digitally signed by the certification authority issuing
it, and
(F)
conforms to ISO X.509 Version 3 standards.
(3)
Certificate Manufacturer - A person that provides
operational services for a Certification Authority or PKI Service Provider.
The nature and scope of the obligations and functions of a Certificate Manufacturer
depend on contractual arrangements between the Certification Authority or
other PKI Service Provider and the Certificate Manufacturer.
(4)
Certificate Policy - A document prepared by a Policy
Authority that describes the parties, scope of business, functional operations,
and obligations between and among PKI Service Providers and End Entities who
engage in electronic transactions in a Public Key Infrastructure.
(5)
Certification Authority - a person who issues a certificate.
(6)
Certification practice statement - Documentation
of the practices, procedures, and controls employed by a Certification Authority.
(7)
Digital signature - an electronic identifier intended
by the person using it to have the same force and effect as the use of a manual
signature, and that complies with the requirements of this section.
(8)
Digitally-signed communication - a message that has
been processed by a computer in such a manner that ties the message to the
individual that signed the message.
(9)
End Entities - Subscribers or Signers and Relying
Parties.
(10)
Escrow agent - a person who holds a copy of a private
key at the request of the owner of the private key in a trustworthy manner.
(11)
Expert - a person with demonstrable skill and knowledge
based on training and experience who would qualify as an expert under Rule
702 of the Texas Rules of Civil Evidence.
(12)
Handwriting measurements - the metrics of the shapes,
speeds and/or other distinguishing features of a signature as the person writes
it by hand with a pen or stylus on a flat surface.
(13)
Key pair - a private key and its corresponding public
key in an
(14)
Local government - a county, municipality, special
district, or other political subdivision of this state or a state that borders
this state, or a combination of two or more of those entities, but excluding
an agency in the judicial branch of local government.
(15)
Message - a digital representation of information.
(16)
Person - an individual, state agency, local government,
corporation, partnership, association, organization, or any other legal entity.
(17)
PKI - Public Key Infrastructure.
(18)
PKI Service Provider - A Certification Authority,
Certificate Manufacturer, Registrar, or any other person that performs services
pertaining to the issuance or verification of certificates.
(19)
Policy Authority - A person with final authority
and responsibility for specifying a Certificate Policy.
(20)
Private key - the key of a key pair used to create
a digital signature.
(21)
Proof of Identification - the document or documents
or other evidence presented to a Certification Authority to establish the
identity of a subscriber.
(22)
Public key - the key of a key pair used to verify
a digital signature.
(23)
Public Key Cryptography - a type of cryptographic
technology that employs an asymmetric cryptosystem.
(24)
Registrar - A person that gathers evidence necessary
to confirm the accuracy of information to be included in a Subscriber's certificate.
(25)
Relying Party - A state agency that has received
an electronic message that has been signed with a digital signature and is
in a position to rely on the message and signature.
(26)
Role-based key - a key pair issued to a person to
use when acting in a particular business or organizational capacity.
(27)
Signature Digest - the resulting bit-string produced
when a signature is tied to a document using Signature Dynamics.
(28)
Signature Dynamics - measuring the way an individual
writes his or her signature by hand on a flat surface and binding the measurements
to a message through the use of cryptographic techniques.
(29)
Signer - the person who signs a digitally signed
communication with the use of an acceptable technology to uniquely link the
message with the person sending it.
(30)
State agency - a department, commission, board,
office, council, or other agency in the executive branch of state government
that is created by the constitution or a statute of this state, including
a university system or institution of higher education as defined by Section
61.003, Education Code.
(31)
Subscriber - a person who:
(A)
is the subject listed in a certificate;
(B)
accepts the certificate; and
(C)
holds a private key which corresponds to a public key
listed in that certificate.
(32)
Technology - the computer hardware and/or software-based
method or process used to create digital signatures.
(33)
Written electronic communication - A message that
is sent by one person to another person.
(c)
Digital Signatures must be Created by an Acceptable Technology.
For a digital signature to be valid for use by a state agency, it must be
created by a technology that is accepted for use by the department pursuant
to this section.
(d)
Criteria for Determining if a Digital Signature Technology
is Acceptable. An acceptable technology must be capable of creating signatures
that conform to requirements set forth in Government Code, §2054.060,
and the requirements of this section.
(e)
List of Acceptable Technologies.
(1)
The technology known as Public Key Cryptography is an
acceptable technology for use by state agencies, provided that the digital
signature is created consistent with the following:
(A)
A public key-based digital signature must be unique to
the person using it. Such a signature may be considered unique to the person
using it if:
(i)
the private key used to create the signature on the message
is known only to the signer or, in the case of a role-based key, known only
to the signer and an escrow agent acceptable to the signer and the state agency;
and
(ii)
the digital signature is created when a person runs a
message through a one-way function, creating a message digest, then encrypting
the resulting message digest using an asymmetric cryptosystem and the signer's
private key; and
(iii)
although not all digitally signed communications will
require the signer to obtain a certificate, the signer is capable of being
issued a certificate to certify that he or she controls the key pair used
to create the signature; and
(iv)
it is computationally infeasible to derive the private
key from knowledge of the public key.
(B)
A public-key based digital signature must be capable of
independent verification. Such a signature may be considered capable of independent
verification if:
(i)
the relying party can verify the message was digitally
signed by using the signer's public key to decrypt the message; and
(ii)
if a certificate is a required component of a transaction
with a state agency, the issuing PKI Service Provider, either through a certification
practice statement, certificate policy, or through the content of the certificate
itself, has identified what, if any, proof of identification it required of
the signer prior to issuing the certificate.
(C)
The private key of public-key based digital signature
must remain under the sole control of the person using it, or in the case
of a role-based key, that person and an escrow agent acceptable to that person
and the state agency. Whether a signature is accompanied by a certificate
or not, the person who holds the key pair, or the subscriber identified in
the certificate, must exercise reasonable care to retain control of the private
key and prevent its disclosure to any person not authorized to create the
subscriber's digital signature.
(D)
The digital signature must be linked to the message of
the document in such a way that it would be computationally infeasible to
change the data in the message or the digital signature without invalidating
the digital signature.
(E)
Acceptable PKI Service Providers.
(i)
The department shall maintain an "Approved List of PKI
Service Providers" authorized to issue certificates for digitally signed communications
sent to state agencies or otherwise provide services in connection with the
issuance of certificates. The list may include, but shall not necessarily
be limited to, Certification Authorities, Certificate Manufacturers, Registrars,
and/or other PKI Service Providers accepted and approved for use in connection
with electronic messages transmitted to other state or federal governmental
entities. A copy of such list may be obtained directly from the department,
or may be obtained electronically via the World Wide Web at the following
location: http://www.state.tx.us/Standards/srrpub13.htm.
(ii)
State agencies shall only accept certificates from PKI
Service Providers that appear on the "Approved List of PKI Service Providers."
(iii)
The department shall place a PKI Service Provider on
the "Approved List of PKI Service Providers" after the PKI Service Provider
provides the Department with a copy of its current certification practice
statement, if any, and a copy of an unqualified performance audit performed
in accordance with standards set in the American Institute of Certified Public
Accountants (AICPA) Statement on Auditing Standards No. 70 (S.A.S. 70) to
ensure that the PKI Service Provider's practices and policies are consistent
with the requirements of the PKI Service Provider's certification practice
statement, if any, and the requirements of this section.
(iv)
In order to be placed on the "Approved List of PKI Service
Providers" a PKI Service Provider that has been in operation for one year
or less shall undergo a SAS 70 Type One audit - A Report of Policies and Procedures
Placed in Operation, receiving an unqualified opinion.
(v)
In order to be placed on the "Approved List of PKI Service
Providers" a PKI Service Provider that has been in operation for longer than
one year shall undergo a SAS 70 Type Two audit - A Report of Policies and
Procedures Placed in Operation and Test of Operating Effectiveness, receiving
an unqualified opinion.
(vi)
In lieu of the audit requirements of (iv) and (v) above,
a PKI Service Provider may be placed on the "Approved List of PKI Service
Providers" upon providing the Department with documentation issued by a person
independent of the PKI Service Provider that is indicative of the security
policies and procedures actually employed by the PKI Service Provider and
that is acceptable to the department in its sole discretion. The Department
may request additional documentation relating to policies and practices employed
by the PKI Service Provider indicating the trustworthiness of the technology
employed and compliance with applicable guidelines published by the Department.
(vii)
To remain on the "Approved List of PKI Service Providers"
a Certification Authority must provide proof of compliance with the audit
requirements or other acceptable documentation to the department every two
years after initially being placed on the list. In addition, a Certification
Authority must provide a copy of any changes to its certification practice
statement to the department promptly following the adoption by the Certification
Authority of such changes.
(viii)
If the department is informed that a PKI Service Provider
has received a qualified or otherwise unacceptable opinion following a required
audit or if the department obtains credible information that the technology
employed by the PKI Service Provider can no longer reasonably be relied upon,
or if the PKI Service Provider's certification practice statement is substantially
amended in a manner that causes the PKI Service Provider to become no longer
in compliance with the audit requirements of this section, the PKI Service
Provider may be removed from the "Approved List of PKI Service Providers"
by the department. The effect of the removal of a PKI Service Provider from
the "Approved List of PKI Service Providers" shall be to prohibit state agencies
from thereafter accepting digital signatures for which the PKI Service Provider
issued a certificate or provided services in connection with such issuance
for so long as the PKI Service Provider is removed from the list. The removal
of a PKI Service Provider from the "Approved List of PKI Service Providers"
shall not, in and of itself, invalidate a digital signature for which a PKI
Service Provider issued the certificate prior to its removal from the list.
(2)
The technology known as "Signature Dynamics"
is an acceptable technology for use by state agencies, provided that the signature
is created consistent with the following provisions:
(A)
A digital signature produced by Signature Dynamics technology
must be unique to the person using it. A signature digest produced by Signature
Dynamics technology may be considered unique to the person using it if:
(i)
the signature digest records the handwriting measurements
of the person signing the message using signature dynamics technology; and
(ii)
the signature digest is cryptographically bound to the
handwriting measurements; and
(iii)
after the signature digest has been bound to the handwriting
measurements, it is computationally infeasible to separate the handwriting
measurements and bind them to a different signature digest.
(B)
A digital signature produced by Signature Dynamics technology
must be capable of independent verification. A signature digest produced by
Signature Dynamics technology may be considered capable of independent verification
if:
(i)
the acceptor of the digitally signed message obtains the
handwriting measurements for purposes of comparison; and
(ii)
if signature verification is a required component of
a transaction with a state agency, the handwriting measurements can allow
an expert handwriting and document examiner to assess the authenticity of
a signature.
(C)
A digital signature produced by Signature Dynamics technology
must remain under the sole control of the person using it. A signature digest
produced by Signature Dynamics technology may be considered to be under the
sole control of the person using it if:
(i)
the signature digest captures the handwriting measurements
and cryptographically binds them to the message directed by the signer and
to no other message; and
(ii)
the signature digest makes it computationally infeasible
for the handwriting measurements to be bound to any other message.
(D)
The signature digest produced by signature dynamics technology
must be linked to the message in such a way that it would be computationally
infeasible to change the data in the message or the digital signature without
invalidating the digital signature.
(f)
Provisions For Adding New Technologies to the List of
Acceptable Technologies.
(1)
Any person may, by providing a written request that includes
a full explanation of a proposed technology which meets the requirements of
subsection (c) of this section, petition the department to review the technology.
If the department determines that the technology is acceptable for use by
state agencies, the department shall draft proposed administrative rules which
would add the proposed technology to the list of acceptable technologies in
subsection (e) of this section.
(2)
The department has 90 days from the date of the request
to review the petition and either accept or deny it. If the Department does
not approve the request within 90 days, the petitioner's request shall be
considered denied. If the department denies the petition, it shall notify
the petitioner in writing of the reasons for denial. The petitioner may appeal
the department's denial of the petition at the next regularly scheduled board
meeting.
This agency hereby certifies that the adoption has been
reviewed by legal counsel and found to be a valid exercise of the agency's
legal authority.
Filed with the Office of
the Secretary of State on March 15, 2000.
TRD-200001947
C.J. Brandt, Jr.
General Counsel
Department of Information Resources
Effective date: April 4, 2000
Proposal publication date: November 12, 1999
For further information, please call: (512) 475-2153