PART 10. DEPARTMENT OF INFORMATION RESOURCES
CHAPTER 202. INFORMATION SECURITY STANDARDS
The Texas Department of Information Resources (department) proposes amendments to 1 TAC Chapter 202, §§202.1, 202.20 - 202.26, and 202.70 - 202.76, concerning Information Security Standards.
PART I. PURPOSE, BACKGROUND, AND AUTHORITY
The proposed amendments would clarify and standardize policy requirements for state agencies and institutions of higher education to help protect the State's critical information resources and the security of citizens' information.
The proposed clarifications and additions address three technical areas of security controls: firewalls, encryption, and incident response; and they reflect findings and recommendations of the State Auditor's Office (SAO) as well as improved technical standards.
The following proposed amendments are necessary to address the findings and recommendations of SAO Report No. 08-030 for the department to standardize network controls and firewall configurations and establish minimum security policies for network devices and periodically test firewall security to verify compliance with these policies. The affected security control provisions are:
§202.1(4), (5), (7), (10), (14), (15), and (20);
§202.21 and §202.71: (b), (c)(1)(D) - (F), (H), and (I); (c)(2)(B); (d)(3) and (5);
§202.23 and §202.73: (a) and (b);
§202.24 and §202.74: (a)(1)(A) - (C);
§202.25 and §202.75: (2)(A) and (B); (7)(B), (D), (G), (I), (K), (U), (X), (Z)(iii) and (iv), and (AA); (8) "Intrusion Protection System" state agency and institution of higher education; (8)(A) - (D);
§202.25(8) "Perimeter Security Controls" state agency only.
The following proposed amendments are necessary to clarify and improve the technical standards for encryption. The affected encryption standard change provisions are:
§202.1(9);
§202.25 and §202.75: (4), (4)(A) - (C); (7)(H) and (Z)(ii).
The following proposed amendments are necessary to clarify and improve the technical standards and best practices for reporting security incidents. The affected incident response-related change provisions are:
§202.1(22);
§202.25 and §202.75: (7)(J);
§202.26 and §202.76: (a) - (e).
Additionally, technical corrections in numbering, definitions, terminology, word usage, consistency, and clarifications are also included throughout the rule.
Numbering:
§202.1(7) - (29);
§202.21 and §202.71: (c)(1)(F) - (I);
§202.24 and §202.74: (a)(3) and (4);
§202.25 and §202.75: (7)(E) - (AA).
Definitions, terminology, and technical corrections:
§202.1(1) - (3), (8), (11), (12), (16) - (19), (21), (23) - (29);
§202.20 and §202.70;
§202.21 and §202.71: (c); (c)(1); (c)(1)(G); (c)(2)(A);
§202.22 and §202.72: (a); (a)(1)(B); (c);
§202.24 and §202.74: (a)(2); (b);
§202.25 and §202.75: (3)(C), (D), and (E); (5)(C); (6)(C); (7)(F);
§202.75(7).
Word usage, consistency, and clarifications:
§202.20 and §202.70: (1), (4), (5), (6), and (8);
§202.21 and §202.71: (a); (c)(2); (c)(2)(D); (d)(2);
§202.24 and §202.74: (a); (a)(4)(C) - (E);
§202.25 and §202.75: (1); (5)(A); (6)(A) and (B); (7)(Z)(i); (9)(D).
The amendments are proposed under §2054.052(a), Texas Government Code, which provides the department authority to adopt rules to implement its responsibility for information security.
PART II. EXPLANATION OF INDIVIDUAL PROVISIONS
The proposed amendments to these provisions are as follows:
§202.1(1). Administrative change clarifies the definition of "Access" to more accurately reflect standard terminology.
§202.1(2). Administrative change that clarifies the definition of "Business Continuity Planning" to more consistently reflect standard terminology.
§202.1(3). Administrative change that clarifies the definition of "Confidential Information" to more accurately reflect constitutional, statutory, judicial, and legal requirements.
§202.1(4). Security control change that clarifies the definition of "Control" to more accurately reflect standard terminology.
§202.1(5). Security control change that clarifies the definition of "Custodian of an Information Resource" to more accurately include parties that may act on behalf of a state entity.
§202.1(7) - (29). Administrative change that renumbers to reflect additions and deletions to the list of applicable terms and technologies.
§202.1(7). Security control change that inserts and clarifies the definition of the term "DMZ (Demilitarized Zone)" from §202.25(8) and §202.75(8) (Perimeter Security Controls) in the list of applicable terms and technologies.
§202.1(8). Administrative change that inserts the term "Electronic Communication" in the list of applicable terms and technologies.
§202.1(9). Encryption standard change that inserts the definition of the term "Encryption" in the list of applicable terms and technologies.
§202.1(10). Security control change that inserts and updates the definition of the term "Firewall" from §202.25(8) and §202.75(8) (Perimeter Security Controls) in the list of applicable terms and technologies. The deleted definition "Owner of an Information Resource" is incorporated into the definition of "Information Owner" in §202.1(11).
§202.1(11). Administrative change that renumbers and clarifies the definition of the term "Information Owner" previously listed as "Owner of an Information Resource" at §202.1(10), to more accurately reflect standard terminology.
§202.1(12). Administrative change that renumbers and corrects the definition of the term "Information Resources" that was previously listed as §202.1(7), to accurately reflect the Texas Government Code reference; deletes the previous non-standard term, "Restricted Personal Information."
§202.1(14). Security control change that inserts and clarifies the definition of the term "Intrusion Detection System (IDS)" from §202.25(8) and §202.75(8) (Perimeter Security Controls) in the list of applicable terms and technologies.
§202.1(15). Security control change that inserts the term "Intrusion Prevention System (IPS)" in the list of applicable terms and technologies; deletes the previous non-standard term, "Security Risk Analysis."
§202.1(16). Administrative change that renumbers and clarifies the definition of "Mission Critical Information" that was previously listed as §202.1(9); deletes the previous non-standard term, "Security Risk Assessment" that is now defined as "Risk Assessment" in §202.1(18).
§202.1(17). Administrative change that renumbers the definition of the term "Platform" that was previously listed as §202.1(11); deletes the previous non-standard term, "Security Risk Management" that is now defined as "Risk Management" in §202.1(19).
§202.1(18). Administrative change that renumbers and clarifies the definition of "Risk Assessment" to replace the term "Security Risk Assessment" that was previously listed as §202.1(16).
§202.1(19). Administrative change that renumbers and clarifies the definition of "Risk Management" to replace the term "Security Risk Management" that was previously listed as §202.1(17).
§202.1(20). Security control change that inserts and updates the definition of the term "Router" from §202.25(8) and §202.75(8) (Perimeter Security Controls) in the list of applicable terms and technologies.
§202.1(21). Administrative change that renumbers and clarifies the definition of "Sanitize" that was previously listed as "Sanitized" in §202.1(13) to reflect an update to the referenced sources (U.S. Department of Defense 5220.22-M standards and NIST SP800-88).
§202.1(22). Incident response-related change that renumbers and clarifies the definition of "Security Incident" that was previously listed as §202.1(14); deletes the term "Vulnerability Report".
§202.1(23). Administrative change that inserts the term "Sensitive Personal Information" in the list of applicable terms and technologies.
§202.1(24). Administrative change that renumbers and clarifies the definition of "Storage Device" that was previously listed as §202.1(18); deletes the term "Wireless Security Guidelines."
§202.1(25). Administrative change that renumbers and clarifies the definition of "Test" that was previously listed as §202.1(19).
§202.1(26). Administrative change that inserts the term "Threat" in the list of applicable terms and technologies.
§202.1(27). Administrative change that renumbers and clarifies the definition of "User of an Information Resource" that was previously listed as §202.1(20) to more consistently reflect standard terminology.
§202.1(28). Administrative change that renumbers and clarifies the definition of "Vulnerability Assessment" that was previously listed as §202.1(21) to more consistently reflect Texas Government Code terminology.
§202.1(29). Administrative change that renumbers and updates the definition of "Wireless Access" that was previously listed as §202.1(23); includes the associated references in §202.1(28)(C) that were previously listed in §202.1(24), "Wireless Security Guidelines."
§202.20 and §202.70. Administrative change that aligns risk management terminology to reflect clarifications to the list of applicable terms and technologies in §202.1.
§202.20(1), (4), (5), (6), (8) and §202.70(1), (4), (5), (6), (8). Administrative change for wording consistency.
§202.21(a) and §202.71(a). Administrative change that clarifies wording regarding information ownership and associated responsibilities.
§202.21(b) and §202.71(b). Security control change that clarifies the requirement for the information resource owner to coordinate with the head of the agency/institution of higher education when classifying business functional information.
§202.21(c) and §202.71(c). Administrative change that aligns Information Owner terminology to reflect clarifications to the list of applicable terms and technologies in §202.1 and clarifies Information Security Officer functions.
§202.21(c)(1) and §202.71(c)(1). Administrative change that aligns Information Owner terminology to reflect clarifications to the list of applicable terms and technologies in §202.1.
§202.21(c)(1)(D) and §202.71(c)(1)(D). Security control change that clarifies the responsibility and authority for data owners to specify controls that extend to services as well as to other information resources.
§202.21(c)(1)(E) and §202.71(c)(1)(E). Security control change that clarifies the responsibility for data owners to confirm that controls are in place to ensure data confidentiality as well as data accuracy, authenticity, and integrity.
§202.21(c)(1)(F) and §202.71(c)(1)(F). Security control change that deletes a redundant subparagraph that is incorporated into the previous subparagraphs.
§202.21(c)(1)(F) - (I) and §202.71(c)(1)(F) - (I). Administrative change that reletters subparagraphs to reflect additions and deletions to the list of Information Owner Responsibilities.
§202.21(c)(1)(G) and §202.71(c)(1)(G). Administrative change that aligns risk management terminology to reflect clarifications to the list of applicable terms and technologies in §202.1.
§202.21(c)(1)(H) and §202.71(c)(1)(H). Security control change that adds and clarifies the responsibility and authority for information owners to approve, justify, document, and coordinate agency and institution of higher education exceptions to security controls.
§202.21(c)(1)(I) and §202.71(c)(1)(I). Security control change that adds and clarifies the responsibility and authority for information owners to classify business functional information.
§202.21(c)(2) and §202.71(c)(2). Administrative change that clarifies the responsibilities of information resources custodians to include third party entities.
§202.21(c)(2)(A) and §202.71(c)(2)(A). Administrative change that aligns information owner terminology to reflect clarifications to the list of applicable terms and technologies in §202.1.
§202.21(c)(2)(B) and §202.71(c)(2)(B). Security control change that clarifies custodian responsibility to include technical safeguards for information resources.
§202.21(c)(2)(D) and §202.71(c)(2)(D). Administrative change for word usage.
§202.21(d)(2) and §202.71(d)(2). Administrative change for wording consistency.
§202.21(d)(3). Security control change that aligns the requirement for the state agency Information Security Officer to approve security controls for major information resources projects as specified in §§2054.304 - 2054.307, Texas Government Code. This change does not apply to institutions of higher education.
§202.21(d)(5) and §202.71(d)(5). Security control change that adds and clarifies the responsibility and authority for Information Security Officers to approve, justify, document, and communicate agency and institution of higher education exceptions to information security requirements or controls as part of the security risk assessment process.
§202.22(a) and §202.72(a). Administrative change that aligns risk management terminology to reflect clarifications in the list of applicable terms and technologies in §202.1.
§202.22(a)(1)(B) and §202.72(a)(1)(B). Administrative change that aligns data classification terminology to reflect clarifications to the list of applicable terms and technologies in §202.1.
§202.22(c) and §202.72(c). Administrative change that aligns risk management and risk assessment terminology to reflect clarifications in the list of applicable terms and technologies in §202.1 and corrects a Texas Government Code reference.
§202.23(a) and §202.73(a). Security control change that clarifies the scope of physical security management and documentation responsibilities.
§202.23(b) and §202.73(b). Security control change that clarifies the requirement for conducting a review at least annually of physical security measures for information resources as part of the risk assessment process, rather than as a separate, uncoordinated, or redundant effort.
§202.24(a) and §202.74(a). Administrative change that aligns the "shall" statement requiring the head of a state agency/institution of higher education to approve the Business Continuity Planning documentation with the requirement to maintain the plan.
§202.24(a)(1)(A) - (C) and §202.74(a)(1)(A) - (C). Security control change that updates and consolidates the elements of Business Impact Analysis for Business Continuity Planning using current best practices that were previously described in §202.24(a)(1)(A) - (H) and §202.74(a)(1)(A) - (H) as well as Recovery Strategies that were previously included in §202.24(a)(3) and §202.74(a)(3).
§202.24(a)(2) and §202.74(a)(2). Administrative change that aligns risk assessment terminology to reflect clarifications in the list of applicable terms and technologies in §202.1.
§202.24(a)(3) and §202.74(a)(3). Administrative change that renumbers previously numbered §202.24(a)(4) and §202.74(a)(4).
§202.24(a)(4) and §202.74(a)(4). Administrative change that renumbers previous §202.24(a)(5) and §202.74(a)(5) and clarifies Disaster Recovery Planning event criteria including severity and duration.
§202.24(a)(4)(C) - (E) and §202.74(a)(4)(C) - (E). Administrative changes that clarify word usage, eliminate redundant language (subparagraph (D)), and reletter §202.24(a)(4)(D) and (E) and §202.74(a)(4)(D) and (E).
§202.24(b) and §202.74(b). Administrative change that aligns mission critical information terminology to reflect clarifications in the list of applicable terms and technologies in §202.1.
§202.25 and §202.75. Security control change that aligns Information Resources Security Safeguard requirements with "shall" statements in subordinate paragraph sections. Also clarifies the process to approve, justify, and document exceptions to information security safeguards.
§202.25(1) and §202.75(1). Administrative change for word usage.
§202.25(2)(A) and §202.75(2)(A). Security control change that clarifies the scope of requirement to identify, document, and protect confidential information files or records consistent with the requirements stated in §202.20(1) and §202.70(1).
§202.25(2)(B) and §202.75(2)(B). Security control change that clarifies and updates the responsibility to protect information resources that are assigned to third parties.
§202.25(3)(C), (D) and §202.75(3)(C), (D). Administrative change that aligns risk management terminology to reflect clarifications to the list of applicable terms and technologies in §202.1.
§202.25(3)(E) and §202.75(3)(E). Administrative change that updates the reference for digital signature guidelines.
§202.25(4)(A), (B), (C) and §202.75(4)(A), (B), (C). Encryption standard change that clarifies and updates the technical and procedural standards for encryption. Describes the need to protect portable devices, removable media, and encryption keys. Provides specific encryption requirements for transmitting and storing confidential information and provides options for protecting other data classifications.
§202.25(5)(A) and §202.75(5)(A). Administrative change for wording consistency.
§202.25(5)(C) and §202.75(5)(C). Administrative change that aligns risk assessment terminology to reflect clarifications to the list of applicable terms and technologies in §202.1.
§202.25(6)(A), (B) and §202.75(6)(A), (B). Administrative change that clarifies procedural safeguards for protecting data within test environments.
§202.25(6)(C) and §202.75(6)(C). Administrative change that aligns information owner terminology to reflect clarifications in the list of applicable terms and technologies in §202.1 and for wording consistency.
§202.75(7). Administrative change that aligns risk assessment terminology to reflect clarifications to the list of applicable terms and technologies in §202.1. This change does not apply to §202.25(7).
§202.25(7)(B) and §202.75(7)(B). Security control change that clarifies and updates applicable "Account Management" policy requirements to include user identity and monitoring user access, as well as administering user accounts.
§202.25(7)(D) and §202.75(7)(D). Security control change that adds the recommendation for creating, distributing, and implementing an "Application Security" policy based on applicable risk management decisions and business functions.
§202.25(7)(E) - (AA) and §202.75(7)(E) - (AA). Administrative changes that reletter subparagraphs to reflect updates and additional entries.
§202.25(7)(F) and §202.75(7)(F). Administrative change that reletters and updates "Change Management" to include "Configuration Management" term to reflect standard security terminology.
§202.25(7)(G) and §202.75(7)(G). Security control change that reletters, clarifies and updates applicable "Email" with "Electronic Communication" policy requirements to include electronic messages in addition to email.
§202.25(7)(H) and §202.75(7)(H). Encryption standard change that adds the recommendation for creating, distributing, and implementing an "Encryption" policy based on applicable risk management decisions and business functions.
§202.25(7)(I) and §202.75(7)(I). Security control change that adds the recommendation for creating, distributing, and implementing a "Firewall" management policy based on applicable risk management decisions and business functions. Clauses (i) - (vi) provide suggested topic areas that the firewall policy should address.
§202.25(7)(J) and §202.75(7)(J). Incident response-related change that clarifies and updates "Incident Management" policy requirements to reflect reporting consistency with §202.26 and §202.76.
§202.25(7)(K) and §202.75(7)(K). Security control change that updates and replaces the previous "Password/Authentication" policy recommendation in §202.25(7)(L) and §202.75(7)(L) with "Identification/Authentication" policy requirements for granting access to resources in an information system based on applicable risk management decisions and business functions.
§202.25(7)(U) and §202.75(7)(U). Security control change that reletters, updates, and clarifies the previous "Platform Hardening" term in §202.25(7)(R) and §202.75(7)(R) with applicable "Platform Management" policy requirements to include configuration, patching and monitoring in addition to installing and maintaining the platform.
§202.25(7)(X) and §202.75(7)(X). Security control change that reletters, clarifies, and updates the previous "Vendor Access" policy in §202.25(7)(U) and §202.75(7)(U) with applicable "Third Party Access" policy requirements to include contractors, vendors, and other outside parties that have access to information resources, support services, and responsibilities for protecting state information.
§202.25(7)(Z)(i) and §202.75(7)(Z)(i). Administrative change that reletters the previous §202.25(7)(W)(i) and §202.75(7)(W)(i) and clarifies word usage.
§202.25(7)(Z)(ii) and §202.75(7)(Z)(ii). Encryption standard change that reletters, clarifies and updates the previous "Wireless Access" policy requirements in §202.25(7)(W)(ii) and §202.75(7)(W)(ii) to reflect revised technical encryption standards for transmitting confidential information.
§202.25(7)(Z)(iii), (iv) and §202.75(7)(Z)(iii), (iv). Security control change that reletters the previous §202.25(7)(W)(iii) and (iv) and §202.75(7)(W)(iii) and (iv), and replaces redundant "Wireless Access" in clause (iii) with information storage and transmission policy standards now contained in §202.25(4)(A), (B) and (C) and §202.75(4)(A), (B) and (C). Also clarifies and updates applicable "Wireless Access" policy requirements to include the requirement to periodically monitor compliance.
§202.25(7)(AA) and §202.75(7)(AA). Security control change that reletters, clarifies, and updates the previous §202.25(7)(X) and §202.75(7)(X) with applicable "Vulnerability Assessment" policy requirements to reflect the various types of assessments that can be performed and eliminate redundancy with other sections regarding risk assessments.
§202.25(8). Security control change that clarifies and updates the "Perimeter Security Controls" safeguard to include the department's requirement to provide related external security services for state agencies pursuant to Chapters 2054 and 2059, Texas Government Code. This change does not apply to institutions of higher education.
§202.25(8) and §202.75(8). Security control change that adds Intrusion Protection System (IPS) to the list of components that may be included as part of perimeter security controls; the IPS description is included at §202.1(14).
§202.25(8)(A), (B), (C), (D) and §202.75(8)(A), (B), (C), (D). Security control change that moves and updates the perimeter security component descriptions and definitions (DMZ, Firewall, IDS, Router) in the list of applicable terms and technologies (§202.1(7), (10), (13), and (19)).
§202.25(9)(D) and §202.75(9)(D). Administrative change that clarifies the requirement for system Logon Banners to specify that the no-expectation-of-privacy statement applies to system users.
§202.26(a) and §202.76(a). Incident response-related change that clarifies and updates agency and institution of higher education reporting requirements for security incidents based on the business and technical impact of the incident. Also defines the types of security incidents that require timely reporting to department.
§202.26(b) and §202.76(b). Incident response-related change that clarifies and updates requirements for responding to security incidents in ways that comply with law enforcement notification and evidence handling requirements.
§202.26(c) and §202.76(c). Incident response-related change that clarifies and streamlines incident reporting requirements. Also clarifies the security incident reporting responsibilities of vendors and other third parties with respect to the agencies and institutions of higher education that they support.
§202.26(d) and §202.76(d). Incident response-related change that clarifies the monthly summary reporting requirements for state agencies, institutions of higher education, and supporting third parties.
§202.26(e) and §202.76(e). Incident response-related change that incorporates the requirement that the Department of Information Resources provide additional reporting instructions into §202.26(c) and (d) and §202.76(c) and (d).
PART III. IMPACT STATEMENTS, PUBLIC BENEFITS AND COSTS
William A. Perez, State of Texas Chief Information Security Officer, has determined that for the first five-year period the rules are in effect there will be minimal fiscal implications for state government. There is no impact on local government as a result of enforcing or administering the rules. The fiscal implication of each provision is discussed below.
Mr. Perez has also determined that for each year of the first five-year period the rules are in effect, the public benefit anticipated will be improved protection of confidential information, including sensitive personal information, by state agencies, including institutions of higher education; improved clarity in state agency and institution of higher education firewall policy; and clear security standards for all state agency and institution of higher education employees to observe. Other than the positive impact of improved security of citizen information held by state agencies and institutions of higher education, there will be no effect on small businesses, micro-businesses, or individuals and no taking of private property for public use.
A. Standardize network controls including firewall configurations.
The following provisions are affected: §§2054.051, 2054.052 and 2054.121, Texas Government Code.
There are no costs to state agencies and institutions of higher education when implementing standard best practices for the recommended provisions for security controls including firewall management using existing IT, security, and management staff.
Annual risk assessments are required internal functions for state agencies and institutions of higher education as addressed in §202.23(b) and §202.73(b). To assist in this effort, the department has funded the licensing for a web-based risk assessment tool that Texas A&M University developed for state agency and institution of higher education compliance with these rules and other risk assessment best practices. The annual cost to the department for user licenses, annual upgrades, and maintenance of the Information Security Awareness Assessment compliance (ISAAC) tool is $75,000. There is no additional cost to state agencies or institutions of higher education that elect to use the available licenses and web-based training.
Although each state agency and institution of higher education can implement testing and verification controls using manual and other no-cost, automated tools, the department provides annual controlled penetration tests that assess external security controls at no cost to state agencies. In fiscal 2008, the department delivered a total of 163 technical network vulnerability security assessments. Of this total, 112 assessments were complex controlled penetration tests and two were wireless network assessments for eligible state entities. The department also offers these services to institutions of higher education at nominal cost based on proportionate usage (no more than $15,000 per engagement) to the extent approved by the Information Technology Council for Higher Education and as required by §2059.052 and §2059.151, Texas Government Code. These costs are not applicable to state agencies and are optional expenditures for institutions of higher education.
B. Encryption.
The following provisions are affected: §§2054.051, 2054.052 and 2054.121, Texas Government Code.
There are no costs when agencies and institutions of higher education develop policies that prohibit the storing or transmission of confidential information on certain media or devices. For those state entities that must store and transmit confidential information on portable devices, via wireless networks or via Internet, the proposed provisions provide reasonable assurance that this information will be protected from unauthorized exposure. The cost of encryption installed on portable devices will vary depending on the type of encryption employed. Some encryption can be installed without cost.
In a FY 2006 assessment of twenty-eight of the State's largest agencies, the department found that twelve had wireless implementations with a total of 826 wireless users. This number has continued to grow through the implementation of additional wireless technologies and business continuity contingency planning for remote computing. The ongoing emphasis on mobility and collaboration has made encryption a top priority to protect data. When properly prioritized and implemented, encryption investments can not only meet legislative mandates and compliance-driven regulations, they reinforce customer confidence in e-government services.
Between January 2005 and December 2008, thirty-four of the ninety-two incidents reported for Texas-based organizations were attributed to state government entities (Identity Theft Resource Center, "2008 Breach List" and Privacy Rights Clearinghouse, "Chronology of Data Breaches," 2008). The number of individual records exposed totaled over 3 million, which is over twelve percent of the state's population. The estimated cost of this type of security breach is at an all-time high of $202 per record exposed (Ponemon Institute, "Cost of a Data Breach" for the year 2008).
To assist state entities with their data protection efforts and to avoid the costs cited above, particularly for confidential data on mobile devices, the department issued a Buyers' Alert for a Whole Disk Encryption product in the fourth quarter of FY 2008 that was subsequently extended into FY 2009. This encryption solution satisfies all current and proposed state and federal data encryption compliance requirements. As a result of this offering, state entities increased their acquisition of Whole Disk Encryption licenses from 500 in FY 2007 to almost 60,000 in 2008. Department-managed "Go Direct" contracts for these types of products increased from $87,000 in FY 2007 to over $730,000 in FY 2008 and the first quarter of FY 2009. This type of enhanced security for confidential information stored on mobile devices is available at low, commodity pricing (approximately $11.50 per license) via multiple vendors on department-managed contracts. State entities can also avoid the risk to confidential information and the associated direct and indirect costs by adopting mobile computing and other information security policies that do not place confidential information at high risk of unauthorized disclosure.
C. Incident Reporting
The following provisions are affected: §§2054.051, 2054.052 and 2054.121, Texas Government Code.
There are no costs when agencies and institutions of higher education provide security incident reporting to the department using existing IT, security, and management staff. The department received a $250,000 allocation of State Homeland Security Program (SHSP) funds in fiscal year 2008 through the Texas State Administrative Agency (SAA) and the Governor's Division of Emergency Management (GDEM) to develop a sustainable Texas Computer Security Incident Response Team (CSIRT) program. The CSIRT development, training, and certification program is conducted in partnership with Carnegie Mellon University. To be effective, the department and agency CSIRT members need to receive timely reporting of significant security incidents as well as comprehensive monthly summary reports. The first two CSIRT training phases were completed in FY 2008. The third phase for the first class has been completed and a new training cycle will begin in the fourth quarter of FY 2009. The department sponsors CSIRT activities at no cost to state agencies.
For monthly summary reporting, the department provides a web-based Security Incident Reporting System (SIRS) for the use of all state entities that are required to provide monthly summary reports of security events. The department maintains, updates and provides training for the SIRS reporting tool at no cost to state agencies and institutions of higher education. Additionally, the department coordinates with supporting vendors to provide compatible security incident reporting using automated network security monitoring tools to ease the work load of state security personnel at no cost to state agencies and institutions of higher education.
D. Technical corrections in numbering, definitions, terminology, word usage, consistency, and clarifications
The following provisions are affected: §§2054.051, 2054.052 and 2054.121, Texas Government Code.
There are no costs for agencies and institutions of higher education to implement these administrative changes.
PART IV. COMMENTS; AGENCY CERTIFICATION
Comments on the proposed rule changes may be submitted to Renee Mauzy, General Counsel, 300 West 15th Street, Suite 1300, Austin, Texas 78701, or to renee.mauzy@dir.state.tx.us. Comments will be accepted for 30 days after publication in the Texas Register.
SUBCHAPTER A. DEFINITIONS
The amendments are proposed pursuant to §2054.052(a), Texas Government Code, which authorizes the department to adopt rules as necessary to implement its responsibilities under Chapter 2054, Texas Government Code.
No other statutes, codes, or articles are affected by this proposal.
§202.1.Applicable Terms and Technologies for Information Security.
The following words and terms, when used in this chapter, shall have the following meanings, unless the context clearly indicates otherwise.
(1) Access--The physical or logical capability to [To approach,] interact with, or otherwise make use of information resources.
(2) Business Continuity Planning--The process of identifying mission critical data systems and business functions, analyzing the risks and probabilities of service disruptions and developing procedures to restore those systems and functions.
(3) Confidential Information--Information that must be protected from unauthorized disclosure or public release based on state or federal law (e.g. the Texas Public Information Act, and other constitutional, statutory, judicial, and legal agreement requirements). [Information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.]
(4) Control--A safeguard or protective action, device, policy, procedure, technique, or other measure prescribed to meet security requirements (i.e., confidentiality, integrity, and availability) that may be specified for a set of information resources. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. [Any action, device, policy, procedure, technique, or other measure that improves security.]
(5) Custodian of an Information Resource--A person responsible for implementing the information owner-defined controls and access to an information resource. Custodians may include state employees, vendors, and any third party acting as an agent of, or otherwise on behalf of the state entity.
(6) Department--The Department of Information Resources.
(7) DMZ--A network area created between the public Internet and internal private network(s). This neutral zone is usually delineated by some combination of routers, firewalls, and other hosts. A DMZ usually includes devices that are accessible to Internet traffic.
(8) Electronic Communication--A process used to convey a message or exchange information via electronic media. It includes the use of electronic mail (email), Internet access, Instant Messaging (IM), Short Message Service (SMS), facsimile transmission, and other paperless means of communication.
(9) Encryption (encrypt, encipher, or encode)--The conversion of plaintext information into a code or cipher text using a variable, called a "key" and processing those items through a fixed algorithm to create the encrypted text that conceals the data's original meaning.
(10) Firewall--A software or hardware device or system that filters communications between networks that have different security domains based on a defined set of rules. A firewall may be configured to deny, permit, encrypt, decrypt, or serve as an intermediary (proxy) for network traffic.
(11) Information Owner--A person with statutory or operational authority for specified information (e.g., supporting a specific business function) and responsibility for establishing the controls for its generation, collection, processing, access, dissemination, and disposal. The Information Owner may also be responsible for other information resources including personnel, equipment, and information technology that support the Information Owner's business function.
(12) [(7)] Information Resources--Is defined in §2054.003(7), Government Code and/or other applicable state or federal legislation.
(13) [(8)] Information Security Program--The elements, structure, objectives, and resources that establish an information resources security function within an institution of higher education, or state agency.
(14) Intrusion Detection System (IDS)--Hardware or a software application that can be installed on network devices or host operating systems to monitor network traffic and host log entries for signs of known and likely methods of intruder activity and attacks. Suspicious activities trigger administrator alarms and other configurable responses.
(15) Intrusion Prevention System (IPS)--Hardware or a software application that can be installed on a network or host operating system to monitor network and/or system activities for malicious or unwanted behavior and can automatically block or prevent those activities. (Firewalls, routers, IDS devices, and anti-virus gateways all may have IPS capabilities). IPS can make access control decisions based on application content.
(16) [(9)] Mission Critical Information--Information that [is confidential or] is defined by the institution of higher education, or state agency to be essential to the institution of higher education, or state agency function(s).
[(10) Owner of an Information Resource--A person responsible:]
[(A) For a business function; and]
[(B) For determining controls and access to information resources supporting that business function.]
(17) [(11)] Platform--The foundation technology of a computer system. The hardware and systems software that together provide support for an application program. (Ref: Practices for Protecting Information Resources Assets.)
(18) Risk Assessment--The process of identifying, evaluating, and documenting the level of impact that may result from the operation of an information system on an organization's mission, functions, image, reputation, assets, or individuals. Risk assessment incorporates threat and vulnerability analyses and considers mitigations provided by planned or in-place security controls.
(19) Risk Management--Decisions to accept risk exposures or to reduce vulnerabilities and to align information resources risk exposure with the organization's risk tolerance.
(20) Router--A device or, in some cases, software in a computer, that determines the next network point to which a packet should be forwarded toward its destination. The router is connected to at least two networks and decides which way to send each information packet based on its current understanding of the state of the networks to which it is connected. A router is located at any intersection where one network meets another.
(21) Sanitize--A process to remove information from media such that data recovery is not possible. It includes removing all confidential labels, markings, and activity logs as specified in applicable National Institute of Standards and Technology Special Publication (NIST SP) 800-88 or U.S. Department of Defense 5220.22-M guidelines and standards for media sanitization.
[(12) Restricted Personal Information--Includes an individual's social security number, or data protected under state or federal law (e.g., financial, medical or student data).]
[(13) Sanitized--Overwriting data using software tools and procedures to comply with the U.S. Department of Defense 5220.22-M standard for disk-sanitization. For specific types storage media see Department of Defense 5220.22-M §8-500. Software and Data, Table 1 Clearing and Sanitization Data Storage]
(22) [(14)] Security Incident--An event which results in accidental or deliberate unauthorized access, loss, disclosure, modification, disruption, or destruction of information resources [whether accidental or deliberate].
(23) Sensitive Personal Information--A category of personal identity information as defined by §521.002(a)(2), Business and Commerce Code.
[(15) Security Risk Analysis--The process of identifying and documenting vulnerabilities and applicable threats to information resources.]
[(16) Security Risk Assessment--The process of evaluating the results of the risk analysis by projecting losses, assigning levels of risk, and recommending appropriate measures to protect information resources.]
[(17) Security Risk Management--Decisions to accept exposures or to reduce vulnerabilities.]
(24) [(18)] Storage Device--Any fixed or removable device that contains data and maintains the data after power is removed from the device, such as a DVD/CD-ROM, external or internal hard drive, Universal Serial Bus (USB) flash drive, memory card, or media player.
(25) [(19)] Test--A simulated or otherwise documented event ["real-live" incident] for which results and records are kept [of the incident].
(26) Threat--Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
(27) [(20)] User of an Information Resource--An individual or automated application authorized to access an information resource in accordance with the information owner-defined controls and access rules.
(28) [(21)] Vulnerability Assessment--A documented evaluation containing information described in §2054.077(b), Government Code [measurement of vulnerability] which includes the susceptibility of a particular system to a specific attack [and the opportunities available to a threat agent to mount that attack].
[(22) Vulnerability Report--A computer related report containing information described in §2054.077(b), Government Code, as that section may be amended from time to time.]
(29) [(23)] Wireless Access--Using one or more of the following technologies to access the information resources systems of a state agency or institution of higher education:
(A) Wireless Local Area Networks--Based on the IEEE 802.11 family of standards.
(B) Wireless Personal Area Networks--Based on the Bluetooth and/or InfraRed (IR) technologies.
(C) Wireless Handheld Devices--Includes text-messaging devices, Personal Digital Assistants (PDAs), and smart phones. NIST SP 800-48 provides an overview of Wireless Network Security 802.11 technologies and provides guidelines to reduce the risks associated with Bluetooth and Handheld Devices.
[(24) Wireless Security Guidelines--The National Institute of Standards and Technology Special Publication 800-48, Wireless Network Security 802.11, Bluetooth and Handheld Devices.]
This agency hereby certifies that the proposal has been reviewed by legal counsel and found to be within the agency's legal authority to adopt.
Filed with the Office of the Secretary of State on May 21, 2009.
TRD-200901999
Renee Mauzy
General Counsel
Department of Information Resources
Earliest possible date of adoption: July 5, 2009
For further information, please call: (512) 475-4750
The amendments are proposed pursuant to §2054.052(a), Texas Government Code, which authorizes the department to adopt rules as necessary to implement its responsibilities under Chapter 2054, Texas Government Code.
No other statutes, codes, or articles are affected by this proposal.
§202.20.Security Standards Policy.
The following are policies of the State of Texas that apply to all state agencies. Each state agency should apply the Security Standards Policy based on documented [security] risk management decisions:
(1) Information resources residing in the various state agencies of state government are strategic and vital assets belonging to the people of Texas. These assets shall [must] be available and protected commensurate with the value of the assets. Measures shall be taken to protect these assets against unauthorized access, disclosure, modification or destruction, whether accidental or deliberate, as well as to assure the availability, integrity, utility, authenticity, and confidentiality of information. Access to state information resources shall [must] be appropriately managed.
(2) All state agencies are required to have an information resources security program consistent with these standards, and the state agency's head is responsible for the protection of information resources.
(3) All individuals are accountable for their actions relating to information resources. Information resources shall be used only for intended purposes as defined by the state agency and consistent with applicable laws.
(4) Risks to information resources shall [must] be managed. The expense of security safeguards shall [must] be commensurate with the value of the assets being protected.
(5) The integrity of data, its source, its destination, and processes applied to it shall [must] be assured. Changes to data shall [must] be made only in an authorized manner.
(6) Information resources shall [must] be available when needed. Continuity of information resources supporting critical governmental services must be ensured in the event of a disaster or business disruption.
(7) Security requirements shall be identified, documented, and addressed in all phases of development or acquisition of information resources.
(8) State agencies shall [must] ensure adequate controls and separation of duties for tasks that are susceptible to fraudulent or other unauthorized activity.
§202.21.Management and Staff Responsibilities.
(a) The state agency head or his or her designated representative(s) shall review and approve information ownership and associated responsibilities to include personnel, equipment, or information technology hardware and software. [ownership of information resources and their associated responsibilities.]
(b) [The owner of an information resource, with the state agency head's or his or her designated representative's(s') concurrence, is responsible for classifying business functional information.] State agencies are responsible for defining all information classification categories except the Confidential Information category, which is defined in Subchapter A of this chapter, and establishing the appropriate controls for each.
(c) Information owners [Owners], custodians, and users of information resources shall be identified, and their responsibilities defined and documented by the state agency. In cases where information resources are used by more than one major business function, the owners shall reach consensus and advise the information security officer [function] as to the designated owner with responsibility for the information resources. The following distinctions among owner, custodian, and user responsibilities should guide determination of these roles:
(1) Information Owner Responsibilities. The owner or his or her designated representative(s) [representatives(s)] are responsible for and authorized to:
(A) Approve access and formally assign custody of an information resources asset.[;]
(B) Determine the asset's value.[;]
(C) Specify data control requirements and convey them to users and custodians.[;]
(D) Specify appropriate controls, based on a risk assessment, to protect the state's information resources from unauthorized modification, deletion, or disclosure. Controls shall extend to information resources and services outsourced by the state agency.
(E) Confirm that controls are in place to ensure the confidentiality, integrity, and availability of data and other assigned information resources [accuracy, authenticity, and integrity of data].
[(F) Ensure compliance with applicable controls;]
(F) [(G)] Assign custody of information resources assets and provide appropriate authority to implement security controls and procedures.
(G) [(H)] Review access lists based on documented [security] risk management decisions.
(H) Approve, justify, document, and be accountable for exceptions to security controls. The information owner shall coordinate exceptions to security controls with the agency information security officer or other person(s) designated by the state agency head.
(I) The information owner, with the concurrence of the state agency head or his or her designated representative(s), is responsible for classifying business functional information.
(2) Custodian responsibilities. Custodians of information resources, including third party entities providing outsourced information resources services to state agencies shall [must]:
(A) Implement the controls specified by the information owner(s);
(B) Provide physical, technical, and procedural safeguards for the information resources;
(C) Assist owners in evaluating the cost-effectiveness of controls and monitoring; and
(D) Implement [the] monitoring techniques and procedures for detecting, reporting, and investigating incidents.
(3) User responsibilities. Users of information resources shall use the resources only for defined purposes and comply with established controls.
(d) The Information Security Officer. Each state agency head or his or her designated representative(s) shall designate an information security officer to administer the state agency information security program. The Information Security Officer shall report to executive level management.
(1) It shall be the duty and responsibility of this individual to develop and recommend policies and establish procedures and practices, in cooperation with owners and custodians, necessary to ensure the security of information resources assets against unauthorized or accidental modification, destruction, or disclosure.
(2) The Information Security Officer shall document and maintain an up-to-date information security program. The information security program shall [must] be approved by the state agency head or his or her designated representative(s).
(3) The Information Security Officer is responsible for monitoring the effectiveness of defined controls for mission critical information and shall verify that appropriate security controls are in place for all major information resources projects, including those projects being provided for a state agency, in whole or in part, by a state agency contractor, as required by §§2054.304 - 2054.307, Government Code.
(4) The Information Security Officer shall report, at least annually, to the state agency head or his or her designated representative(s) the status and effectiveness of information resources security controls.
(5) The Information Security Officer with the approval of the state agency head or his or her designated representative may issue exceptions to information security requirements or controls in this chapter. Any such exceptions shall be justified, documented and communicated as part of the risk assessment process.
(e) A review of the state agency's information security program for compliance with these standards will be performed at least annually, based on business risk management decisions, by individual(s) independent of the information security program and designated by the state agency head or his or her designated representative(s).
§202.22.Managing Security Risks.
(a) A [security] risk assessment [analysis] of information resources shall be performed and documented. The [security] risk assessment [analysis] shall be updated based on the inherent risk. The inherent risk and frequency of the [security] risk assessment [analysis] will be ranked, at a minimum, as either "High," "Medium," or "Low," based primarily on the following criteria:
(1) High Risk-annual assessment--Information resources that:[;]
(A) Involve large dollar amounts or significantly important transactions, such that business or government processes would be hindered or an impact on public health or safety would occur if the transactions were not processed timely and accurately, or
(B) Contain confidential or other [sensitive] data such that unauthorized disclosure would cause real damage to the parties involved, or
(C) Impact a large number of people or interconnected systems.
(2) Medium Risk-biennial assessment--Information resources that:[;]
(A) Transact or control a moderate or low dollar value, or
(B) Data items that could potentially embarrass or create problems for the parties involved if released, or
(C) Impact a moderate proportion of the customer base.
(3) Low Risk-biennial assessment--Information resources that:[;]
(A) Publish generally available public information, or
(B) Result in a relatively small impact on the population.
(b) A system change could cause the overall classification to move to another risk level.
(c) Risk [Security risk] assessment results, vulnerability reports, and similar information shall be documented and presented to the state agency head or his or her designated representative(s) [representative]. The state agency head or his or her designated representative(s) shall make the final [security] risk management decisions to either accept exposures or protect the data according to its value/sensitivity. The state agency head or his or her designated representative(s) shall [must] approve the security risk management plan. This information may be exempt from disclosure under §2054.077(c) [§2054.77(c)], Government Code.
§202.23.Managing Physical Security.
(a) The agency head or his or her designated representative(s) shall document and manage physical access to mission critical information resources facilities to ensure the protection of information resources from unlawful or unauthorized access, use, modification or destruction.
(b) The state agency head or designated representative(s) shall review physical security measures for information resources at least annually as part of the risk assessment process.
[(a) Physical access to mission critical information resources facilities shall be managed and documented by the state agency head or his or her designated representative(s).]
[(b) Reviews of physical security measures for information resources shall be conducted annually by the state agency head or designated representative(s).]
(c) Information resources shall be protected from environmental hazards. Designated employees shall be trained to monitor environmental control procedures and equipment and shall be trained in desired response in case of emergencies or equipment problems.
(d) Written emergency procedures shall be developed, updated, and tested at least annually.
(e) State agencies will refer to the State Office of Risk Management for applicable rules and guidelines.
§202.24.Business Continuity Planning.
(a) Business Continuity Planning covers all business functions of a state agency. It [and it] is a business management responsibility. State agencies shall maintain written Business Continuity Plans that address information resources so that the effects of a disaster will be minimized, and the state agency will be able either to maintain or quickly resume mission-critical functions. [should maintain a written Business Continuity Plan so that the effects of a disaster will be minimized, and the state agency will be able to either maintain or quickly resume mission-critical functions.] The state agency head or his or her designated representative(s) shall approve the plan [Plan]. The plan [Plan] shall be distributed to key personnel and a copy stored offsite. Elements of the plan [Plan] for information resources shall include:
(1) Business Impact Analysis to systematically assess the potential impacts of a loss of business functionality due to an interruption of computing and/or infrastructure support services resulting from various events or incidents. The analysis shall identify the following elements [address maximum tolerable downtime for time-critical support services and resources including, but not limited to]:
(A) Mission Critical Information Resources (specific system resources required to perform critical functions) to include:
(i) Internal and external points of contact for personnel that provide or receive data or support interconnected systems.
(ii) Supporting infrastructure such as electric power, telecommunications connections, and environmental controls.
(B) Disruption impacts and allowable outage times to include:
(i) Effects of an outage over time to assess the maximum allowable time that a resource may be denied before it prevents or inhibits the performance of an essential function.
(ii) Effects of an outage across related resources and dependent systems to assess cascading effects on associated systems or processes.
(C) Recovery priorities that consider geographic areas, accessibility, security, environment, and cost and may include a combination of:
(i) Preventive controls and processes such as backup power, excess capacity, environmental sensors and alarms.
(ii) Recovery techniques and technologies such as backup methodologies, alternate sites, software and hardware equipment replacement, implementation roles and responsibilities.
[(A) Personnel;]
[(B) Facilities;]
[(C) Technology platforms (all computer systems);]
[(D) Software;]
[(E) Information resources security utilities;]
[(F) Data networks and equipment;]
[(G) Voice networks and equipment;]
[(H) Vital electronic records and/or data.]
(2) [Security] Risk Assessment to weigh the cost of implementing preventative measures against the risk of loss from not taking action.
[(3) Recovery Strategy to appraise recovery alternatives and alternative cost-estimates which shall be presented to management.]
(3) [(4)] Implementation, testing, and maintenance management program addressing the initial and ongoing testing and maintenance activities of the plan [Plan].
(4) [(5)] Disaster Recovery Plan--Each state agency shall maintain a written disaster recovery plan for major or catastrophic events that deny access to information resources for an extended period. Information learned from tests conducted since the plan was last updated will be used in updating the disaster recovery plan. The disaster recovery plan will:
(A) Contain measures which address the impact and magnitude of loss or harm that will result from an interruption;
(B) Identify recovery resources and a source for each;
(C) Contain step-by-step implementation instructions [for implementing the Plan];
(D) Include provisions for annual testing.
[(D) Be maintained to ensure currency; and]
[(E) Be tested either formally or informally at least annually.]
(b) Mission critical information [data] shall be backed up on a scheduled basis and stored off site in a secure, environmentally safe, locked facility accessible only to authorized state agency representatives.
§202.25.Information Resources Security Safeguards.
State agencies shall apply the following Information Resources Security Safeguards based on documented risk management decisions. Any exception to the following safeguards shall be approved, justified and documented in accordance with §202.21(c)(1)(H) and (d)(5) of this chapter. [The following Information Resources Security Safeguards should apply to state agencies based on documented security risk management decisions.]
(1) Manage access [Access] to information resources [shall be managed] to ensure authorized use.
(2) Confidentiality of data and systems.
(A) Confidential information shall be accessible only to authorized users. An information file or record [Information] containing any confidential information [data] shall be identified, documented, and protected in its entirety in accordance with §202.20(1) of this chapter.
(B) Information resources assigned from one state agency to another, or from a state agency to a contractor or other third party, shall be protected in accordance with the conditions imposed by the providing state agency.
(3) Identification/Authentication.
(A) Each user of information resources shall be assigned a unique identifier except for situations where risk analysis demonstrates no need for individual accountability of users. User identification shall be authenticated before the information resources system may grant that user access.
(B) A user's access authorization shall be appropriately modified or removed when the user's employment or job responsibilities within the state agency change.
(C) Information resources systems shall contain authentication controls that comply with documented state agency [security] risk management decisions.
(D) Information resources systems which use passwords shall be based on industry best practices on password usage and documented state agency [security] risk management decisions.
(E) For electronic communications where the identity of a sender or the contents of a message shall [must] be authenticated, the use of digital signatures is encouraged. Agencies should refer to guidelines and rules issued by the department for further information. (Ref. 1 TAC [T.A.C.,] Chapter 203[. Additional information and guidelines are included in PART 2: Risks Pertaining to Electronic Transactions and Signed Records in "The Guidelines for the Management of Electronic Transactions and Signed Records" that are available at http://www.dir.state.tx.us/UETA_Guideline.htm].)
(4) Encryption. Encryption requirements for information storage devices and data transmissions, as well as specific requirements for portable devices, removable media, and encryption key standards and management shall be based on documented state agency risk management decisions. [Encryption for storage and transmission of information shall be used based on documented state agency security risk management decisions.]
(A) Confidential information that is transmitted through a public network (e.g., Internet) shall be encrypted.
(B) Confidential information should not be copied to, or stored on, a portable computing device, removable media, or a non-agency owned computing device that is not encrypted.
(C) An agency may also choose to implement additional protections for other data classifications that may include encryption.
(5) Auditing.
(A) Information resources systems shall [must] provide the means whereby authorized personnel have the ability to audit and establish individual accountability for any action that can potentially cause access to, generation of, modification of, or effect the release of confidential information.
(B) Appropriate audit trails shall be maintained to provide accountability for updates to mission critical information, hardware and software and for all changes to automated security or access rules.
(C) Based on the [security] risk assessment, a sufficiently complete history of transactions shall be maintained to permit an audit of the information resources system by logging and tracing the activities of individuals through the system.
(6) Systems development, acquisition, and testing.
(A) Test environments [functions] shall be kept either physically or logically separate from production environments [functions]. Copies of production data shall not be used for testing unless the data has been authorized for public release [declassified] or unless all custodians [state and independent contractor employees] involved in testing are otherwise authorized access to the data.
(B) Information security, security testing, and audit controls shall be included in all phases of the system development lifecycle or acquisition process.
(C) All security-related information resources changes shall be approved by the information owner through a change control [quality assurance] process. Approval shall [must] occur prior to implementation by the state agency or independent contractors.
(7) Security Policies. Each state agency head or his/her designated representative and information security officer shall create, distribute, and implement information security policies. The following policies are recommended; however, state agencies may elect not to implement some of the policies based on documented risk management decisions and business functions. These policies are not all inclusive and may be combined topically.
(A) Acceptable Use--Defines scope, behavior, and practices; compliance monitoring pertaining to users of information resources.
(B) Account Management--Defines the rules for establishing user identity, administering user accounts, and establishing and monitoring user access to information resources. [Establishes the rules for administration of user accounts.]
(C) Administrator/Special Access--Establishes rules for the creation, use, monitoring, control, and removal of accounts with special access privileges.
(D) Application Security--Establishes processes and coding practices to ensure development, deployment, and maintenance of secure applications.
(E) [(D)] Backup/Recovery--Establishes
the rules for the backup, storage, and recovery of electronic information.
(F) [(E)] Change or Configuration
Management--Establishes the process for controlling modifications
to hardware, software, firmware, and documentation to ensure the information
resources are protected against improper modification before, during,
and after system implementation.
(G) [(F)] Electronic Communication--Establishes prudent and acceptable practices regarding the use of electronic communications for the sending, receiving, or storing of electronic messages. [Email--Establishes prudent and acceptable practices regarding the use of email for the sending, receiving, or storing of electronic mail.] Ensures compliance with applicable statutes, regulations, and mandates. [The policy shall prohibit sending an individual's name along with any restricted personal information unless the data (individual's name and restricted personal information) is encrypted.]
(H) Encryption--Establishes encryption controls for agency-specified data classifications (e.g., confidential information), portable devices, removable media, transmission security, and encryption key standards and management.
(I) Firewall--Describes how to manage and update the handling of network traffic coming into and going out of the security domain. The firewall policy should address:
(i) Virtual and physical architecture;
(ii) Protocols and applications that are permitted through the firewall, both inbound and outbound;
(iii) Traffic monitoring rule set;
(iv) Assignment of responsibility for monitoring and enforcing the firewall policy;
(v) Approval process for updating or changing rule sets; and
(vi) Auditing and testing to verify a firewall's configuration, rule set accuracy, and effectiveness.
(J) [(G)] Incident Management--Describes the requirements for dealing with computer security incidents including prevention, detection, response, [and] remediation, and reporting.
(K) Identification/Authentication--Establishes the rules for verifying the identity of a user, process, or device, as a prerequisite for granting access to resources in an information system, e.g., something you know (password), something you have (coded identity card), or something you are (biometric information).
(L) [(H)] Internet/Intranet Use--Establishes
prudent and acceptable practices regarding the use of the Internet
and Intranet.
(M) [(I)] Intrusion Detection--Establishes
requirements for auditing, logging, and monitoring to detect attempts
to bypass the security mechanisms of information resources.
(N) [(J)] Network Access--Establishes
the rules for the access and use of the network infrastructure.
(O) [(K)] Network Configuration--Establishes
the rules for the maintenance, expansion, and use of the network infrastructure.
[(L) Password/Authentication--Establishes
the rules for the creation, use, distribution, safeguarding, termination,
and recovery of user authentication mechanisms.]
(P) [(M)] Physical Access--Establishes
the rules for the granting, control, monitoring, and removal of physical
access to information resources.
(Q) [(N)] Portable Computing--Establishes
the rules for the use of mobile computing devices and their connection
to the network.
(R) [(O)] Privacy--Methodologies
used to establish the limits and expectations regarding privacy for
the users of information resources.
(S) [(P)] Security Monitoring--Defines
a process that ensures information resources security controls are
in place, are effective, and are not being bypassed.
(T) [(Q)] Security Awareness
and Training--Establishes the requirements to ensure each user of
information resources receives adequate training on computer security issues.
(U) Platform Management--Establishes the requirements and the procedures for installing, configuring, maintaining, patching, and monitoring the integrity of a platform in a secure fashion.
[(R) Platform Hardening--Establishes
the requirements for installing and maintaining the integrity of a
platform in a secure fashion.]
(V) [(S)] Authorized Software--Establishes
the rules for software use on information resources.
(W) [(T)] System Development
and Acquisition--Describes the security and business continuity requirements
in the systems development and acquisition life cycle.
(X) Third Party Access--Establishes the rules for contractor, vendor, and other third party access to information resources, support services and responsibilities for protection of information.
[(U) Vendor Access--Establishes the
rules for vendor access to information resources, support services
(Air Conditioning, Universal Power Supply, Power Distribution Unit,
fire suppression, etc.), and vendor responsibilities for protection
of information.]
(Y) [(V)] Malicious Code--Describes the requirements for prevention, detection, response, and recovery from the effects of malicious code (including but not limited to viruses, worms, Trojan Horses, and unauthorized code used to circumvent safeguards[.]).
(Z) [(W)] Wireless Access--Establishes the requirements and security restrictions for installing or providing access to the state agency information resources systems. Using the Wireless Security Guidelines identified in §202.1(29) of this chapter [wireless security guidelines], the policy shall address the following topic [topics] areas:
(i) [For] Wireless Local Area Networks. Ensure[, ensure] that Service Set Identifiers (SSID) values are changed from the manufacturer default setting. Some networks should not include organizational or location information in the SSID. Additional equipment configuration recommendations are included in the Wireless Security Guidelines.
(ii) Types of information that may be transmitted via
wireless networks and devices with or without encryption including
mission critical information or sensitive personal information.
State agencies shall not transmit confidential information via
a wireless connection to, or from a portable computing device unless
encryption methods, such as a Virtual Private Network (VPN), Wi-Fi
Protected Access, or other secure encryption protocols that meet appropriate
protection or certification standards, are used to protect the information.
[allow access to confidential information, mission critical
information or restricted personal information unless the cryptographic
keys used are larger than 80-bits (See §3.3 Security of 802.11
Wireless LANs in the Wireless Security Guidelines).]
[(iii) Types of information that may
be stored on laptop computers or wireless handheld devices with or
without encryption.]
(iii) [(iv)] Prohibit and
periodically monitor any unauthorized installation or use [the
installation] of Wireless Personal Area Networks on state agency
IT systems by individuals without the approval of the state agency
information resources manager.
(AA) [(X)] Vulnerability Assessment--Establishes the requirements to conduct periodic network, operating system, and application vulnerability assessments. [information vulnerability assessments and specific focus areas for the assessments based on the results of the security risk assessment.]
(8) Perimeter Security Controls. Each state agency
head or his/her designated representative and information security
officer shall establish a security strategy that includes perimeter
protection. The department will provide security information management
services to include external network monitoring, scanning, and alerting
for each agency that utilizes State information resources as specified
in Chapters 2054 and 2059, Government Code. Perimeter security controls
may include some or all of the following components: DMZ, firewall,
intrusion detection or prevention system, or router. [perimeter
protection strategy to include some or all of the following components:]
[(A) DMZ (Demilitarized Zone)--The
DMZ is the network area created between the public Internet and internal
private network(s). This neutral zone is usually delineated by some
combination of routers, firewalls, and bastion hosts. Typically, the
DMZ contains devices accessible to Internet traffic, such as Web (HTTP)
servers, FTP servers, SMTP (email) servers, and DNS servers.]
[(B) Firewall--A system designed to
prevent unauthorized access to or from a private network. Firewalls
can be implemented in both hardware and software, or a combination
of both and are used to prevent unauthorized Internet users from accessing
private networks connected to the Internet, especially Intranets.
They can also regulate traffic between networks within the same state
agency.]
[(C) Intrusion Detection System--Hardware
and/or software which is installed on a network and compares network
traffic and host log entries to the known and likely methods of attackers.
Suspicious activities trigger administrator alarms and other configurable
responses.]
[(D) Router--A device or, in some
cases, software in a computer, that determines the next network point
to which a packet should be forwarded toward its destination. The
router is connected to at least two networks and decides which way
to send each information packet based on its current understanding
of the state of the networks to which it is connected. A router is
located at any gateway where one network meets another.]
(9) System Identification/Logon Banner. System identification/logon banners shall have warning statements that include the following topics:
(A) Unauthorized use is prohibited;
(B) Usage may be subject to security testing and monitoring;
(C) Misuse is subject to criminal prosecution; and
(D) Users have no [No] expectation
of privacy except as otherwise provided by applicable privacy laws.
§202.26.Security Incidents.
(a) Each state agency shall assess the significance of a security incident based on the business impact on the affected resources and the current and potential technical effect of the incident, e.g., loss of revenue, productivity, access to services, reputation, unauthorized disclosure of confidential information, or propagation to other networks. Security incidents shall be promptly reported to immediate supervisors and the agency Information Security Officer. Security incidents that require timely reporting to the department include those events that are assessed to:
(1) Propagate to other state systems;
(2) Result in criminal violations that shall be reported to law enforcement; or
(3) Involve the unauthorized disclosure or modification of confidential information, e.g., sensitive personal information as defined in §521.002(a)(2), Business and Commerce Code, and other applicable laws that may require public notification.
(b) If the security incident is assessed to involve suspected criminal activity (e.g., violations of Chapters 33, Penal Code (Computer Crimes) or Chapter 33A, Penal Code (Telecommunications Crimes)), the security incident shall be investigated, reported, and documented in a manner that restores operation promptly while meeting the legal requirements for handling of evidence.
(c) Depending on the criticality of the incident, it will not always be feasible to gather all the information prior to reporting. In such cases, incident response teams should continue to report information to the department as it is collected. The department shall instruct state agencies as to the manner in which they shall report such information to the department. Supporting vendors or other third parties that report security incident information to an agency shall submit such reports to the agency in the form and manner specified by the department, unless otherwise directed by the agency.
(d) Summary reports of security-related events shall be sent to the department on a monthly basis no later than nine (9) calendar days after the end of the month. Agencies shall submit summary security incident reports in the form and manner specified by the department. Supporting vendors or other third parties that report security incident information to an agency shall submit such reports to the agency in the form and manner specified by the department, unless otherwise directed by the agency.
[(a) Security incidents shall be promptly
investigated and documented. Security incidents shall be reported
to the department within twenty-four hours if there is a substantial
likelihood that such incidents are critical in nature and could be
propagated to other state systems beyond the control of the state
agency.]
[(b) If criminal action is suspected,
the state agency must contact the appropriate law enforcement and
investigative authorities immediately.]
[(c) Each state agency shall provide
summary reports to the department that contain information concerning
violations of security policy of which the state agency has become
aware. A state agency shall not be required to report security incidents
unless it reasonably believes such incidents may involve criminal
activity under Texas Penal Code Chapters 33 (Computer Crimes) or 33A
(Telecommunications Crimes). Reports should include:]
[(1) Type of activity, including but not limited to:]
[(A) Unwanted disruption or denial of service;]
[(B) Unauthorized use of a system for the processing or storage of data; and]
[(C) Changes made to system hardware, firmware, data or software without the state agency's effective consent.]
[(2) Time elapsed between initial detection of incident and containment of the security breach or full restoration of adversely affected functions, whichever is later;]
[(3) Description of the state agency's response to the incident; and]
[(4) Estimated total cost incurred by the state agency in containing the security incident or restoring adversely affected functions.]
[(d) Reports must be sent to the department
on a monthly basis no later than nine (9) calendar days after the
end of the month. Information shall be reported in the form and manner
specified by the department.]
[(e) The department shall establish
internal security procedures regarding the receipt and maintenance
of information pertaining to security incidents. The department shall
instruct state agencies as to the manner in which they must report
such information.]
This agency hereby certifies that the proposal has been reviewed by legal counsel and found to be within the agency's legal authority to adopt.
Filed with the Office of the Secretary of State on May 21, 2009.
TRD-200902000
Renee Mauzy
General Counsel
Department of Information Resources
Earliest possible date of adoption: July 5, 2009
For further information, please call: (512) 475-4750
The amendments are proposed pursuant to §2054.052(a), Texas Government Code, which authorizes the department to adopt rules as necessary to implement its responsibilities under Chapter 2054, Texas Government Code.
No other statutes, codes, or articles are affected by this proposal.
§202.70.Security Standards Policy.
The following are policies of the State of Texas that apply
to all state institutions of higher education. Each institution of
higher education should apply the Security Standards Policy based
on documented [security] risk management decisions:
(1) Information resources residing in the various institutions of higher education of state government are strategic and vital assets belonging to the people of Texas. These assets shall [must] be available and protected commensurate with the value of the assets. Measures shall be taken to protect these assets against unauthorized access, disclosure, modification or destruction, whether accidental or deliberate, as well as to assure the availability, integrity, utility, authenticity, and confidentiality of information. Access to state information resources shall [must] be appropriately managed.
(2) All institutions of higher education are required to have an information resources security program consistent with these standards, and the institution of higher education head is responsible for the protection of information resources.
(3) All individuals are accountable for their actions relating to information resources. Information resources shall be used only for intended purposes as defined by the institution of higher education and consistent with applicable laws.
(4) Risks to information resources shall [must] be managed. The expense of security safeguards shall [must] be commensurate with the value of the assets being protected.
(5) The integrity of data, its source, its destination,
and processes applied to it shall [must] be
assured. Changes to data shall [must] be made
only in an authorized manner.
(6) Information resources shall [must]
be available when needed. Continuity of information resources supporting
critical governmental services shall [must]
be ensured in the event of a disaster or business disruption.
(7) Security requirements shall be identified, documented, and addressed in all phases of development or acquisition of information resources.
(8) Institutions of higher education shall [must] ensure adequate controls and separation of duties for tasks that are susceptible to fraudulent or other unauthorized activity.
§202.71.Management and Staff Responsibilities.
(a) The institution of higher education head or his
or her designated representative(s) shall review and approve information
ownership and associated responsibilities to include personnel, equipment,
or information technology hardware and software [ownership
of information resources and their associated responsibilities].
(b) [The owner of an information resource, with
the institution of higher education head's or his or her designated
representative(s') concurrence, is responsible for classifying business
functional information.] Institutions of higher education are
responsible for defining all information classification categories
except the Confidential Information category, which is defined in
Subchapter A of this chapter, and establishing the appropriate
controls for each.
(c) Information owners [Owners],
custodians, and users of information resources shall be identified,
and their responsibilities defined and documented by the institution
of higher education. In cases where information resources are used
by more than one major business function, the owners shall reach consensus
and advise the information security officer [function]
as to the designated owner with responsibility for the information
resources. The following distinctions among owner, custodian, and
user responsibilities should guide determination of these roles:
(1) Information Owner Responsibilities.
The owner or his or her designated representative(s) [representatives(s)] are responsible for and authorized to:
(A) Approve access and formally assign custody of an
information resources asset.[;]
(B) Determine the asset's value.[;]
(C) Specify data control requirements and convey them
to users and custodians.[;]
(D) Specify appropriate controls, based on a risk assessment, to protect the state's information resources from unauthorized modification, deletion, or disclosure. Controls shall extend to information resources and services outsourced by the institution of higher education.
(E) Confirm that controls are in place to ensure the
confidentiality, integrity, and availability of data and other assigned
information resources [accuracy, authenticity, and integrity
of data].
[(F) Ensure compliance with applicable controls;]
(F) [(G)] Assign custody of information
resources assets and provide appropriate authority to implement security
controls and procedures.
(G) [(H)] Review access lists
based on documented security risk management decisions.
(H) Approve, justify, document, and be accountable for exceptions to security controls. The information owner shall coordinate exceptions to security controls with the information security officer or other person(s) designated by the state institution of higher education head.
(I) The information owner, with the concurrence of the institution of higher education head or his or her designated representative(s), is responsible for classifying business functional information.
(2) Custodian responsibilities. Custodians of information
resources, including third party entities providing outsourced
information resources services to state institutions of higher education
shall [must]:
(A) Implement the controls specified by the information owner(s);
(B) Provide physical, technical, and procedural safeguards for the information resources;
(C) Assist information owners in evaluating the cost-effectiveness of controls and monitoring; and
(D) Implement [the] monitoring techniques
and procedures for detecting, reporting, and investigating incidents.
(3) User responsibilities. Users of information resources shall use the resources only for defined purposes and comply with established controls.
(d) The Information Security Officer. Each institution of higher education head or his or her designated representative(s) shall designate an information security officer to administer the institution of higher education information security program. The Information Security Officer shall report to executive management.
(1) It shall be the duty and responsibility of this individual to develop and recommend policies and establish procedures and practices, in cooperation with information owners and custodians, necessary to ensure the security of information resources assets against unauthorized or accidental modification, destruction, or disclosure.
(2) The Information Security Officer shall document
and maintain an up-to-date information security program. The information
security program shall [must] be approved by
the institution of higher education head or his or her designated
representative(s).
(3) The Information Security Officer is responsible for monitoring the effectiveness of defined controls for mission critical information.
(4) The Information Security Officer shall report, at least annually, to the institution of higher education head or his or her designated representative(s) the status and effectiveness of information resources security controls.
(5) The Information Security Officer with the approval of the institution of higher education head or his or her designated representative may issue exceptions to information security requirements or controls in this chapter. Any such exceptions shall be justified, documented, and communicated as part of the risk assessment process.
(e) A review of the institution of higher education's information security program for compliance with these standards will be performed at least biennially, based on business risk management decisions, by individual(s) independent of the information security program and designated by the institution of higher education head or his or her designated representative(s).
§202.72.Managing Security Risks.
(a) A [security] risk assessment [analysis] of information resources shall be performed and documented. The [security] risk assessment [analysis] shall be updated based on the inherent risk. The inherent risk and frequency of the [security] risk assessment [analysis] will be ranked, at a minimum, as either "High," "Medium," or "Low," based primarily on the following criteria:
(1) High Risk-annual assessment--Information resources
that:[;]
(A) Involve large dollar amounts or significantly important transactions, such that business or government processes would be hindered or an impact on public health or safety would occur if the transactions were not processed timely and accurately, or
(B) Contain confidential or other [sensitive
] data such that unauthorized disclosure would cause real damage
to the parties involved, or
(C) Impact a large number of people or interconnected systems.
(2) Medium Risk-biennial assessment--Information resources
that:[;]
(A) Transact or control a moderate or low dollar value, or
(B) Data items that could potentially embarrass or create problems for the parties involved if released, or
(C) Impact a moderate proportion of the customer base.
(3) Low Risk-biennial assessment--Information resources
that:[;]
(A) Publish generally available public information, or
(B) Result in a relatively small impact on the population.
(b) A system change could cause the overall classification to move to another risk level.
(c) Risk [Security risk] assessment results, vulnerability reports, and similar information shall be documented and presented to the institution of higher education head or his or her designated representative. The institution of higher education head or his or her designated representative(s) shall make the final [security] risk management decisions to either accept exposures or protect the data according to its value/sensitivity. The institution of higher education head or his or her designated representative(s) shall [must] approve the security risk management plan. This information may be exempt from disclosure under §2054.077(c) [§2054.77(c)], Government Code.
§202.73.Managing Physical Security.
(a) The institution of higher education head or his or her designated representative(s) shall document and manage physical access to mission critical information resources facilities to ensure the protection of information resources from unlawful or unauthorized access, use, modification or destruction.
(b) The institution of higher education head or designated representative(s) shall review physical security measures for information resources at least annually as part of the risk assessment process.
[(a) Physical access to mission critical
information resources facilities shall be managed and documented by
the institution of higher education head or his or her designated
representative(s).]
[(b) Reviews of physical security measures for information resources shall be conducted annually by the institution of higher education head or designated representative(s).]
(c) Information resources shall be protected from environmental hazards. Designated employees shall be trained to monitor environmental control procedures and equipment and shall be trained in desired response in case of emergencies or equipment problems.
(d) Written emergency procedures shall be developed, updated, and tested at least annually.
(e) Institutions of higher education will refer to the State Office of Risk Management for applicable rules and guidelines.
§202.74.Business Continuity Planning.
(a) Business Continuity Planning covers all business functions of an institution of higher education. It [and it] is a business management responsibility. Institutions of higher education shall maintain written Business Continuity Plans that address information resources so that the effects of a disaster will be minimized, and the institution of higher education will be able to either maintain or quickly resume mission-critical functions. [should maintain a written Business Continuity Plan so that the effects of a disaster will be minimized, and the institution of higher education will be able to either maintain or quickly resume mission-critical functions.] The institution of higher education head or his or her designated representative(s) shall approve the plan [Plan]. The plan [Plan] shall be distributed to key personnel and a copy stored offsite. Elements of the plan [Plan] for information resources shall include:
(1) Business Impact Analysis to systematically assess
the potential impacts of a loss of business functionality due to an
interruption of computing and/or infrastructure support services resulting
from various events or incidents. The analysis shall identify
the following elements [address maximum tolerable downtime
for time-critical support services and resources including, but not
limited to]:
(A) Mission Critical Information Resources (specific system resources required to perform critical functions) to include:
(i) Internal and external points of contact for personnel that provide or receive data, or support interconnected systems.
(ii) Supporting infrastructure such as electric power, telecommunications connections, and environmental controls.
(B) Disruption impacts and allowable outage times to include:
(i) Effects of an outage over time to assess the maximum allowable time that a resource may be denied before it prevents or inhibits the performance of an essential function.
(ii) Effects of an outage across related resources and dependent systems to assess cascading effects on associated systems or processes.
(C) Recovery priorities that consider geographic areas, accessibility, security, environment, and cost and may include a combination of:
(i) Preventive controls and processes such as backup power, excess capacity, environmental sensors and alarms.
(ii) Recovery techniques and technologies such as backup methodologies, alternate sites, software and hardware equipment replacement, implementation roles and responsibilities.
[(A) Personnel;]
[(B) Facilities;]
[(C) Technology platforms (all computer systems);]
[(D) Software;]
[(E) Information resources security utilities;]
[(F) Data networks and equipment;]
[(G) Voice networks and equipment;]
[(H) Vital electronic records and/or data]
(2) [Security] Risk Assessment to weigh the cost of implementing preventative measures against the risk of loss from not taking action.
[(3) Recovery Strategy to appraise
recovery alternatives and alternative cost-estimates which shall be
presented to management.]
(3) [(4)] Implementation, testing,
and maintenance management program addressing the initial and ongoing
testing and maintenance activities of the plan [Plan].
(4) [(5)] Disaster Recovery Plan--Each
institution of higher education shall maintain a written disaster
recovery plan for major or catastrophic events that deny access to
information resources for an extended period.
Information learned from tests conducted since the plan was last updated
will be used in updating the disaster recovery plan. The disaster
recovery plan will:
(A) Contain measures which address the impact and magnitude of loss or harm that will result from an interruption;
(B) Identify recovery resources and a source for each;
(C) Contain step-by-step implementation instructions; and
[for implementing the Plan;]
(D) Include provisions for annual testing.
[(D) Be maintained to ensure currency; and]
[(E) Be tested either formally or
informally at least annually.]
(b) Mission critical information [data]
shall be backed up on a scheduled basis and stored off site in a secure,
environmentally safe, locked facility accessible only to authorized
institution of higher education representatives.
§202.75.Information Resources Security Safeguards.
State institutions of higher education shall apply the following Information Resources Security Safeguards based on documented risk management decisions. Any exception to the following safeguards shall be approved, justified and documented in accordance with §202.71(c)(1)(H) and (d)(5) of this chapter. [The following Information Resources Security Safeguards should apply to state institutions of higher education based on documented security risk management decisions.]
(1) Manage access [Access] to
information resources [shall be managed] to ensure authorized
use.
(2) Confidentiality of data and systems.
(A) Confidential information shall be accessible only
to authorized users. An information file or record containing
any confidential information shall be identified, documented, and
protected in its entirety in accordance with §202.70(1) of this
chapter. [Information containing any confidential information
shall be identified, documented, and protected in accordance with
1 TAC §202.70(1).]
(B) Information resources assigned from one institution of higher education to another, or from an institution of higher education to a contractor or other third party, shall be protected in accordance with the conditions imposed by the providing institution of higher education.
(3) Identification/Authentication.
(A) Each user of information resources shall be assigned a unique identifier except for situations where risk analysis demonstrates no need for individual accountability of users. User identification shall be authenticated before the information resources system may grant that user access.
(B) A user's access authorization shall be appropriately modified or removed when the user's employment or job responsibilities within the institution of higher education change.
(C) Information resources systems shall contain authentication
controls that comply with documented institution of higher education
[security] risk management decisions.
(D) Information resources systems which use passwords
shall be based on industry best practices on password usage and documented
institution of higher education [security] risk management
decisions.
(E) For electronic communications where the identity
of a sender or the contents of a message must be authenticated, the
use of digital signatures is encouraged. Institutions of higher education
should refer to guidelines and rules issued by the department for
further information. (Ref. 1 TAC Chapter 203[. Additional information
and guidelines are included in PART 2: Risks Pertaining to Electronic
Transactions and Signed Records in "The Guidelines for the Management
of Electronic Transactions and Signed Records" that are available
at http://www.dir.state.tx.us/UETA_Guideline.htm].)
(4) Encryption. Encryption requirements for information
storage devices and data transmissions, as well as specific requirements
for portable devices, removable media, and encryption key standards
and management shall be based on documented institution of higher
education risk management decisions. [Encryption for storage
and transmission of information shall be used based on documented
institution of higher education security risk management decisions.]
(A) Confidential information that is transmitted through a public network (e.g., Internet) shall be encrypted.
(B) Confidential information should not be copied to, or stored on, a portable computing device, removable media, or a non-state owned computing device that is not encrypted.
(C) An institution of higher education may also choose to implement additional protections for other data classifications that may include encryption.
(5) Auditing.
(A) Information resources systems shall [must] provide the means whereby authorized personnel have the ability
to audit and establish individual accountability for any action that
can potentially cause access to, generation of, modification of, or
effect the release of confidential information.
(B) Appropriate audit trails shall be maintained to provide accountability for updates to mission critical information, hardware and software and for all changes to automated security or access rules.
(C) Based on the [security] risk assessment,
a sufficiently complete history of transactions shall be maintained
to permit an audit of the information resources system by logging
and tracing the activities of individuals through the system.
(6) Systems development, acquisition, and testing.
(A) Test environments [functions]
shall be kept either physically or logically separate from production
environments [functions]. Copies of production data
shall not be used for testing unless the data has been authorized
for public release [declassified] or unless all
custodians [state and independent contractor employees] involved in testing are otherwise authorized access to the data.
(B) Information security, security testing, and audit controls shall be included in all phases of the system development lifecycle or acquisition process.
(C) All security-related information resources changes
shall be approved by the information owner through a
change control [quality assurance] process. Approval
shall [must] occur prior to implementation by the institution
of higher education or independent contractors.
(7) Security Policies. Each institution of higher education
head or his/her designated representative and information security
officer shall create, distribute, and implement information security
policies. The following policies are recommended; however, institutions
of higher education may elect not to implement some of the policies
based on documented [security] risk management decisions
and business functions. These policies are not all inclusive and may
be combined topically.
(A) Acceptable Use--Defines scope, behavior, and practices; compliance monitoring pertaining to users of information resources.
(B) Account Management--Defines the rules for
establishing user identity, administering user accounts, and establishing
and monitoring user access to information resources. [Establishes the rules for administration of user accounts.]
(C) Administrator/Special Access--Establishes rules for the creation, use, monitoring, control, and removal of accounts with special access privileges.
(D) Application Security--Establishes processes and coding practices to ensure development, deployment, and maintenance of secure applications.
(E) [(D)] Backup/Recovery--Establishes
the rules for the backup, storage, and recovery of electronic information.
(F) [(E)] Change or Configuration
Management--Establishes the process for controlling modifications
to hardware, software, firmware, and documentation to ensure the information
resources are protected against improper modification before, during,
and after system implementation.
(G) Electronic communication--Establishes prudent and acceptable practices regarding the use of electronic communications for the sending, receiving, or storing of electronic messages. Ensures compliance with applicable statutes, regulations, and mandates.
(H) Encryption--Establishes encryption controls for institution of higher education-specified data classifications (e.g., confidential information), portable devices, removable media, transmission security, and encryption key standards and management.
(I) Firewall--Describes how to manage network traffic coming into and going out of the security domain. The firewall policy should address:
(i) Virtual and physical architecture;
(ii) Protocols and applications that are permitted through the firewall, both inbound and outbound;
(iii) Traffic monitoring rule set;
(iv) Assignment of responsibility for monitoring and enforcing the firewall policy;
(v) Approval process for updating or changing rule sets; and
(vi) Auditing and testing to verify a firewall's configuration, rule set accuracy, and effectiveness.
[(F) Email--Establishes prudent and
acceptable practices regarding the use of email for the sending, receiving,
or storing of electronic mail. Ensures compliance with applicable
statutes, regulations, and mandates. The policy shall prohibit sending
an individual's name and restricted personal information unless the
data is encrypted.]
(J) [(G)] Incident Management--Describes
the requirements for dealing with computer security incidents including
prevention, detection, response, [and] remediation,
and reporting.
(K) Identification/Authentication--Establishes the rules for verifying the identity of a user, process, or device, as a prerequisite for granting access to resources in an information system, e.g., something you know (password), something you have (coded identity card), or something you are (biometric information).
(L) [(H)] Internet/Intranet Use--Establishes
prudent and acceptable practices regarding the use of the Internet
and Intranet.
(M) [(I)] Intrusion Detection--Establishes
requirements for auditing, logging, and monitoring to detect attempts
to bypass the security mechanisms of information resources.
(N) [(J)] Network Access--Establishes
the rules for the access and use of the network infrastructure.
(O) [(K)] Network Configuration--Establishes
the rules for the maintenance, expansion, and use of the network infrastructure.
[(L) Password/Authentication--Establishes
the rules for the creation, use, distribution, safeguarding, termination,
and recovery of user authentication mechanisms.]
(P) [(M)] Physical Access--Establishes
the rules for the granting, control, monitoring, and removal of physical
access to information resources.
(Q) [(N)] Portable Computing--Establishes
the rules for the use of mobile computing devices and their connection
to the network.
(R) [(O)] Privacy--Methodologies
used to establish the limits and expectations regarding privacy for
the users of information resources.
(S) [(P)] Security Monitoring--Defines
a process that ensures information resources security controls are
in place, are effective, and are not being bypassed.
(T) [(Q)] Security Awareness
and Training--Establishes the requirements to ensure each user of
information resources receives adequate training on computer security issues.
(U) Platform Management--Establishes the requirements and the procedures for installing, configuring, maintaining, patching, and monitoring the integrity of a platform in a secure fashion.
[(R) Platform Hardening--Establishes
the requirements for installing and maintaining the integrity of a
platform in a secure fashion.]
(V) [(S)] Authorized Software--Establishes
the rules for software use on information resources.
(W) [(T)] System Development
and Acquisition--Describes the security and business continuity requirements
in the systems development and acquisition life cycle.
(X) Third Party Access--Establishes the rules for contractor, vendor, and other third party access to information resources, support services and responsibilities for protection of information.
[(U) Vendor Access--Establishes the
rules for vendor access to information resources, support services
(Air Conditioning, Universal Power Supply, Power Distribution Unit,
fire suppression, etc.), and vendor responsibilities for protection
of information.]
(Y) [(V)] Malicious Code--Describes
the requirements for prevention, detection, response, and recovery
from the effects of malicious code (including but not limited to viruses,
worms, Trojan Horses, and unauthorized code used to circumvent safeguards).
(Z) [(W)] Wireless Access--Establishes
the requirements and security restrictions for installing or providing
access to the institution of higher education information resources
systems. Using the
Wireless Security Guidelines identified in §202.1(29)
of this chapter [wireless security guidelines], the
policy shall address the following topic [topics] areas:
(i) [For] Wireless Local Area Networks. Ensure[, ensure] that Service Set Identifiers (SSID)
values are changed from the manufacturer default setting. Some networks
should not include organizational or location information in the SSID.
Additional equipment configuration recommendations are included in
the Wireless Security Guidelines.
(ii) Types of information that may be transmitted via
wireless networks and devices with or without encryption including
mission critical information or sensitive personal information. Institutions
of higher education shall not transmit confidential information via
a wireless connection to, or from a portable computing device unless
encryption methods, such as a Virtual Private Network (VPN), Wi-Fi
Protected Access, or other secure encryption protocols that meet appropriate
protection or certification standards, are used to protect the information.
[Institutions of higher education shall not allow access
to confidential information, mission critical information or restricted
personal information unless the cryptographic keys used are larger
than 80-bits (See §3.3 Security of 802.11 Wireless LANs in the
Wireless Security Guidelines).]
[(iii) Types of information that may
be stored on laptop computers or wireless handheld devices with or
without encryption.]
(iii) [(iv)] Prohibit and
periodically monitor any unauthorized installation or use [the
installation] of Wireless Personal Area Networks on institution
of higher education IT systems by individuals without the approval
of the institution of higher education information resources manager.
(AA) [(X)] Vulnerability Assessment--Establishes
the requirements to conduct periodic network, operating system,
and application vulnerability assessments. [information
vulnerability assessments and specific focus areas for the assessments
based on the results of the security risk assessment.]
(8) Perimeter Security Controls. Each institution of higher education head or his/her designated representative and information security officer shall establish a perimeter protection strategy to include some or all of the following components: DMZ, firewall, intrusion detection or prevention system, or router.
[(A) DMZ (Demilitarized Zone)--The
DMZ is the network area created between the public Internet and internal
private network(s). This neutral zone is usually delineated by some
combination of routers, firewalls, and bastion hosts. Typically, the
DMZ contains devices accessible to Internet traffic, such as Web (HTTP)
servers, FTP servers, SMTP (email) servers, and DNS servers.]
[(B) Firewall--A system designed to
prevent unauthorized access to or from a private network. Firewalls
can be implemented in both hardware and software, or a combination
of both and are used to prevent unauthorized Internet users from accessing
private networks connected to the Internet, especially Intranets.
They can also regulate traffic between networks within the same institution
of higher education.]
[(C) Intrusion Detection System--Hardware
and/or software which is installed on a network and compares network
traffic and host log entries to the known and likely methods of attackers.
Suspicious activities trigger administrator alarms and other configurable
responses.]
[(D) Router--A device or, in some
cases, software in a computer, that determines the next network point
to which a packet should be forwarded toward its destination. The
router is connected to at least two networks and decides which way
to send each information packet based on its current understanding
of the state of the networks to which it is connected. A router is
located at any gateway where one network meets another.]
(9) System Identification/Logon Banner. System identification/logon banners shall have warning statements that include the following topics:
(A) Unauthorized use is prohibited;
(B) Usage may be subject to security testing and monitoring;
(C) Misuse is subject to criminal prosecution; and
(D) Users have no [No] expectation
of privacy except as otherwise provided by applicable privacy laws.
§202.76.Security Incidents.
(a) Each institution of higher education shall assess the significance of a security incident based on the business impact on the affected resources and the current and potential technical effect of the incident, e.g., loss of revenue, productivity, access to services, reputation, unauthorized disclosure of confidential information, or propagation to other networks. Security incidents shall be promptly reported to immediate supervisors and the institution of higher education Information Security Officer. Security incidents that require timely reporting to the department include those events that are assessed to:
(1) Propagate to other state systems;
(2) Result in criminal violations that shall be reported to law enforcement; or
(3) Involve the unauthorized disclosure or modification of confidential information, e.g., sensitive personal information as defined in §521.002(a)(2), Business and Commerce Code, and other applicable laws that may require public notification.
(b) If criminal action is suspected (e.g., violations of Chapter 33, Penal Code (Computer Crimes) or Chapter 33A, Penal Code (Telecommunications Crimes)), the institution of higher education shall contact the appropriate law enforcement and investigative authorities immediately. Such security incidents shall be investigated and documented in a manner that restores operation promptly while meeting the legal requirements for handling of evidence.
(c) Depending on the criticality of the incident, it will not always be feasible to gather all the information prior to reporting. In such cases, incident response teams should continue to report information to the department as it is collected. The department shall instruct institutions of higher education as to the manner in which they shall report such information to the department. Supporting vendors or other third parties that report security incident information to an institution of higher education shall submit such reports to the institution of higher education in the form and manner specified by the department, unless otherwise directed by the institution of higher education.
(d) Summary reports of security-related events shall be sent to the department on a monthly basis no later than nine calendar days after the end of the month. Institutions of higher education shall submit summary security incident reports in the form and manner specified by the department. Supporting vendors or other third parties that report security incident information to an institution of higher education shall submit such reports to the institution of higher education in the form and manner specified by the department, unless otherwise directed by the institution of higher education.
[(a) Security incidents shall be promptly
investigated and documented. Security incidents shall be reported
to the department within twenty-four hours if the institution determines
that there is a substantial likelihood that such incidents are critical
in nature and could be propagated to other state systems beyond the
control of the institution of higher education.]
[(b) If criminal action is suspected,
the institution of higher education must contact the appropriate law
enforcement and investigative authorities immediately.]
[(c) Each institution of higher education
shall provide summary reports to the department that contain information
concerning violations of security policy of which the institution
of higher education has become aware. An institution of higher education
shall not be required to report security incidents unless it reasonably
believes such incidents may involve criminal activity under Texas
Penal Code Chapters 33 (Computer Crimes) or 33A (Telecommunications
Crimes). Reports should include:]
[(1) Type of activity, including but not limited to:]
[(A) Unwanted disruption or denial of service;]
[(B) Unauthorized use of a system for the processing or storage of data; and]
[(C) Changes made to system hardware, firmware, data or software without the institution of higher education's effective consent.]
[(2) Time elapsed between initial detection of incident and containment of the security breach or full restoration of adversely affected functions, whichever is later;]
[(3) Description of the institution of higher education's response to the incident; and]
[(4) Estimated total cost incurred by the institution of higher education in containing the security incident or restoring adversely affected functions.]
[(d) Reports must be sent to the department
on a monthly basis no later than the ninth (9th) calendar day after
the end of the month. Information shall be reported in the form and
manner specified by the department.]
[(e) The department shall establish
internal security procedures regarding the receipt and maintenance
of information pertaining to security incidents. The department shall
instruct institutions of higher education as to the manner in which
they must report such information.]
This agency hereby certifies that the proposal has been reviewed by legal counsel and found to be within the agency's legal authority to adopt.
Filed with the Office of the Secretary of State on May 21, 2009.
TRD-200902001
Renee Mauzy
General Counsel
Department of Information Resources
Earliest possible date of adoption: July 5, 2009
For further information, please call: (512) 475-4750