1 TAC §201.13
The Department of Information Resources (department) proposes
deleting subsection (a) of §201.13 concerning geographic information
system standards. This amendment is proposed so that the rule relating to
geographic information standards is a separate rule rather than a part of §201.13,
which is already a lengthy rule dealing with information resource standards.
Due to extensive revisions to the content of subsection (a), the department
will propose new rule §201.6 concerning geographic information standards
for comment in a separate proposed rulemaking.
The remaining amendment to §201.13 is not substantive. It merely
renumbers existing subsections (b), (c) and (d) as subsections (a), (b) and
(c), respectively.
The proposed amendment to delete §201.13(a) is proposed in accordance
with Texas Government Code §2054.052(a), which provides the department
may adopt rules as necessary to implement its responsibilities and Water Code §16.021(b),
which requires the department to develop rules related to statewide geo-spatial
data and technology standards.
Mr. Eddie Esquivel, director of the Enterprise Operations Division, has
determined that for each year of the first five years the amended rule will
be in effect, there will be no fiscal implications for state government as
a result of enforcing or administering the proposed amendment to delete subsection
(a) of §201.13. There will be no fiscal implications for local government
as a result of enforcing or administering the proposed rule.
Mr. Esquivel has determined that for each year of the first five years
the amended rule will be in effect, the benefit to the public will be clarification
of §201.13 through the shortening of the rule. There will be no effect
on small businesses. Mr. Esquivel believes that there is no additional anticipated
economic cost to persons who are required to comply with the amended rule.
Comments on the proposed amendment to §201.13 may be submitted to
Renee Mauzy, General Counsel, Department of Information Resources, via mail
to P.O. Box 13564, Austin, Texas 78711, or electronically to renee.mauzy@dir.state.tx.us
no later than 5:00 p.m., within 30 days after publication.
The proposed amendment to delete subsection (a) of §201.13
is proposed under Texas Government Code §2054.052(a), which authorizes
the department to adopt rules as necessary to carry out its responsibilities
under the Information Resources Management Act, and Water Code §16.021(b),
which requires the department to develop rules related to statewide geo-spatial
data and technology standards.
Water Code §16.021(b) is affected by the proposed amendment.
§201.13.Information Resource Standards.
[(a) Geographic information systems standards.]
[(1) Applicability.]
[(A) All digital spatial data users and developers of new geographic information
systems in state agencies and universities must comply with the technical standards
specified in the Standards and Guidelines for Geographic Information Systems in the
State of Texas.]
[(B) An institution of higher education, as defined by the Education Code, §61.003,
will be exempted from these standards when geographic information systems are
acquired solely for instructional purposes.]
[(C) Currently operating systems which are structurally unable to comply are not
required to retrofit to these standards.]
[(2) Waivers.]
[(A) A waiver shall be granted to any state agency due to any order of a court of
competent jurisdiction when the ordered period of compliance is less than 90 days;
or any act of exemption by the Texas Legislature.]
[(B) Letter applications for waivers will be made in writing to the department by
the agency information resources manager (IRM). Within 10 days after initial receipt
of the waiver request, the department will notify the submitting state agency of all
supporting information the department requires to conduct its review. The date of
receipt of the waiver application is either the initial date of arrival of the
request, or the date that any supporting or other information, if requested, is
received. Review shall commence on the date of receipt. The department will conduct
its review within 30 days after the date of its receipt, evaluate the applications,
and grant or deny these waiver requests based on an analysis of the particular
circumstances or environment. Consultation with the Geographic Information Systems
Standards Committee will be included in the waiver process on an as-needed basis,
and the committee will review all waivers at their semiannual meetings.]
[(C) The acquisition of software which cannot support these standards will not be
grounds for a waiver.]
[(3) Adoption by reference. The Standards and Guidelines for Geographic Information
Systems in the State of Texas, herein adopted by reference, may be obtained from the
Department of Information Resources, P.O. Box 13564, Austin, Texas 78711.]
[(4) Submittal procedures. The agency Information Resource Manager (IRM) will
certify that geographic information systems development in the agency adheres to the
"Standards and Guidelines for Geographic Information Systems in the State of Texas."]
[(5) Review procedures.]
[(A) The certification will be reviewed by the department and the Geographic
Information Systems Standards Committee to determine compliance and agency
comprehension of the standards. Review procedures and any subsequent on-site
assessment will be consistent with §7 of the Standards and Guidelines for Geographic
Information Systems in the State of Texas.]
[(B) The agencies may also request a peer review be performed at any time during
the year. Upon receiving such a request, the department will schedule a review as
soon as possible.]
(a) [(b)] Information Security Standards.
(1)
Applicability. The following rule constitutes required
minimum security standards for the protection of information resources for
agencies of the State of Texas. All agencies are required to have an information
resources security program consistent with these standards. Copies of this
standard may be obtained from the Department of Information Resources, P.O.
Box 13564, Austin, Texas 78711, or from the Department's Internet web page
at http://www.dir.state.tx.us.
(2)
Definitions. The following words and terms, when used with
this subsection, shall have the following meanings, unless the context clearly
indicates otherwise.
(A)
Access--To approach, view, instruct, communicate with,
store data in, retrieve data from, or otherwise make use of information resources.
(B)
Confidential Information--Information that is excepted
from disclosure requirements under the provisions of the Texas Public Information
Act or other applicable state or federal law.
(C)
Control--A protective action, device, policy, procedure,
technique, or other measure that reduces exposure.
(D)
Custodian of an Information Resource--A person responsible
for implementing owner-defined controls and access to an information resource.
(E)
Information Security Function--The elements, structure,
objectives, and resources that establish an agency-level information resources
security program.
(F)
Mission Critical Information--Information that is defined
by the agency to be essential to the agency's function(s).
(G)
Owner of an Information Resource--A person responsible:
(i)
for a business function; and
(ii)
for determining controls and access to information resources
supporting that business function.
(H)
Security Risk Analysis--The process of identifying and
documenting vulnerabilities and applicable threats to information resources.
(I)
Security Risk Assessment--The process of evaluating the
results of the risk analysis by projecting losses, assigning levels of risk,
and recommending appropriate measures to protect information resources.
(J)
Security Risk Management--Decisions to accept exposures
or to reduce vulnerabilities by either mitigating risks or applying cost effective
controls.
(K)
Security Incident or Breach--An event which results in
unauthorized access, loss, disclosure, modification, or destruction of information
resources whether accidental or deliberate.
(L)
User of an Information Resource--An individual or automated
application authorized to access an information resource in accordance with
the owner-defined controls and access rules.
(3)
Policy. It is the policy of the State of Texas that:
(A)
Information resources residing in the various agencies
of state government are strategic and vital assets belonging to the people
of Texas. These assets must be available and protected commensurate with the
value of the assets. Measures shall be taken to protect these assets against
accidental or unauthorized access, disclosure, modification or destruction,
as well as to assure the availability, integrity, utility, authenticity and
confidentiality of information. Access to state information resources must
be appropriately managed.
(B)
The agency head is responsible for the protection of information
resources.
(C)
All individuals are accountable for their actions relating
to information resources. Information resources shall be used only for intended
purposes as defined by the agency and consistent with applicable laws.
(D)
Risks to information resources must be managed. The expense
of security safeguards must be commensurate with the value of the assets being
protected.
(E)
The integrity of data, its source, its destination, and
processes applied to it must be assured. Changes to data must be made only
in authorized and acceptable ways.
(F)
Information resources must be available when needed. Continuity
of information resources supporting critical governmental services must be
ensured in the event of a disaster or business disruption.
(G)
Security requirements shall be identified, documented and
addressed in all phases of development or acquisition of information resources.
(H)
Agencies must ensure adequate controls and separation of
duties for tasks that are susceptible to fraudulent or other unauthorized
activity.
(4)
Classification of Information. Owners, with the agency
head's concurrence, are responsible for classifying program information. Agencies
are responsible for defining all information classification categories except
the Confidential Information category, which is defined in paragraph (2) of
this subsection, and establishing the appropriate controls for each.
(5)
Management and Staff Responsibilities. The agency head
or his or her designated representative(s) shall review and approve ownership
and the attendant responsibilities.
(A)
Owners, custodians, and users of information resources.
Owners, custodians and users of information resources shall be identified,
and their responsibilities defined and documented by the agency. In cases
where information resources are used by more than one major program, the owners
shall reach consensus and advise the information security function as to the
designated primary owner. The following distinctions among owner, custodian,
and user responsibilities should guide determination of these roles:
(i)
Owner Responsibilities. Owners are responsible and authorized
to: approve access and formally assign custody of an asset; judge the asset's
value; specify data control requirements and convey them to users and custodians;
and ensure compliance with applicable controls. Owners must specify appropriate
controls, based on risk assessment, to protect the state's information resources
from unauthorized modification, deletion or disclosure. Controls extend to
outsourced contracts. Owners must confirm that controls are in place to ensure
the accuracy and completeness of data. Owners shall assign custody of assets
and provide appropriate authority to implement security controls and procedures.
Owners are the authority on appropriate level of controls and the timing of
their implementation.
(ii)
Custodian responsibilities. Custodians of information
resources, including entities providing outsourced services to state agencies
must:
(I)
implement the controls specified by the owner(s);
(II)
provide physical and procedural safeguards for the information
resources;
(III)
assist owners in evaluating the cost-effectiveness of
controls and monitoring; and
(IV)
implement the monitoring techniques and procedures for
detecting, reporting and investigating breaches in information security.
(iii)
User responsibilities. Users of information resources
shall use the resource only for its defined purposes and comply with established
controls.
(B)
The information security function. Each agency head or
his or her designated representative shall institute an information security
function to administer the agency information security program.
(i)
It shall be the duty and responsibility of this function
to recommend policies and establish procedures and practices, in cooperation
with owners and custodians, necessary to ensure the security of information
assets against unauthorized or accidental modification, destruction or disclosure.
(ii)
The information security function shall document and maintain
an up-to-date information security program. The security program shall include
written descriptions of information resources security responsibilities, assigned
personnel resources, policies, guidelines, data security classification schemes,
standards and procedures for the protection of information resources. The
information security program must be approved by the agency head.
(iii)
The security function is responsible for monitoring the
effectiveness of defined controls for critical information.
(iv)
The security function shall report, at least biennially,
to the agency head or his or her designated representative the status and
effectiveness of information resources security controls.
(C)
A review of the agency's information security program for
compliance with these standards will be performed at least biennially by individual(s)
independent of the information security function and designated by the agency
head or the information resources manager.
(6)
Managing Risks.
(A)
A security risk analysis shall be performed and documented.
The security risk analysis shall be updated at least biennially. Security
risk assessment results shall be presented to the agency head or his or her
designated representative. The agency head shall make the final security risk
management decisions to accept exposures. The agency head must approve the
security risk management plan.
(B)
Each agency shall maintain a disaster recovery plan for
information resources. The disaster recovery plan will:
(i)
contain measures which address the impact and magnitude
of loss or harm that will result from an interruption;
(ii)
identify recovery resources and establish a source for
each;
(iii)
contain step-by-step instructions for implementing the
plan;
(iv)
be maintained to ensure currency; and
(v)
be tested at least annually.
(C)
Mission critical data shall be backed up on a scheduled
basis and stored off site.
(7)
Personnel and Contractor Practices.
(A)
All agency personnel, and employees of independent contractors
who may be deemed to be custodians or users, shall formally acknowledge that
they will comply with the security policies and procedures of the agency.
Information resource users who do not complete a formal acknowledgment shall
not be granted access to information resources. The agency head or their designated
representative will determine the method of acknowledgement and how often
this acknowledgment must be renewed.
(B)
Agencies shall use non-disclosure agreements to document
the acceptance by agency and contractor employees of special agency information
security requirements.
(C)
Agencies shall provide an ongoing information resources
security awareness education program for users whose duties bring them into
contact with mission critical information resources. Scheduled training shall
also be provided by the agency.
(D)
State agencies shall use new employee orientation to introduce
information resource security awareness and inform new employees of information
security policies and procedures. If an employee leaves or changes employment,
security privileges shall be appropriately modified to protect information
resources.
(8)
Physical Security.
(A)
Physical access to mission critical information resource
facilities shall be managed and documented.
(B)
Reviews of physical security measures for compliance with
these standards shall be conducted periodically by the agency head or designated
representatives.
(C)
Information resources shall be protected from environmental
hazards. Designated employees shall be trained to monitor environmental control
procedures and equipment and shall be trained in desired response in case
of emergencies or equipment problems.
(D)
Emergency procedures shall be developed and regularly tested.
(9)
Information Safeguards.
(A)
Access. Access shall be managed to ensure authorized use
of information resources. Security risk assessment shall be the basis of decisions
and policies regarding managed access to information resources.
(B)
Confidentiality of data and systems.
(i)
Confidential information shall be accessible only to authorized
users. Information containing any confidential data shall be identified, documented,
and protected in its entirety.
(ii)
Information resources assigned from one agency to another
shall be protected in accordance with the conditions imposed by the providing
agency.
(C)
Identification/Authentication.
(i)
Each user of information resources shall be assigned a
unique personal identifier or user identification except for situations where
risk analysis demonstrates no need for individual accountability of users.
User identification shall be authenticated before the system may grant that
user access.
(ii)
A user's access authorization shall be removed or appropriately
modified when the user's employment or role status changes.
(iii)
Systems shall contain authentication functions that comply
with documented security risk management decisions.
(iv)
Systems which use passwords shall be based on the existing
federal standard on password usage.
(v)
For written electronic communications sent to a state agency
where the identity of a sender or the contents of a message must be authenticated,
the use of digital signatures is also encouraged. Agencies should refer to
Texas Government Code, §2054.060, §201.14 of this title (relating
to Digital Signatures), and guidelines issued by the Department for further
information.
(D)
Encryption. Encryption techniques for storage and transmission
of information shall be used based on documented agency security risk management
decisions.
(E)
Ability to Audit.
(i)
Automated systems must provide the means whereby authorized
personnel have the ability to audit and establish individual accountability
for any action that can potentially cause access to, generation of, modification
of, or effect the release of confidential information.
(ii)
Appropriate audit trails shall be maintained to provide
accountability for updates to mission critical information, hardware and software
and for all changes to automated security or access rules.
(iii)
Appropriate audit trails shall be maintained for all
changes to automated security or access rules.
(iv)
Based on risk assessment, a sufficiently complete history
of transactions shall be maintained to permit an audit of the system by tracing
the activities of individuals through the system.
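Subparagraphs (C)(i) and (E)(ii)-(iv) above require that each actor be individually identified and authenticated before access, that every change to automated security or access rules leave an audit trail, and that the trail be complete enough to trace one individual's activity through the system. The following is an added example, not part of the rule and not code published by the department, of a small access-rule store that enforces all three: it refuses changes from unnamed or unauthenticated actors, writes an HMAC-chained audit record before applying each change, verifies the chain, and traces a single individual. The key, the resource and user names, and the choice of an HMAC chain for tamper evidence are assumptions of the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Key that makes the trail tamper-evident. Constructed for this example; a real
# deployment keeps it in a store the custodian, not the rule editors, controls.
TRAIL_KEY = b"example-audit-trail-key-not-for-production"
GENESIS = "0" * 64


class AccessRuleStore:
    """Access rules plus an append-only, hash-chained audit trail.

    Every change must come from an authenticated, individually identified actor
    ((9)(C)(i)); the change is recorded before the rule set is modified
    ((9)(E)(ii)-(iii)); trace() walks the trail for one individual ((9)(E)(iv)).
    """

    def __init__(self):
        self.rules = {}            # resource -> set of user ids allowed access
        self.trail = []            # audit records, oldest first
        self._prev_mac = GENESIS

    def _append(self, actor, action, resource, subject, when):
        record = {
            "seq": len(self.trail),
            "time": when.isoformat(),
            "actor": actor,        # the individual making the change
            "action": action,
            "resource": resource,
            "subject": subject,    # the user id being granted or revoked
            "prev": self._prev_mac,
        }
        body = json.dumps(record, sort_keys=True).encode()
        record["mac"] = hmac.new(TRAIL_KEY, body, hashlib.sha256).hexdigest()
        self.trail.append(record)
        self._prev_mac = record["mac"]

    def _change(self, actor, authenticated, action, resource, subject, when):
        if not actor or not authenticated:
            # (9)(C)(i): identification must be authenticated before access is granted
            raise PermissionError("rule changes require an authenticated individual")
        self._append(actor, action, resource, subject, when or datetime.now(timezone.utc))
        allowed = self.rules.setdefault(resource, set())
        if action == "grant":
            allowed.add(subject)
        else:
            allowed.discard(subject)

    def grant(self, actor, authenticated, resource, subject, when=None):
        self._change(actor, authenticated, "grant", resource, subject, when)

    def revoke(self, actor, authenticated, resource, subject, when=None):
        self._change(actor, authenticated, "revoke", resource, subject, when)

    def may_access(self, user, resource):
        return user in self.rules.get(resource, set())

    def verify_trail(self):
        """True if every record chains to its predecessor and carries a valid MAC."""
        prev = GENESIS
        for i, rec in enumerate(self.trail):
            body = {k: v for k, v in rec.items() if k != "mac"}
            if body.get("seq") != i or body.get("prev") != prev:
                return False
            expected = hmac.new(TRAIL_KEY, json.dumps(body, sort_keys=True).encode(),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, rec["mac"]):
                return False
            prev = rec["mac"]
        return True

    def trace(self, actor):
        """Every recorded action taken by one individual, in order."""
        return [r for r in self.trail if r["actor"] == actor]


def demo():
    """Constructed scenario: an IRM grants, then revokes, a clerk's access."""
    store = AccessRuleStore()
    t0 = datetime(2001, 3, 1, 9, 0, tzinfo=timezone.utc)
    store.grant("irm-jdoe", True, "payroll-db", "clerk-asmith", when=t0)
    store.revoke("irm-jdoe", True, "payroll-db", "clerk-asmith", when=t0)
    return store


def unauthenticated_change_is_refused():
    store = AccessRuleStore()
    try:
        store.grant("clerk-asmith", False, "payroll-db", "clerk-asmith")
    except PermissionError:
        return True
    return False


def tampering_is_detected():
    store = demo()
    store.trail[0]["subject"] = "mallory"   # alter the recorded grant after the fact
    return not store.verify_trail()
```

The chain only proves that nothing was altered after the fact by someone without the key; it does not replace keeping the trail on storage the rule editors cannot write to, which is the custodian's job under (5)(A)(ii).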
(F)
Security breaches.
(i)
Security breaches shall be investigated promptly and documented.
(ii)
If criminal action is suspected, the agency must contact
the appropriate law enforcement and investigative authorities immediately.
(iii)
Each state agency shall provide summary reports to the
department that contain information concerning violations of security policy
of which the agency has become aware. A state agency shall not be required
to report security violations unless the state agency reasonably believes
such violations may involve criminal activity under Texas Penal Code Chapters
33 (Computer Crimes) or 33A (Telecommunications Crimes), and there is a substantial
likelihood that such violations could be propagated to other systems beyond
the control of the state agency. Reports should include:
(I)
Type of activity, including but not limited to:
(-a-)
Unwanted disruption or denial of service;
(-b-)
Unauthorized use of a system for the processing or storage
of data; and
(-c-)
Changes made to system hardware, firmware, or software
without the agency's effective consent.
(II)
Time elapsed between initial detection of incident and
containment of the security breach or full restoration of adversely affected
functions, whichever is later;
(III)
Description of the state agency's response to the incident;
and
(IV)
Estimated total cost incurred by the state agency in containing
the security breach or restoring adversely affected functions.
(iv)
Reports must be sent to the department on a monthly basis
no later than the fifth (5th) working day after the end of the month. Upon
request of the department, each state agency shall provide to the department
any additional information regarding security violations. Information shall
be reported in the form and manner specified by the department at the following
address: http://www.dir.state.tx.us/IRAPC.
(v)
The Department shall establish internal security procedures
regarding the receipt of and maintenance of information pertaining to security
breaches. The Department shall instruct state agencies as to the manner in
which they must report such information. The instructions will specify that
reports must not contain any information which would itself compromise the
security of the reporting agency. The instructions shall be made available
via the world wide web at the following address: http://www.dir.state.tx.us/IRAPC
(vi)
The monthly reporting requirements established under this
subparagraph will automatically expire on August 31, 2001.
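Subparagraph (F)(iii)-(iv) fixes the content of the monthly summary: the three activity types, the time elapsed from initial detection to containment or full restoration (whichever is later), the response, and the cost, with the report due by the fifth working day after month end and required only where both the criminal-activity and the propagation conditions hold. The following is an added example, not the department's reporting form and not code from the rule, that applies those conditions to a set of incident records and builds the summary. The incident records are constructed, the field names are the example's own, and treating working days as Monday to Friday without state holidays is an assumption.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

# The three activity types listed in (9)(F)(iii)(I).
ACTIVITY_TYPES = {
    "disruption": "Unwanted disruption or denial of service",
    "unauthorized_use": "Unauthorized use of a system for the processing or storage of data",
    "unauthorized_change": "Changes made to system hardware, firmware, or software "
                           "without the agency's effective consent",
}


@dataclass
class Incident:
    ident: str                   # agency-internal id; no hostnames or addresses, see (9)(F)(v)
    activity: str                # key of ACTIVITY_TYPES
    detected: datetime
    contained: Optional[datetime]
    restored: Optional[datetime]
    response: str
    cost_usd: float
    suspected_criminal: bool     # Penal Code chapter 33 or 33A activity suspected
    propagation_likely: bool     # substantial likelihood of spread beyond agency control


def must_report(inc: Incident) -> bool:
    # Reporting is mandatory only when both conditions in (9)(F)(iii) hold.
    return inc.suspected_criminal and inc.propagation_likely


def elapsed_hours(inc: Incident) -> Optional[float]:
    """Hours from initial detection to containment or full restoration, whichever is later."""
    ends = [t for t in (inc.contained, inc.restored) if t is not None]
    if not ends:
        return None  # still open: neither containment nor restoration recorded yet
    return (max(ends) - inc.detected).total_seconds() / 3600


def report_due_date(year: int, month: int) -> date:
    """Fifth working day after the end of the month (Mon-Fri; holidays not handled)."""
    d = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    working = 0
    while True:
        if d.weekday() < 5:
            working += 1
            if working == 5:
                return d
        d += timedelta(days=1)


def monthly_summary(incidents, year: int, month: int) -> dict:
    rows = []
    for inc in incidents:
        if (inc.detected.year, inc.detected.month) != (year, month) or not must_report(inc):
            continue
        if inc.activity not in ACTIVITY_TYPES:
            raise ValueError(f"{inc.ident}: unknown activity type {inc.activity!r}")
        rows.append({
            "id": inc.ident,
            "type": ACTIVITY_TYPES[inc.activity],
            "hours_to_containment_or_restoration": elapsed_hours(inc),
            "response": inc.response,
            "cost_usd": inc.cost_usd,
        })
    return {
        "period": f"{year}-{month:02d}",
        "due": report_due_date(year, month).isoformat(),
        "incidents": rows,
        "total_cost_usd": sum(r["cost_usd"] for r in rows),
    }


# Constructed sample incidents (not real events).
SAMPLE_INCIDENTS = [
    Incident("INC-2001-031", "disruption",
             datetime(2001, 3, 10, 9, 0), datetime(2001, 3, 10, 15, 30), datetime(2001, 3, 12, 8, 0),
             "Filtered the flood at the border router; rebuilt the affected web server.",
             4200.0, suspected_criminal=True, propagation_likely=True),
    Incident("INC-2001-032", "unauthorized_use",
             datetime(2001, 3, 15, 11, 0), datetime(2001, 3, 15, 12, 0), None,
             "Employee stored personal files on a file server; handled as a policy matter.",
             150.0, suspected_criminal=False, propagation_likely=False),
    Incident("INC-2001-028", "unauthorized_change",
             datetime(2001, 2, 28, 22, 0), datetime(2001, 3, 1, 2, 0), datetime(2001, 3, 1, 6, 0),
             "Reimaged a workstation found running an unapproved kernel module.",
             900.0, suspected_criminal=True, propagation_likely=True),
]
```

The "whichever is later" rule matters in practice: an incident contained within hours but restored two days later reports the restoration interval, not the containment interval. The example keeps only an internal id and a narrative response in the rows, in keeping with (F)(v), which says the report itself must not contain information that would compromise the reporting agency.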
(G)
Systems development and testing.
(i)
Test functions shall be kept either physically or logically
separate from production functions. Copies of production data shall not be
used for testing unless the data has been declassified or unless all state
and contractor employees involved in testing are otherwise authorized access
to the data.
(ii)
Appropriate information security and audit controls shall
be incorporated into new systems. Each phase of systems acquisition shall
incorporate and document corresponding development or assurances of security
and auditable controls.
(iii)
All security-related information resource changes shall
be approved by the owner through a quality assurance process before implementation.
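Clause (G)(i) above allows production data into a test environment only once it has been declassified (or everyone involved is already authorized for it). The following is an added example, not the rule's or the department's code, of one way to produce such a copy: confidential fields are replaced by keyed, deterministic pseudonyms so that the test copy still joins across tables, and a separate check confirms that no confidential production value survives anywhere in the copy. The tables, the field classifications and the key are constructed for the example; which fields count as confidential remains the owner's decision under paragraph (4).

```python
import hashlib
import hmac

# Key held by the information owner, not by the testers; constructed here for the
# example. Without it, pseudonyms of low-entropy values (SSNs, dates) cannot be
# recovered by guessing inputs.
PSEUDONYM_KEY = b"owner-held-declassification-key-example-only"


def pseudonymize(field: str, value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed replacement: the same value maps to the same token in
    every table, so referential integrity survives, but the token reveals nothing."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field}-{mac[:12]}"


def declassify_record(record: dict, confidential_fields: set) -> dict:
    return {k: (pseudonymize(k, str(v)) if k in confidential_fields else v)
            for k, v in record.items()}


def declassify_dataset(tables: dict, confidential_fields: set) -> dict:
    """tables maps table name -> list of row dicts; returns the test copy."""
    return {name: [declassify_record(r, confidential_fields) for r in rows]
            for name, rows in tables.items()}


def leaked_values(production: dict, test: dict, confidential_fields: set) -> set:
    """Every confidential production value that still appears, anywhere, in the test copy."""
    secrets = {str(r[k]) for rows in production.values() for r in rows
               for k in confidential_fields if k in r}
    seen = {str(v) for rows in test.values() for r in rows for v in r.values()}
    return secrets & seen


# Constructed production sample (not real people). The owner has classified
# "ssn" and "home_address" as confidential; "employee_id" and "dept" are not.
PRODUCTION = {
    "employees": [
        {"employee_id": 1001, "ssn": "123-45-6789", "dept": "Payroll", "home_address": "1 Example St"},
        {"employee_id": 1002, "ssn": "987-65-4321", "dept": "Audit", "home_address": "2 Sample Ave"},
    ],
    "pay_runs": [
        {"run": "2001-03", "ssn": "123-45-6789", "gross": 3100.00},
        {"run": "2001-03", "ssn": "987-65-4321", "gross": 2950.00},
    ],
}
CONFIDENTIAL = {"ssn", "home_address"}


def make_test_copy() -> dict:
    return declassify_dataset(PRODUCTION, CONFIDENTIAL)
```

Pseudonymization only covers the fields the owner marked; a combination of non-confidential fields (department plus pay amount, say) can still identify a person, and the owner must judge that before signing off the copy as declassified.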
(10)
Data Communication Systems.
(A)
Network resource controls shall be implemented commensurate
with the security risk analysis.
(B)
System identification screens shall include warning statements
unless documented security risk analysis indicates otherwise. Warning statements
shall address the following topics:
(i)
unauthorized use is prohibited;
(ii)
usage may be subject to security testing and monitoring;
and
(iii)
misuse is subject to criminal prosecution.
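Subparagraph (B) above lists the three points every system identification screen must carry. The following is an added example, not a banner issued by the department, of a compliant banner text together with a check that can be run over the banner files already deployed on an agency's hosts to find the ones missing a required point. The pattern lists, the sample banners and the flagging of the word "welcome" (a widely followed practice for warning banners, not something the rule states) are the example's own.

```python
import re

# One or more patterns per required topic from (10)(B)(i)-(iii).
REQUIRED_TOPICS = {
    "unauthorized use is prohibited": [
        r"unauthori[sz]ed (use|access)[^.]{0,60}prohibited",
        r"authori[sz]ed (use|users|personnel) only",
    ],
    "usage may be subject to security testing and monitoring": [
        r"monitor",
        r"security testing",
    ],
    "misuse is subject to criminal prosecution": [
        r"prosecut",
        r"criminal",
    ],
}

# Wording that undermines a warning banner in practice (assumption, not from the rule).
DISCOURAGED_WORDS = [r"\bwelcome\b"]


def missing_topics(banner: str) -> list:
    """Required topics that no pattern matches in the banner text."""
    text = " ".join(banner.lower().split())
    return [topic for topic, patterns in REQUIRED_TOPICS.items()
            if not any(re.search(p, text) for p in patterns)]


def discouraged_words(banner: str) -> list:
    text = banner.lower()
    return [w for w in DISCOURAGED_WORDS if re.search(w, text)]


def is_compliant(banner: str) -> bool:
    return not missing_topics(banner) and not discouraged_words(banner)


COMPLIANT_BANNER = """\
This is a State of Texas information resource. Unauthorized use is prohibited.
Usage may be subject to security testing and monitoring. Misuse is subject to
criminal prosecution. By continuing you consent to these conditions.
"""

# A typical pre-existing banner that fails on all three points (constructed).
WEAK_BANNER = "Welcome to the agency file server. Have a nice day.\n"
```

To apply the text, place it in a file such as /etc/issue.net and point the `Banner` directive in sshd_config at it; the same text goes in /etc/issue for local console logins. The check is a keyword screen, so a banner that passes it still needs a reading by counsel before it is relied on for the criminal-prosecution point.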
(b) [(c)] Standard for data transport networks for computers.
(1)
Definitions.
(A)
For purposes of this section the word "network" will refer
to all data transport networks used primarily to interconnect computers and
networks of computers for the purpose of transporting data, allowing interoperation
of computer applications on more than one computer system, and providing access
to data.
(B)
For purposes of this section the phrase "substantial change"
is defined to mean any change that requires the replacement of physical transport
media, replacement of data transport protocol, or any change in the major
computer systems on the network.
(C)
For purposes of this section "non-adjacent buildings" are
defined as those that are physically separated by property not owned by the
state and where there is no state owned right-of-way connecting the buildings.
(2)
Standard. All networks that span more than one non-adjacent
building, or interconnect more than one agency must adhere to the following.
(A)
If the network is in existence at the time this rule is
adopted, the network must become compliant with subparagraph (B) of this paragraph
by August 31, 2001.
(B)
All new networks, all extensions to existing networks and
all networks undergoing substantial change must adhere to the TCP/IP standards
as listed in the most recent Request for Comments (RFC) as international standards
promulgated by the Internet Society.
(C)
Agencies may not install new networks or extensions to
existing networks where such installation or extension duplicates existing
state owned network routing that complies with subparagraph (B) of this paragraph.
Agencies must cooperate to share existing facilities; expanding them if necessary.
Where this paragraph conflicts with current or future rules concerning telecommunications
from the General Services Commission, the General Services Commission rule
will prevail.
(c) [(d)] Communications Wiring Standards for State Facilities.
(1)
Definitions. The following words and terms, when used in
this subsection, shall have the following meanings unless the context clearly
indicates otherwise.
(A)
ANSI--The American National Standards Institute.
(B)
EIA--The Electronics Industry Association.
(C)
TIA--The Telecommunications Industry Association.
(2)
All state agencies will adhere to the following standards
when wiring or re-wiring state-owned or state-leased space:
(A)
ANSI/EIA/TIA-568-1995, Commercial Building Telecommunications
Wiring Standard or its most recent successor document. This applies to the
telecommunications wiring for buildings that are office-oriented and when
ANSI/EIA/TIA-570-1991 is not selected. The term "commercial enterprises" is
used in ANSI/EIA/TIA-568-1991 to differentiate between office buildings and
buildings designed for industrial enterprises. ST-type fiber connectors shall
be used for fiber optic terminations.
(B)
ANSI/EIA/TIA-570-1991, Residential and Light Commercial
Building Telecommunications Wiring Standard or its most recent successor document,
when planning and designing premises-wiring systems intended for connecting
one to four exchange access lines to various types of customer-premises equipment
when ANSI/EIA/TIA-568-1991 is not selected.
(C)
ANSI/EIA/TIA-569-1990, Commercial Building Telecommunications
Pathways and Spaces or its most recent successor document, when planning and
designing state-owned and state-leased space to accommodate telecommunications
system wiring.
(D)
ANSI/EIA/TIA-606-1993, Administration Standard for the
Telecommunications Infrastructure of Commercial Buildings or its most recent
successor document, when documenting and administering telecommunications
infrastructures in state-owned and state-leased space.
This agency hereby certifies that the proposal
has been reviewed by legal counsel and found to be within the agency's legal
authority to adopt.
Filed with the Office of
the Secretary of State, on February 12, 2001.
TRD-200100863
Renee Mauzy
General Counsel
Department of Information Resources
Earliest possible date of adoption: April 1, 2001
For further information, please call: (512) 475-2153