Part 10.
DEPARTMENT OF INFORMATION RESOURCES
Chapter 201.
PLANNING AND MANAGEMENT OF INFORMATION RESOURCES TECHNOLOGIES
1 TAC §201.12
The Department of Information Resources (department) adopts
the repeal of 1 T.A.C. §201.12, concerning state web sites. The repeal
is adopted without changes to the proposed text as published in the March
15, 2002, Texas Register (27 TexReg 1960).
Simultaneous with the repeal, the department is adopting new §206.1,
concerning definitions applicable to state web sites; new §206.2, concerning
accessibility and usability of state web sites; new §206.3, concerning
privacy and security of state web sites; new §206.4, concerning state
web site link and privacy policy; and new §206.5, linking and indexing
of state web sites.
No comments were received in response to publication of the proposed repeal.
The repeal of §201.12 is adopted pursuant to §2054.052(a),
Government Code, which provides the department may adopt rules as necessary
to implement its responsibilities.
§2054.051, Government Code, is affected by the repeal of 1 T.A.C. §201.12.
This agency hereby certifies that the adoption has been reviewed
by legal counsel and found to be a valid exercise of the agency's legal authority.
Filed with the Office of
the Secretary of State on May 29, 2002.
TRD-200203318
Renee Mauzy
General Counsel
Department of Information Resources
Effective date: June 18, 2002
Proposal publication date: March 15, 2002
For further information, please call: (512) 475-2153
1 TAC §201.13
The Department of Information Resources (department) adopts
the repeal of §201.13, concerning information resource standards. The
repeal is adopted without changes to the proposed text published in the March
8, 2002, Texas Register (27 TexReg 1599).
Simultaneous with adoption of the repeal, the department is adopting new §§202.1,
concerning information resources security standards definitions; 202.2, concerning
information resources security standards policy; 202.3, concerning management
and staff responsibilities for information resources security standards; 202.4,
concerning managing security risks; 202.5, concerning personnel and contractor
security practices; 202.6, concerning
managing physical security risks; 202.7, concerning information resources
security safeguards; and 202.8, concerning information resources security
standards for data communications systems. The foregoing new sections replace
repealed §201.13(a), concerning information security standards. Concomitant
with this repeal, the department is also adopting new chapter 208, §208.1,
concerning definitions applicable to communications wiring standards for state
facilities, and §208.2, concerning communications wiring standards for
state facilities. New chapter 208 replaces repealed §201.13(c).
No comments were received in response to the proposed repeal of 1 T.A.C. §201.13.
The repeal of §201.13 is adopted pursuant to Texas Government
Code §2054.052(a), which provides the department may adopt rules as necessary
to implement its responsibilities.
Texas Government Code §2054.051 is affected by the proposed repeal.
This agency hereby certifies that the adoption has been reviewed
by legal counsel and found to be a valid exercise of the agency's legal authority.
Filed with the Office of
the Secretary of State on May 29, 2002.
TRD-200203319
Renee Mauzy
General Counsel
Department of Information Resources
Effective date: June 18, 2002
Proposal publication date: March 8, 2002
For further information, please call: (512) 475-2153
1 TAC §201.16
The Department of Information Resources (department) adopts
the repeal of §201.16, concerning minimum standards for meetings held
by videoconference. The repeal is adopted without changes to the proposed
text as published in the March 8, 2002, Texas Register (27 TexReg 1600).
Simultaneous with this repeal, the department is
adopting new §209.1, concerning definitions applicable to minimum standards
for meetings held by videoconference, and new §209.2, concerning videoconference
standards. Both new adopted §§209.1 and 209.2, which replace the
repealed §201.16, contain substantive changes from the provisions of
§201.16. The new rules update
the videoconference standards to incorporate changes required by §551.127(i),
Government Code.
No comments were received in response to the proposed repeal.
Repeal of §201.16 is adopted pursuant to §2054.052(a),
Government Code, which provides the department may adopt rules as necessary
to implement its responsibilities.
This agency hereby certifies that the adoption has been reviewed
by legal counsel and found to be a valid exercise of the agency's legal authority.
Filed with the Office of
the Secretary of State on May 29, 2002.
TRD-200203322
Renee Mauzy
General Counsel
Department of Information Resources
Effective date: June 18, 2002
Proposal publication date: March 8, 2002
For further information, please call: (512) 475-2153
1 TAC §§202.1 - 202.8
The Department of Information Resources (department) adopts
new §202.1, security standards definitions; 202.2, security standards
policy; 202.3, management and staff responsibilities; 202.4, managing security
risks; 202.5, managing physical security; 202.6, business continuity planning;
202.7, information resources security safeguards; and 202.8, user security
practices. Sections 202.1, 202.3, 202.4, 202.6 and 202.7 are adopted with
changes to the proposed text as published in the March 22, 2002, issue of
the Texas Register (27 TexReg 2144). Sections
202.2, 202.5 and 202.8 are adopted without changes and will not be republished.
Simultaneous with adoption of these rules, the department is adopting the
repeal of §201.13 information resource standards, so that all information
security standards are transferred from chapter 201, §201.13(a) to chapter
202, §202.1-202.8 of Title 1.
Implementation of the new rules by state agencies will increase the security
of state agency information resources in an era of increased likelihood of
cyberterrorism. Section 202.1 contains the definitions applicable within chapter
202. Section 202.2 sets forth security standards policy. Section 202.3 identifies
management and staff responsibilities for information resources, including
the requirements in subsection (d) for designation of an information security
officer to administer the agency information security program. This individual
must report to executive level management thereby assuring appropriate executive
level management attention to information resources security. Section 202.3(e)
requires an annual compliance review of each agency's information security
program to maintain adequate security measures. Section 202.4 addresses the
management of security risks. It requires that security risk analyses be updated
based on inherent risk. Inherent risk and frequency of the security risk analysis
will be ranked, at a minimum, as "high," "medium," or "low" based on defined
criteria. Security risk assessment results, vulnerability reports and similar
information must be documented and presented to the agency head or his or
her representative. The agency head must make the final security risk management
decisions regarding accepting exposures or protecting data according to the
value and sensitivity of the data. Adoption of these provisions links the
frequency and nature of security risk analyses to the relative risk of a particular
security risk. The criteria are based on security standards adopted by the
U.S. Treasury in its Treasury Electronic Authentication Policy.
Section 202.5 strengthens physical security management of information resources
in response to the terrorist attacks on the U.S. in the past eight months.
Management and documentation of physical access to mission critical information
resources facilities are the responsibility of the agency head or his or her
representative. Physical security measures must be reviewed annually. Section
202.5(d) specifies that emergency procedures must be in writing, and must
be developed, updated and tested at least annually. Implementation of these
requirements will help ensure that physical security is up to date. Pursuant
to §202.5(e), agencies are to refer to the State Office of Risk Management
for applicable physical security rules and guidelines. Section 202.6(a) provides
that agencies should maintain written business continuity plans, a copy of
which must be maintained off-site, to minimize the effects of a disaster and
so that mission critical functions can be maintained during or quickly resumed
after the disaster. Elements of the business continuity plan are laid out
in this section. The presence of a written disaster recovery plan is a required
element of each business continuity plan. Section 202.6(b) provides for the
scheduled back-up and off-site storage of mission critical data in a secure,
environmentally safe, locked facility that is accessible only to authorized
agency representatives. Section 202.7 concerns security safeguards applicable
to information resources. Section 202.7(c)(4) requires that information resources
systems which use passwords shall be based on documented agency security risk
management decisions and industry best practices. Section 202.7(e)(3) requires
that, based upon a security risk assessment, a sufficiently complete history
of transactions be maintained to permit an audit of the information resources
system by logging and tracing the activities of the individuals through the
system. The department believes that activation of the logging function should
assist law enforcement in criminal investigations, should such investigations
be necessary. Section 202.7(g) adds the requirement that information security
and audit controls be included in all phases of the system development lifecycle
or acquisition process.
Section 202.7(h) requires each agency head, or his or her representative,
and information security officer to create, distribute and implement information
security policies. Policies to be included within such policy are set forth
in §202.7(h)(1) through (22). Subsection (i) requires each agency to
establish a perimeter protection strategy to include some or all of the components
set forth in §202.7(i)(1) through (4). Subsection (j) requires that system
identification/logon banners include warning statements addressing the areas
set forth in §202.7(j)(1) through (4). Section 202.8 requires authorized
users of information resources to formally acknowledge they will comply with
the security policies and procedures of the agency or they will not be granted
access to the information resources. Devices designated for public access
shall be configured to enforce security policies and procedures without the
requirement of formal acknowledgement. Section 202.8(c) requires the agency
executive director, or his or her designee, to consider requiring execution
of non-disclosure agreements to protect information from disclosure by employees
and contractors, and subsection (d) requires agencies to provide an ongoing
information security awareness education program for all users. New employees
shall be introduced to information security awareness and information security
policies and procedures at new employee orientation.
In accordance with §2001(a)(1), Government Code, the department's
reasoned justification for adopting these rules is set out in the order adopting
the rules. The order includes, by reference, this preamble and the rules adopted
in §202.1-202.8. The department's reasoned justification for adoption
of the rules is contained throughout this preamble, including why the rules
are appropriate, the factual, policy and legal bases for the rules, a summary
of comments received from interested organizations, including whether each
organization was for or against adoption of the rules, names of the organizations
that commented, and the reasons the department disagrees with some of the
comments.
In developing the new security rules, the department extensively reviewed
and analyzed security standards as well as the comments submitted to the department
in response to publication of the proposed rules. The rules strengthen the
security requirements applicable to state agencies in the wake of the events
of September 11, 2001 while limiting, to the extent prudent, the costs associated
with increased information resources security by making some of the requirements
applicable only if the state agency determines, through risk assessment, that
certain controls or processes are necessary to protect information resources
from unauthorized or accidental modification, destruction or disclosure.
Changes from the rules as proposed and published in the March 22, 2002,
The word "disruption" has been added to §202.1(12) to more fully define
"security incident." "Information Resources Manager" is changed to "his or
her designated representative" in §202.3(e) for clarification and consistency
within the rule. In §202.4(a)(1), 202.4(a)(2), and 202.4(a)(3) the word
"systems" has been replaced by "information resources" for clarification and
consistency throughout the rule. Section 202.7(f)(1) has been rewritten to
better clarify what types of incidents should be reported to the department
within a 24 hour period. The sentence now reads "Security incidents shall
be promptly investigated and documented. Security incidents shall be reported
to the department within twenty-four hours if there is a substantial likelihood
that such incidents could be propagated to other systems beyond the control
of the agency." In §202.6(a) the sentence "Business Continuity Planning
covers all business functions of an agency, and it is a business management
responsibility" was added to clarify that it is the responsibility of the
entire agency, rather than the responsibility of the information resource
function within an agency, to provide business continuity planning.
In §202.7(f)(3) the words "and there is a substantial likelihood that
such incidents could be propagated to other systems beyond the control of
the agency" have been moved to §202.7(f)(1) for clarity. Sections 202.7(h),
202.7(i) and 202.7(j) were renumbered to conform to standard structure. For
clarity, the second sentence of §202.7(h) has changed from "The following
policies shall be required, but not limited," to "At a minimum, the following
policies will be developed and published." In §202.7(h)(21) the acronyms
"A/C, UPS, and PDU" were spelled out to read "Air Conditioning, Universal
Power Supply, and Power Distribution Unit" for clarification. Section 202.7(j)(4),
concerning having a warning statement on system identification and logon banners
relating to "no expectation of privacy" has been amended in response to a
comment received, to clarify that there is no expectation of privacy for users
of state information resources other than as is provided by applicable privacy
laws.
Comments on the rules were received from the Office of the Attorney General,
which did not state a position on the rules and requested several clarifications
and offered several wording changes. Comments were received from the State
Auditor's Office, which did not state a position on the rules, but had several
suggestions it believed would strengthen the rules. Comments were received
from the University of Texas at Austin. These comments indicated support for
parts of the rules and opposition to parts of the rules. The department received
comments from the University of Texas Medical Branch at Galveston requesting
clarification in some areas and suggesting narrowing and broadening of different
parts of the rules. The University of Texas at San Antonio submitted comments
opposing parts of the rules, requesting that parts of the rules be clarified
and pointing out some differences between most state agencies and large universities
that have cost implications. The University of Texas at San Antonio Health
Science Center submitted comments identical to those submitted by the University
of Texas at San Antonio. The Department of Insurance submitted comments in
opposition to §202.6 relating to business continuity planning.
The department received the following comments concerning the proposed
rules:
COMMENT: For §202.1(3) a commenter suggested that the definition of
"confidential information" be revised.
RESPONSE: The department disagrees. The definition of "confidential information"
in the rule is broad enough to cover the revisions suggested.
COMMENT: For §202.1(7) a commenter suggested that the definition for
"information resources" include the word "data." Another agency suggested
that the definition include the words "telecommunications and Personal Data
Assistant."
RESPONSE: The department disagrees with the comments. The definition of
information resources in Texas Government Code §2054.003(7) is broad
enough to include all the terms suggested. The definition implies that data
is protected when hardware, software, and equipment protect the perimeter.
In addition, telecommunications and Personal Data Assistants are included
in hardware, software and equipment.
COMMENT: For §202.1(12) commenters suggested that the word "disruption"
be added to the definition of "Security Incident" for clarification.
RESPONSE: The department agrees and the definition of "security incident"
was changed to include "disruption" for additional clarification.
COMMENT: For §202.3 a commenter suggested that the department include
a template in the security guidelines to assist agencies with data classification;
that confidential information should be included in §202.3(b) information
classification categories; and that appropriate controls should be established
in §202.7(b).
RESPONSE: The department disagrees. The rule does not exclude confidential
information from the classification categories. The rule states "Agencies
are responsible for defining all information classification categories except
the "confidential information" category, which is defined in §202.1(3)."
Confidential information is defined by law. It is not subject to a different
classification scheme by agencies than is established by law.
COMMENT: For §202.3 a commenter noted that the department's reference
to information resources manager in this section is confusing, because the
term "information resources manager" is not used elsewhere in the rule. A
commenter suggested that the standards should state the responsibility of
the information resources manager.
RESPONSE: The department agrees with the first comment. It has deleted
the reference to "information resource manager" in §202.3(e) and has
added "or his/her designated representative" for consistency within the rule.
The department disagrees with the second comment, because it believes that
agency heads need flexibility in defining lines of authority and responsibility
within their organizations. The responsibilities of information resources
managers, except as otherwise controlled by law, should be within the discretion
of the particular agency head to establish.
COMMENT: Regarding §202.3 a commenter suggested that the standards
should clarify the role of the information resource manager and the information
resources manager should be referenced instead of the agency head.
RESPONSE: The department disagrees with the comment. By removing the reference
to "information resource manager" in §202.3(e) the department has obviated
the need for the term to be defined.
COMMENT: Commenters suggested that §202.1 of the rule should include
a definition for "executive" and should define the reporting structure of
the information security officer.
RESPONSE: The department disagrees, because it believes that the needs
of agencies are better served by allowing the flexibility for each agency
to determine the meaning of "executive" and the reporting structure of employees,
within the agency.
COMMENT: For §202.3(e) an agency commented that an agency's internal
auditor should be involved in the agency's security program compliance review.
RESPONSE: No changes are needed to the rule. The rule does not preclude
an agency's internal auditor from being involved in the compliance review
of information resources security.
COMMENT: Commenters suggested that "system" be defined in §202.4.
RESPONSE: The department eliminated the references to "system" throughout
the rule, replacing them with "information resources." Section 202.4(a), 202.4(b)
and 202.4(c) were changed to delete references to "system," therefore, there
is no need to define "system."
COMMENT: A commenter indicated that §202.4 did not offer enough guidance
to complete a risk assessment.
RESPONSE: The department disagrees. The rule establishes the minimum requirement
to perform a risk assessment. The section is not intended to serve as guidelines.
The criteria used in the rule are based on security standards adopted by the
U.S. Treasury in its Treasury Electronic Authentication Policy.
COMMENT: Commenters indicated that §202.4(c) does not clarify the
exemptions from the Texas Public Information Act for vulnerability reports.
RESPONSE: Agencies should look to Texas Government Code, 2054.077 and Texas
Government Code, chapter 552, to determine what may be withheld from disclosure
under the Texas Public Information Act. The department cannot make the determination
by rule.
COMMENT: For §202.5(e) commenters indicated that the rule needs to clarify
the exact State Office of Risk Management guidelines to be used.
RESPONSE: The department disagrees, because the State Office of Risk Management
publishes a guide for physical security. The guide is listed on the State
Office of Risk Management's website.
COMMENT: Commenters disagreed with §202.6(a), indicating (1), a business
continuity plan covers all phases of business and this should be an agency-wide
responsibility not just an information technology issue or function. A commenter
contended that by putting business continuity planning in the rule it becomes
an information technology function; (2) the State Office of Risk Management
should be responsible for business continuity planning, and this rule should
be transferred to the State Office of Risk Management; (3) the rule was not
clear as to whether it is a requirement to complete a business continuity
plan. Another commenter indicated that the rule should be stronger, that business
continuity planning is essential and suggested that the rule should require
agencies to complete business continuity plans.
RESPONSE: The department agrees that business continuity planning is an
agency-wide process which covers all business functions. The department has
clarified this by adding the wording "business continuity planning covers
all business functions of an agency and is a business management responsibility."
The department believes that the State Office of Risk Management currently
does not have rules or guidelines for business continuity planning. The department
will work with the State Office of Risk Management to assist with the guidelines.
The department disagrees with making business continuity planning a requirement.
It believes that agencies' risks are different and each agency should define
its own level of risk. The risk assessment should determine whether a business
continuity plan is necessary and a prudent business practice.
COMMENT: Regarding §202.7(e) commenters indicated that the statement
requiring encryption for storage and transmission of information is too broad,
and that there is no provision for escrow or key recovery if the agency needs
to un-encrypt the information.
RESPONSE: The department disagrees. It is up to each agency to decide based
on its risk decisions whether to include escrow or key recovery in the agency's
encryption policy.
COMMENT: Regarding §202.7(e)(3) a commenter recommended that the rule
cite a definite period of time for keeping systems logs.
RESPONSE: The department disagrees. The rule states it is a risk based
decision, and it is up to each agency to determine its schedule for retaining
logs based on its record retention policy. Agencies are required to follow
state records retention rules set by the Texas State Library and Archive Commission.
COMMENT: With respect to §202.7(h) a commenter indicated that the
provision requiring agencies to implement suggested security policies was
not worded well and suggested alternative language.
RESPONSE: The department agrees with the comment and has changed the wording
to clarify the rule.
COMMENT: A commenter suggested that §202.7(h)(21) spell out the acronyms
A/C, UPS, and PDU.
RESPONSE: The department agrees, and the acronyms were changed to "Air
Conditioning, Universal Power Supply, and Power Distribution Unit."
COMMENT: Concerning §202.7(i)(4) a commenter requested that the provision
concerning "routers" be changed to include additional wording that would require
security features activated.
RESPONSE: The department disagrees. The requested change would place unnecessary
additional requirements on the agencies. The rule does not preclude an agency
from activating security features on routers.
COMMENT: Concerning §202.7(f)(1) a commenter noted that the rule did
not make clear the types of security incidents that must be reported in the
24-hour reporting requirement to the department and asked if the department
is prepared to receive incident reporting 24X7.
RESPONSE: The department agreed and added the following to clarify the
24-hour reporting requirements: "incidents that pose a substantial threat
to other agencies or could propagate to other agencies' systems beyond the
control of the agencies shall be reported to the department within 24 hours."
The change eliminates the requirement to report every incident. In addition,
the department has taken steps to develop a process to receive notifications
on critical incidents on a 24X7 schedule.
COMMENT: Also, in §202.7(f)(1) commenters opposed the requirement
to report within 24 hours stating that it would be problematic.
RESPONSE: The department clarified the reporting requirement in response
to these comments. Under the revised rule, only "incidents that pose a substantial
threat to other agencies or could propagate to other agencies' systems beyond
the control of the agencies shall be reported to the department within 24
hours." The change eliminates the need to report every incident, thereby reducing
the reporting obligation for agencies.
COMMENT: A commenter inquired if monthly incident reports are necessary
under §202.7(f) since the rule requires prompt investigation.
RESPONSE: Monthly incident reports are necessary. As indicated above, the
department has reduced the 24-hour reporting requirements, and monthly reports
continue to be necessary so that all incidents are covered and reported.
COMMENT: For §202.7(j)(4) a commenter indicated that the proposed
provision would compromise the integrity and credibility of universities if
personal information was subject to a banner statement that there is no expectation
of privacy with respect to use of the information resource.
RESPONSE: The department agrees that certain laws provide certain privacy
rights; however, the department disagrees with removing the requirement that
system identification and logon banners address that users of state information
resources should have no expectation of privacy. In response to the comment
received, the department modified the language of §202.7(j)(4) to provide
that system identification/logon banners shall include the warning that there
is no expectation of privacy except as otherwise provided by applicable privacy
law.
COMMENT: Comments were made that the rules should differentiate between
institutions of higher education and other state agencies due to differing
missions and operating environments.
RESPONSE: The department disagrees and has tried to accommodate all agencies,
including institutions of higher education. The department believes the rules
are prudent business practices that all agencies, including institutions of
higher education, must follow to protect both state resources and private
data held electronically by state agencies. The Information Security Advisory
Work Group that worked with the department on amending the security rules
consisted of thirteen agencies and four universities. Input was gathered from
all group participants.
COMMENT: Commenters stated that §202.3(c), which refers to defining
responsibilities, "would generate an enormous documentation burden and would
be next to impossible to keep current without great expense" for non-business
aspects of universities.
RESPONSE: The department disagrees. The rule applies only to assigned responsibilities
within a business function of an institution of higher education. The rules
are inapplicable to non-business function operations.
COMMENT: A commenter indicated that the cost estimates in the preamble
to this rule fall short of what will actually be needed.
RESPONSE: The department disagrees with the comment. The cost estimates
set forth in the preamble are per instance. The cost estimates do not include
staff.
COMMENT: Another commenter indicated there will be additional costs to
the agency (costs for staff, independent reviews, and to modify operations)
to comply with this rule.
RESPONSE: Some agencies will require additional funding to comply with
the rules. However, the requirements of the rules represent prudent business
practices that will help ensure adequate information resources security.
The new rules are adopted pursuant to §2054.052(a), Government
Code, which provides the department may adopt rules as necessary to implement
its responsibilities under the Information Resources Management Act.
The department is not aware of other statutes affected by the proposed
rules.
§202.1.Security Standards Definitions.
The following words and terms, when used with this chapter, shall have
the following meanings, unless the context clearly indicates otherwise.
(1)
Access--To approach, interact with, or otherwise make use
of information resources.
(2)
Business Continuity Planning-The process of identifying
critical data systems and business functions, analyzing the risks and probabilities
of service disruptions and developing procedures to restore those systems
and functions.
(3)
Confidential Information--Information that is excepted
from disclosure requirements under the provisions of applicable state or federal
law, e.g. the Texas Public Information Act.
(4)
Control--Any action, device, policy, procedure, technique,
or other measure that improves security.
(5)
Custodian of an Information Resource--A person responsible
for implementing owner-defined controls and access to an information resource.
(6)
Department-The Department of Information Resources.
(7)
Information Resources-Is defined in §2054.003(6),
Texas Government Code and/or other applicable state or federal legislation.
(8)
Information Security Program--The elements, structure,
objectives, and resources that establish an information resources security
function within an agency.
(9)
Mission Critical Information--Information that is defined
by the agency to be essential to the agency's function(s).
(10)
Owner of an Information Resource--A person responsible:
(A)
For a business function; and
(B)
For determining controls and access to information resources
supporting that business function.
(11)
Platform-The foundation technology of a computer system.
The hardware and systems software that together provide support for an application
program. (Ref: Practices for Protecting Information Resources Assets.)
(12)
Security Incident--An event which results in unauthorized
access, loss, disclosure, modification, disruption, or destruction of information
resources whether accidental or deliberate.
(13)
Security Risk Analysis--The process of identifying and
documenting vulnerabilities and applicable threats to information resources.
(14)
Security Risk Assessment--The process of evaluating the
results of the risk analysis by projecting losses, assigning levels of risk,
and recommending appropriate measures to protect information resources.
(15)
Security Risk Management--Decisions to accept exposures
or to reduce vulnerabilities.
(16)
User of an Information Resource--An individual or automated
application authorized to access an information resource in accordance with
the owner-defined controls and access rules.
(17)
Vulnerability Report--A computer related report containing
information described in §2054.077(b), Government Code, as that section
may be amended from time to time.
§202.3. Management and Staff Responsibilities.
(a)
The agency head or his or her designated representative(s)
shall review and approve ownership of information resources and their associated
responsibilities.
(b)
The owner of an information resource, with the agency head's
concurrence, is responsible for classifying business functional information.
Agencies are responsible for defining all information classification categories
except the Confidential Information category, which is defined in §202.1
of this chapter, and establishing the appropriate controls for each.
(c)
Owners, custodians, and users of information resources
shall be identified, and their responsibilities defined and documented by
the agency. In cases where information resources are used by more than one
major business function, the owners shall reach consensus and advise the information
security function as to the designated owner with responsibility for the information
resources. The following distinctions among owner, custodian, and user responsibilities
should guide determination of these roles:
(1)
Owner Responsibilities. The owner or his or her designated
representative(s) are responsible for and authorized to:
(A)
Approve access and formally assign custody of an information
resources asset;
(B)
Determine the asset's value;
(C)
Specify data control requirements and convey them to users
and custodians;
(D)
Specify appropriate controls, based on risk assessment,
to protect the state's information resources from unauthorized modification,
deletion, or disclosure. Controls shall extend to information resources outsourced
by the agency.
(E)
Confirm that controls are in place to ensure the accuracy,
authenticity, and integrity of data;
(F)
Ensure compliance with applicable controls;
(G)
Assign custody of information resources assets and provide
appropriate authority to implement security controls and procedures.
(H)
Review access lists based on documented agency security
risk management decisions.
(2)
Custodian responsibilities. Custodians of information resources,
including entities providing outsourced information resources services to
state agencies must:
(A)
Implement the controls specified by the owner(s);
(B)
Provide physical and procedural safeguards for the information
resources;
(C)
Assist owners in evaluating the cost-effectiveness of controls
and monitoring; and
(D)
Implement the monitoring techniques and procedures for
detecting, reporting, and investigating incidents.
(3)
User responsibilities. Users of information resources shall
use the resources only for defined purposes and comply with established controls.
(d)
The Information Security Officer. Each agency head shall
designate an information security officer to administer the agency information
security program. The Information Security Officer shall report to executive
level management.
(1)
It shall be the duty and responsibility of this individual
to develop and recommend policies and establish procedures and practices,
in cooperation with owners and custodians, necessary to ensure the security
of information resources assets against unauthorized or accidental modification,
destruction, or disclosure.
(2)
The Information Security Officer shall document and maintain
an up-to-date information security program. The information security program
must be approved by the agency head.
(3)
The Information Security Officer is responsible for monitoring
the effectiveness of defined controls for mission critical information.
(4)
The Information Security Officer shall report, at least
annually, to the agency head the status and effectiveness of information resources
security controls.
(e)
A review of the agency's information security program for
compliance with these standards will be performed at least annually by individual(s)
independent of the information security program and designated by the agency
head or his or her designated representative.
§202.4. Managing Security Risks.
(a)
A security risk analysis of information resources shall
be performed and documented. The security risk analysis shall be updated based
on the inherent risk. The inherent risk and frequency of the security risk
analysis will be ranked, at a minimum, as either "High," "Medium," or "Low,"
based primarily on the following criteria:
(1)
High Risk--annual assessment--Information resources that:
(A)
Involve large dollar amounts or significantly important
transactions, such that business or government processes would be hindered
or an impact on public health or safety would occur if the transactions were
not processed timely and accurately, or
(B)
Contain confidential or sensitive data such that unauthorized
disclosure would cause real damage to the parties involved, or
(C)
Impact a large number of people or interconnected systems.
(2)
Medium Risk--biennial assessment--Information resources
that:
(A)
Transact or control a moderate or low dollar value, or
(B)
Data items that could potentially embarrass or create problems
for the parties involved if released, or
(C)
Impact a moderate proportion of the customer base.
(3)
Low Risk--biennial assessment--Information resources that:
(A)
Publish generally available public information, or
(B)
Result in a relatively small impact on the population.
(b)
A system change could cause the overall classification
to move to the High Risk category.
(c)
Security risk assessment results, vulnerability reports,
and similar information shall be documented and presented to the agency head
or his or her designated representative. The agency head shall make the final
security risk management decisions to either accept exposures or protect the
data according to its value/sensitivity. The agency head must approve the
security risk management plan. This information may be exempt from disclosure
under §2054.77(c), Government Code.
§202.6. Business Continuity Planning.
(a)
Business Continuity Planning covers all business functions
of an agency and it is a business management responsibility. Agencies should
maintain a written Business Continuity Plan so that the effects of a disaster
will be minimized, and the agency will be able to either maintain or quickly
resume mission-critical functions. The agency head shall approve the Plan.
The Plan shall be distributed to key personnel and a copy stored offsite.
Elements of the Plan for information resources shall include:
(1)
Business Impact Analysis to systematically assess the potential
impacts of a loss of business functionality due to an interruption of computing
and/or infrastructure support services resulting from various events or incidents.
The analysis shall address maximum tolerable downtime for time-critical support
services and resources including, but not limited to:
(A)
Personnel;
(B)
Facilities;
(C)
Technology platforms (all computer systems);
(D)
Software;
(E)
Information resources security utilities;
(F)
Data networks and equipment;
(G)
Voice networks and equipment;
(H)
Vital electronic records and/or data.
(2)
Security Risk Assessment to weigh the cost of implementing
preventative measures against the risk of loss from not taking action.
(3)
Recovery Strategy to appraise recovery alternatives and
alternative cost-estimates which shall be presented to management.
(4)
Implementation, testing, and maintenance management program
addressing the initial and ongoing testing and maintenance activities of the
Plan.
(5)
Disaster Recovery Plan--Each agency shall maintain a written
disaster recovery plan for information resources. The disaster recovery plan
will:
(A)
Contain measures which address the impact and magnitude
of loss or harm that will result from an interruption;
(B)
Identify recovery resources and a source for each;
(C)
Contain step-by-step instructions for implementing the
Plan;
(D)
Be maintained to ensure currency; and
(E)
Be tested at least annually.
(b)
Mission critical data shall be backed up on a scheduled
basis and stored off site in a secure, environmentally safe, locked facility
accessible only to authorized agency representatives.
§202.7. Information Resources Security Safeguards.
(a)
Access to information resources shall be managed to ensure
authorized use.
(b)
Confidentiality of data and systems.
(1)
Confidential information shall be accessible only to authorized
users. Information containing any confidential data shall be identified, documented,
and protected in its entirety.
(2)
Information resources assigned from one agency to another
shall be protected in accordance with the conditions imposed by the providing
agency.
(c)
Identification/Authentication.
(1)
Each user of information resources shall be assigned a
unique identifier except for situations where risk analysis demonstrates no
need for individual accountability of users. User identification shall be
authenticated before the information resources system may grant that user
access.
(2)
A user's access authorization shall be appropriately modified
or removed when the user's employment or job responsibilities within the agency
change.
(3)
Information resources systems shall contain authentication
controls that comply with documented agency security risk management decisions.
(4)
Information resources systems which use passwords shall
be based on industry best practices on password usage and documented agency
security risk management decisions.
(5)
For electronic communications where the identity of a sender
or the contents of a message must be authenticated, the use of digital signatures
is encouraged. Agencies should refer to guidelines and rules issued by the
department for further information. (Ref. SRRPUB13 and 1 T.A.C. §201.14).
(d)
Encryption. Encryption for storage and transmission of
information shall be used based on documented agency security risk management
decisions.
(e)
Auditing.
(1)
Information resources systems must provide the means whereby
authorized personnel have the ability to audit and establish individual accountability
for any action that can potentially cause access to, generation of, modification
of, or effect the release of confidential information.
(2)
Appropriate audit trails shall be maintained to provide
accountability for updates to mission critical information, hardware and software
and for all changes to automated security or access rules.
(3)
Based on the security risk assessment, a sufficiently complete
history of transactions shall be maintained to permit an audit of the information
resources system by logging and tracing the activities of individuals through
the system.
(f)
Security incidents.
(1)
Security incidents shall be promptly investigated and documented.
Security incidents shall be reported to the department within twenty-four
hours if there is a substantial likelihood that such incidents could be propagated
to other systems beyond the control of the agency.
(2)
If criminal action is suspected, the agency must contact
the appropriate law enforcement and investigative authorities immediately.
(3)
Each agency shall provide summary reports to the department
that contain information concerning violations of security policy of which
the agency has become aware. An agency shall not be required to report security
incidents unless it reasonably believes such incidents may involve criminal
activity under Texas Penal Code Chapters 33 (Computer Crimes) or 33A (Telecommunications
Crimes). Reports should include:
(A)
Type of activity, including but not limited to:
(i)
Unwanted disruption or denial of service;
(ii)
Unauthorized use of a system for the processing or storage
of data; and
(iii)
Changes made to system hardware, firmware, data or software
without the agency's effective consent.
(B)
Time elapsed between initial detection of incident and
containment of the security breach or full restoration of adversely affected
functions, whichever is later;
(C)
Description of the agency's response to the incident; and
(D)
Estimated total cost incurred by the agency in containing
the security incident or restoring adversely affected functions.
(4)
Reports must be sent to the department on a monthly basis
no later than the fifth (5th) working day after the end of the month. Information
shall be reported in the form and manner specified by the department.
(5)
The department shall establish internal security procedures
regarding the receipt and maintenance of information pertaining to security
incidents. The department shall instruct agencies as to the manner in which
they must report such information.
(g)
Systems development, acquisition, and testing.
(1)
Test functions shall be kept either physically or logically
separate from production functions. Copies of production data shall not be
used for testing unless the data has been declassified or unless all state
and independent contractor employees involved in testing are otherwise authorized
access to the data.
(2)
Information security and audit controls shall be included
in all phases of the system development lifecycle or acquisition process.
(3)
All security-related information resources changes shall
be approved by the owner through a quality assurance process. Approval must
occur prior to implementation by the agency or independent contractors.
(h)
Security Policies. Each agency head or his/her designated
representative and information security officer shall create, distribute,
and implement information security policies. At a minimum, the following policies
will be developed and published based on the documented agency security risk
management decisions and business function. These policies are not all inclusive.
(1)
Acceptable Use-Defines scope, behavior, and practices, and
the compliance monitoring pertaining to users of information resources.
(2)
Account Management-Establishes the rules for administration
of user accounts.
(3)
Administrator/Special Access-Establishes rules for the
creation, use, monitoring, control, and removal of accounts with special access
privileges.
(4)
Backup/Recovery-Establishes the rules for the backup, storage,
and recovery of electronic information.
(5)
Change Management-Establishes the process for controlling
modifications to hardware, software, firmware, and documentation to ensure
the information resources are protected against improper modification before,
during, and after system implementation.
(6)
Email-Establishes prudent and acceptable practices regarding
the use of email for the sending, receiving, or storing of electronic mail,
and ensures compliance with applicable statutes, regulations, and mandates.
(7)
Incident Management-Describes the requirements for dealing
with computer security incidents including prevention, detection, response,
and remediation.
(8)
Internet/Intranet Use-Establishes prudent and acceptable
practices regarding the use of the Internet and Intranet.
(9)
Intrusion Detection-Establishes requirements for auditing,
logging, and monitoring to detect attempts to bypass the security mechanisms
of information resources.
(10)
Network Access-Establishes the rules for the access and
use of the network infrastructure.
(11)
Network Configuration-Establishes the rules for the maintenance,
expansion, and use of the network infrastructure.
(12)
Password/Authentication-Establishes the rules for the
creation, use, distribution, safeguarding, termination, and recovery of user
authentication mechanisms.
(13)
Physical Access-Establishes the rules for the granting,
control, monitoring, and removal of physical access to information resources.
(14)
Portable Computing-Establishes the rules for the use of
mobile computing devices and their connection to the network.
(15)
Privacy-Methodologies used to establish the limits and
expectations regarding privacy for the users of information resources.
(16)
Security Monitoring-Defines a process that ensures information
resources security controls are in place, are effective, and are not being
bypassed.
(17)
Security Awareness and Training-Establishes the requirements
to ensure each user of information resources receives adequate training on
computer security issues.
(18)
Platform Hardening-Establishes the requirements for installing
and maintaining the integrity of a platform in a secure fashion.
(19)
Authorized Software-Establishes the rules for software
use on information resources.
(20)
System Development and Acquisition-Describes the security
and business continuity requirements in the systems development and acquisition
life cycle.
(21)
Vendor Access-Establishes the rules for vendor access
to information resources, support services (Air Conditioning, Universal Power
Supply, Power Distribution Unit, fire suppression, etc.), and vendor responsibilities
for protection of information.
(22)
Malicious Code-Describes the requirements for prevention,
detection, response, and recovery from the effects of malicious code (including
but not limited to viruses, worms, Trojan Horses, and unauthorized code used
to circumvent safeguards).
(i)
Perimeter Security Controls. Each agency head or his/her
designated representative and information security officer shall establish
a perimeter protection strategy to include some or all of the following components
based on the agency's security risk management decisions:
(1)
DMZ (Demilitarized Zone)-The DMZ is the network area created
between the public Internet and internal private network(s). This neutral
zone is usually delineated by some combination of routers, firewalls, and
bastion hosts. Typically, the DMZ contains devices accessible to Internet
traffic, such as Web (HTTP) servers, FTP servers, SMTP (email) servers, and
DNS servers.
(2)
Firewall-A system designed to prevent unauthorized access
to or from a private network. Firewalls can be implemented in both hardware
and software, or a combination of both and are used to prevent unauthorized
Internet users from accessing private networks connected to the Internet,
especially Intranets. They can also regulate traffic between networks within
the same agency.
(3)
Intrusion Detection System-Hardware and/or software which
is installed on a network and compares network traffic and host log entries
to the known and likely methods of attackers. Suspicious activities trigger
administrator alarms and other configurable responses.
(4)
Router-A device or, in some cases, software in a computer,
that determines the next network point to which a packet should be forwarded
toward its destination. The router is connected to at least two networks and
decides which way to send each information packet based on its current understanding
of the state of the networks to which it is connected. A router is located
at any gateway where one network meets another.
(j)
System Identification/Logon Banner. System identification/logon
banners shall have warning statements that include the following topics:
(1)
Unauthorized use is prohibited;
(2)
Usage may be subject to security testing and monitoring;
(3)
Misuse is subject to criminal prosecution; and
(4)
No expectation of privacy except as otherwise provided
by applicable privacy laws.
This agency hereby certifies that the adoption has been
reviewed by legal counsel and found to be a valid exercise of the agency's
legal authority.
Filed with the Office of
the Secretary of State on May 28, 2002.
TRD-200203271
Renee Mauzy
General Counsel
Department of Information Resources
Effective date: June 17, 2002
Proposal publication date: March 22, 2002
For further information, please call: (512) 475-2153
1 TAC §§206.1 - 206.5
The Department of Information Resources (department) adopts
new §206.1, web site definitions; 206.2, accessibility and usability
of state web sites; 206.3, privacy and security of state web sites; 206.4,
state web site link and privacy policy; and 206.5, linking and indexing of
state web sites. Sections 206.1(13), 206.1(26), 206.2(a)(3) and 206.3(c) are
adopted with changes to the text as published in the March 15, 2002, issue
of the Texas Register (27 TexReg 1962). Sections
206.4 and 206.5 are adopted without changes and will not be republished. Simultaneous
with adoption of these rules, the department is adopting the repeal of §201.12,
state web sites, so that all state web site rules are transferred from chapter
201 to chapter 206 of Title 1.
In accordance with §2001.033(a)(1), Government Code, the department's
reasoned justification for adopting these rules is contained in the order
adopting the rules, which includes, by reference, this preamble and the rules
adopted in §§206.1-206.5. The department's reasoned justification
for adoption of the rules includes a summary of comments received from interested
parties that shows the names of the interested groups offering comments and
whether they were for or against adoption of the rules; the factual basis
for the rules as adopted and the rational connection between the factual basis
for the rules and the rules as adopted; and the reasons why the department
disagrees with some of the comments.
Comments on the rules were received from the University of Texas System
Administration, the University of Texas at Austin, the University of Texas
at Dallas, the University of Texas Health Science Center - San Antonio, the
Texas Technology Access Project of the University of Texas at Austin, and
the Texas Workers' Compensation Commission. The Texas Technology Access Project
of the University of Texas at Austin was for the adoption of the rules. The
University of Texas System Administration, the University of Texas at Austin,
the University of Texas at Dallas, the University of Texas Health Science
Center - San Antonio, and the Texas Workers' Compensation Commission were
against adoption of the rules as proposed.
A summary of the comments received by the department concerning the proposed
rules is set forth below.
Two groups made general comments to the effect that universities have different
needs than administrative or regulatory agencies, and requesting an exemption
from the rules. The department disagrees with these comments because they
are premised upon a misunderstanding of the intended scope of the proposed
rules, and because the department does not have statutory authority to provide
an exemption from the rules for institutions of higher education or other
state agencies. The new rules as adopted, just as their predecessor rule in
1 T.A.C. §201.12, apply only to state web sites as that term is defined
in the rule. A "state web site" includes a state agency's home page and any
key public entry points. The term "key public entry point" is defined as "[a]
Web page that a state agency has specifically designed for members of the
general public to access official information (e.g., the governing or authoritative
documents) from the agency." Governing or authoritative documents are intended
to refer to documents such as enabling legislation, agency rules and policies,
and information of general interest to members of the public. The rule is
not intended to apply to web sites maintained by students, faculty or staff
of educational institutions, nor to sites maintained for commercial or proprietary
activities such as those by which a university may compete with private and
public sector health or medical centers.
Two groups challenged the department's assertion in its preamble that the
proposed rules will result in no anticipated economic cost to persons as a
result of the adoption of the rules. The groups asserted that there would
be labor and training costs associated with the implementation of the rules.
The department disagrees with the comments for the reasons indicated above;
i.e., that the rule applies only to state web sites. The department believes
that the cost of implementing the requirements of the rule, if any, will be
insubstantial and would otherwise be subsumed in the normal costs incurred
by state agencies in maintaining state web sites. One group also commented
that the cost to transcribe web-based video, available at some sites maintained
by state agencies, would be significant. While the department does not disagree
that such transcription may be costly, it disagrees that the rules would apply
to such video services, inasmuch as they do not constitute governing or authoritative
documents as contemplated by the definition of "key public entry point."
Several groups commented that the department should clarify whether the
standards referred to in the rules, including accessibility standards, would
apply to internal web sites operated by students, faculty or staff. As indicated
elsewhere in this preamble, the rule would not apply to such web sites unless
and to the extent they constitute "state web sites." The department therefore
disagrees that such clarification must be made by modifying language in the
rules themselves.
One group stated that the definition of "generally accessible Internet
site" as contained in §206.1(5) is vague. The same group challenged the
use of the phrase "graceful transformation" within the definition on the same
basis. The department disagrees with these comments because both the concepts
and the language used in the definition are derived from W3C standards for
accessible web sites; see "Web Content Accessibility Guidelines 1.0" available
at www.w3.org.
One group requested that language referring to "individuals" in §206.1,
definitions, be amended to refer to "members of the public" instead. The department
agrees with this comment and has amended §206.1(13) and 206.1(26) accordingly.
One group objected to the requirement in §206.2(a)(2) that state Web
sites meet the definition of a generally accessible Internet site, claiming
that such a requirement imposes a "non-attainable goal" on state agencies.
The department disagrees with this comment, in part because of the fact that
the rule is intended to apply to far fewer web sites than the commenter believes,
and also because making such sites accessible is appropriate both for public
policy reasons and to achieve compliance with applicable law, including but
not limited to the Americans with Disabilities Act.
One group suggested that the requirement in §206.2(a)(3) that state
agencies avoid the use of vendor-specific non-standard extensions be modified
to prohibit the use of such extensions. The department disagrees with this
comment because of the need for agencies to retain some flexibility in determining
which non-standard extensions may in fact be necessary for use in order to
serve the agency's particular constituencies.
Another group requested the department to amend §206.2(a)(3) to specify
which standards apply, expressly including any additional standards; still
another requested that the word "appropriate" be included when referring to
standards. The department agrees in part with these suggestions, and has therefore
amended the text of this subsection to state that agencies should comply with
"applicable" standards, and requiring agencies to refer to the department's
guidelines for guidance on applicable standards and non-standard extensions,
since these evolve over time. The department disagrees that such standards
be specified in the rule text, however, since these standards may evolve relatively
rapidly.
One group questioned the meaning of the term "non-standard extensions"
as used in §206.2(a)(3). While the department disagrees that a useful
definition can and should be included in the text of the rules, it nevertheless
agrees that state agencies should have additional guidance on this topic if
needed. Accordingly, the department has included language requiring agencies
to refer to the department's guidelines for guidance on what may currently
be regarded as non-standard extensions.
One group questioned whether a state agency is required to appoint an Accessibility
Coordinator as referred to in §206.2(b). The department disagrees with any
implication that such a reference be removed from the rule text, since an
accessibility coordinator, regardless of his or her actual title or designation
or the fact that such a coordinator may perform other functions, is an essential
function that should be performed by a state agency to maintain accessibility
of state web sites.
Two groups claimed that the privacy and security requirements in §206.3(a)(1)
- (4) are burdensome, and that analogous privacy requirements are already
contained in the Federal Educational Right to Privacy Act. The groups asserted
that they should therefore be exempted from the rules. The department disagrees
that an exemption is either appropriate or possible, as indicated in the department's
response to the first general comment above.
One group requested that the department clarify whether the language in §206.3(b)
requires state agencies to obtain PICS ratings for their state web sites.
The department responds that no such ratings are required, but disagrees with
any implication that this must be made explicit in the rule text.
One group commented that the requirement in §206.3(c)(4) for use of
SSL sessions to encrypt e-mail addresses should be removed. The department
disagrees with this comment because of the statutory obligation of state agencies
to maintain the confidentiality of e-mail addresses contained in §552.136,
Government Code. The same group inquired as to whether an SSL session is required
where e-mail addresses are permitted, but not required, to be entered. The
department agrees in part that the language in this portion of the rules should
be clarified, and has modified the text of the rule to provide that e-mail
addresses must be encrypted through use of an SSL session when such information
is provided by a member of the public in the course of completing a web based
electronic form. Two groups requested clarification as to whether this requirement
is intended to apply to employees' internal e-mail addresses. The department
responds, for reasons discussed above pertaining to the intended scope of
the rules, that the provision in question is not intended to apply to employees'
internal e-mail addresses. The department disagrees that any change to the
rule text is required, however.
One group commented that the requirements in §206.4 pertaining to
links from state agencies to other web sites do not go far enough. The group
suggested that state agencies should be required to link only to web pages
that are accessible. The department disagrees that such a change to the rule
text should be made, since such a change would either effectively cause the
department to regulate the content of outside web sites, which exceeds the
department's statutory authority, or could severely curtail the number of
sites to which state web sites may link, thus effectively resulting in web
sites that are less useful to site visitors. Nevertheless, the department
believes that the intent behind the comment is commendable, and therefore
urges state agencies to encourage owners of sites that are linked to by state
web sites to comply voluntarily with the accessibility standards contained
in this rule.
Another group commented that the linking policy contained in §206.4(1)(F)
would be unworkable for universities' web sites. The department disagrees
with this comment because the rule applies only to state web sites as defined
in §206.1, and thus is more limited in scope than the group apparently
assumes.
One group objected to the linking policy pertaining to graphics or tables
contained in §206.4(1)(B). The department disagrees that this prohibition
should be removed because to do so could result in shifting the downloading
burden to state agency servers, resulting in a loss of efficiency in the use
of state resources and a concomitant restriction in the availability of such
resources to the general public. The same group commented that the language
in §206.4(1)(B) requiring full forward links is too restrictive, and
suggested that new windows should be permitted to be opened, as long as a
notification to users is provided. The department disagrees with this comment,
since the rule is intended to apply only to outside web sites and not state
web sites per se.
One group inquired as to whether the provisions of §206.4(3)(B) pertaining
to e-mail addresses indicated that e-mail addresses are not open records.
The department responds that such e-mail addresses are excluded from the scope
of public information pursuant to §552.136, Government Code. The same
group asked whether or not student e-mail addresses would be regarded as open
records. The department believes that student e-mail addresses would be treated
as open records to the extent such addresses are based upon domains that are
state property; nevertheless, the department must defer such questions to
the Office of the Attorney General, which has the authority to issue rulings
regarding open records requests.
Two groups commented that §206.5(b) fails to differentiate between
the missions of universities and those of regulatory and administrative agencies.
The department disagrees with the comments for the reasons stated earlier
in this preamble relating to the limited scope of the rules. The two groups
also commented that the required links contained in that subsection were inappropriate
because they consumed valuable home page real estate. The department disagrees
with these comments because the majority of the links are statutorily required,
and those that are not required (privacy and security policies and accessibility
policies) are desirable both from a public policy perspective and because
web site users have increasingly come to expect such information to be easily
accessible from an organization's home page.
The new rules are adopted pursuant to §2054.121, Government
Code, which requires the department to adopt a policy concerning state web
sites and requires state agencies to post a link to the policy adopted by
the department, and §2054.052(a), Government Code, which provides that
the department may adopt rules as necessary to implement its responsibilities
under the Information Resources Management Act.
Section 2054.121, Government Code, and §2054.052(a), Government Code,
are affected by the rules.
§206.1.Definitions.
The following words and terms, when used with this chapter, shall have
the following meanings, unless the context clearly indicates otherwise.
(1)
Accessible--A Web page that can be used in a variety of
ways and that does not depend on a single sense or ability.
(2)
Accessibility Policy--An agency's policies to ensure that
access to its information, services, and programs are accessible, usable,
understandable and navigable.
(3)
Agency contact information--a list of key personnel and/or
position or program contacts, including public contact telephone numbers,
general e-mail address, and other information deemed necessary by the agency
for facilitating public access.
(4)
Compact With Texans--Agency customer service standards
and performance measures as required by §2113.006 Government Code.
(5)
Generally accessible Internet site--A state Web site that
provides for graceful transformation, and making content understandable and
navigable. Additional information and resources are included in the accessibility-usability
guidelines available at http://www.dir.state.tx.us/standards/srrpub11-accessibility.htm.
(6)
Home page--The initial page or entry point to a state Web
site.
(7)
HTML--HyperText Markup Language.
(8)
Internet--the network of interconnected networks employing
standards published by the Internet Engineering Task Force (IETF).
(9)
Key public entry point--A Web page that a state agency
has specifically designed for members of the general public to access official
information (e.g., the governing or authoritative documents) from the agency.
(10)
Link Policy--State Web Site Link and Privacy Policy that
identifies the terms under which a person may use, copy information from,
or link to a generally accessible Internet site for a state agency. The state
policy is in §206.4 and will be available at http://www.dir.state.tx.us/standards/link_policy.htm
for state agencies to link to.
(11)
Logging software and cookies--Particular methods employed
for the purpose of tracking visitors to Web sites. The information collected
for analysis can include where the request came from, time, pages visited,
and identifiable information about the visitor.
(12)
Open Records/Public Information Act notice--An agency's
policies and practices for providing public access to governmental information
and decisions.
(13)
Privacy and Security Policy--a statement about what information
is collected by an agency Web site, how the information will be used and protected,
under what conditions the information may be shared or released to another
party, and the procedure under which a member of the public is entitled to
receive and/or correct information that an agency maintains about the individual.
(14)
State Web site--a state agency-owned, -operated by/or
for, or -funded Web site connected to the Internet, including a state agency's
home page and any key public entry points.
(15)
SSN--Social Security Number.
(16)
SSL--Secure Sockets Layer; the Internet security standard
for point-to-point, encrypted connections between Web servers and client browsers.
(17)
Statewide Search--a link to the TRAIL Web site.
(18)
TCP/IP--Transmission Control Protocol/Internet Protocol;
a suite of protocols developed by the IETF and published as Request for Comments
(RFCs).
(19)
Texas home page--http://www.state.tx.us or its successor
as identified in the guidelines available at http://www.dir.state.tx.us/standards/srrpub11.htm.
(20)
TRAIL--Texas Records and Information Locator or its successor.
Additional information is available at http://www.tsl.state.tx.us.
(21)
Transaction payment information--bank account and routing
number, credit, debit, charge, or other forms of card-based, access device
number, and/or Internet based, payment systems. Access device means a card,
plate, code, account number, personal identification number, electronic serial
number, mobile identification number, or other telecommunications service,
equipment, or instrument identifier or means of account access that alone
or in conjunction with another access device may be used to:
(A)
obtain money, goods, services, or another thing of value;
or
(B)
initiate a transfer of funds other than a transfer originated
solely by paper instrument.
(22)
Transaction Risk Assessment--An evaluation of the security
and privacy required for an interactive Web session providing public access
to government information and services. Additional information and guidelines
are available at http://www.dir.state.tx.us/standards/srrpub11.htm.
(23)
Usability--Web design criteria that focus on user performance,
ease of navigation, understandability, and visual appeal.
(24)
W3C--World Wide Web Consortium. Additional information
and copies of the current standards and recommendations are available at http://www.w3.org.
(25)
Web bug--code used to track and/or report information
about a visitor to a Web page, or used in an e-mail message. Also known as
a Web Beacon or Clear GIF.
(26)
Web page--A document that a state agency has specifically
designed for members of the public to access the official information (e.g.,
the governing or authoritative documents) from the agency via the Internet.
§206.2.Accessibility and Usability of State Web Sites.
(a)
All state agencies shall develop and publish an accessibility
policy for their Web site and/or Web pages that addresses the following:
(1)
At least one copy of an agency Web page, whether static
or dynamic, must be in an accessible format.
(2)
State Web sites shall meet the definition of a generally
accessible Internet site, and ensure that Web pages transform gracefully and
remain accessible despite any physical, sensory, or environmental constraints
or technological barriers.
(3)
State Web sites shall avoid vendor specific "non-standard"
extensions and comply with applicable Internet and W3C standards. For guidance
regarding "non-standard" extensions and applicable standards, state agencies
shall refer to the department's guidelines available at http://www.dir.state.tx.us/standards/srrpub11.htm.
The policy should cover testing and validation of Web pages.
(4)
State Web sites are designed with consideration for the
types of Internet connections available to the citizens of Texas, and undergo
accessibility and usability testing.
(b)
The home page of a state Web site, and key public entry
points, shall include an "Accessibility" link to a Web page that contains
the agency's accessibility policy, site validation (e.g., W3C), contact information
for the agency's accessibility coordinator, and a link to the Governor's Committee
on People with Disabilities Web site.
§206.3.Privacy and Security of State Web Sites.
(a)
A state agency shall publish a privacy and security policy
for its Web site, and post a link to the policy from its home page. The privacy
and security policy shall address the following:
(1)
Notice: Disclose the agency's information practices before
collecting personal information from the public. The use of logging software,
cookies, and/or Web bugs. Information collected by other technologies and
processes. Information collected via e-mail and Web-based forms.
(2)
Choice: Options with respect to how personal information
collected from them may be used for purposes beyond those for which the information
was provided and whether they wish to have that information shared.
(3)
Access: The procedure under which an individual may obtain
and/or have the agency correct information about the individual.
(4)
Security: The procedures to ensure that information collected
from individuals is accurate and secure from unauthorized use.
(b)
Web pages designed for children must comply with all applicable
federal and state laws intended to protect minors.
(c)
Prior to providing access to information or services on
a state Web site that require user identification, each state agency shall
conduct a transaction risk assessment, and implement appropriate privacy and
security safeguards. At a minimum, state Web sites that require an individual
to enter the following information in a Web based electronic form shall use
an SSL session or equivalent technology to encrypt the data:
(1)
Both the individual's name and other personal information,
such as an SSN;
(2)
Transaction payment information;
(3)
An individual's access identification code and password;
(4)
An individual's e-mail address.
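The §206.3(c) minimum can be turned into a routine page check: find every Web form, classify its fields against the four listed data categories, and confirm the form submits over an SSL/TLS (https) session. The following Python is an added example written for this page, not code from the department or the rule; the field-name heuristics, the sample agency URLs and the sample HTML are constructed for illustration, and only the https scheme is checked, so any "equivalent technology" the rule permits would need a separate test.

```python
"""Check Web forms against the section 206.3(c) minimum: a form that collects
any of the listed data categories must be submitted over an SSL/TLS session.
Added example, not part of the adopted rule. Field-name heuristics and the
sample HTML below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed mapping of common input names to the 206.3(c) categories.
CATEGORIES = {
    "name_plus_personal": {"ssn", "social_security", "dob", "date_of_birth"},
    "payment": {"card_number", "credit_card", "routing_number", "account_number"},
    "credentials": {"password", "passwd", "user_id", "username"},
    "email": {"email", "e-mail", "email_address"},
}
NAME_FIELDS = {"name", "full_name", "last_name"}


class FormCollector(HTMLParser):
    """Collect each <form> with its action and the (name, type) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append(
                ((a.get("name") or "").lower(), (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def sensitive_categories(fields):
    """Return the 206.3(c) categories the form's fields fall under."""
    names = {n for n, _ in fields}
    types = {t for _, t in fields}
    hit = {cat for cat, keys in CATEGORIES.items() if names & keys}
    if "password" in types:
        hit.add("credentials")
    if "email" in types:
        hit.add("email")
    # Category (1) requires BOTH the individual's name and other personal data.
    if "name_plus_personal" in hit and not (names & NAME_FIELDS):
        hit.discard("name_plus_personal")
    return hit


def check_forms(page_url, html):
    """One finding per form: resolved action URL, categories, and compliance."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        cats = sensitive_categories(form["fields"])
        target = urljoin(page_url, form["action"])
        over_tls = urlparse(target).scheme == "https"
        findings.append({"action": target, "categories": sorted(cats),
                         "compliant": over_tls or not cats})
    return findings


# Constructed sample page: a login form posted in the clear, a contact form
# posted over https, and a search form that collects nothing sensitive.
PAGE_URL = "http://agency.example/apply"
SAMPLE_HTML = """
<form action="/login" method="post">
  <input name="username" type="text"><input name="password" type="password">
</form>
<form action="https://secure.agency.example/contact" method="post">
  <input name="full_name" type="text"><input name="email" type="email">
</form>
<form action="/search"><input name="q" type="text"></form>
"""

if __name__ == "__main__":
    for finding in check_forms(PAGE_URL, SAMPLE_HTML):
        print(finding)
```

Run against the sample, the login form is flagged (credentials over http), the contact form passes (e-mail address over https), and the search form passes because it collects none of the listed categories. In practice the same check can be fed fetched pages and extended with the agency's own field-naming conventions.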
(d)
Any Web based form that requests information from the public
shall have a link to the associated privacy and security policy.
This agency hereby certifies that the adoption has been reviewed
by legal counsel and found to be a valid exercise of the agency's legal authority.
Filed with the Office of
the Secretary of State on May 28, 2002.
TRD-200203264
Renee Mauzy
General Counsel
Department of Information Resources
Effective date: June 17, 2002
Proposal publication date: March 15, 2002
For further information, please call: (512) 475-2153
1 TAC §208.1, §208.2
The Department of Information Resources (department) adopts
1 T.A.C. §§208.1 and 208.2, concerning definitions applicable to
communications wiring standards for state facilities and communications wiring
standards for state facilities. The rules are adopted without changes from
the proposed text as published in the March 8, 2002, Texas Register, (27 TexReg 1600).
The adopted rules transfer the wiring standards previously located in §201.13(c)
to new chapter 208, establish a definitions section in §208.1 and update
to current versions the wiring standards applicable to wiring of state facilities
in §208.2.
No comments were received in response to publication of the proposed rules.
The rules are adopted pursuant to §2054.052(a), Government
Code, which authorizes the department to adopt rules necessary to implement
its responsibilities under the Information Resources Management Act.
The department is not aware of any statutes affected by the adoption of
the rules.
This agency hereby certifies that the adoption has been reviewed
by legal counsel and found to be a valid exercise of the agency's legal authority.
Filed with the Office of
the Secretary of State on May 29, 2002.
TRD-200203321
Renee Mauzy
General Counsel
Department of Information Resources
Effective date: June 18, 2002
Proposal publication date: March 8, 2002
For further information, please call: (512) 475-2153
1 TAC §209.1, §209.2
The Department of Information Resources (department) adopts
1 T.A.C. §209.1 and §209.2, concerning definitions applicable to
minimum standards for meetings held by videoconference and minimum standards
for meetings held by videoconference. The rules are adopted without changes
from the proposed text as published in the March 8, 2002, Texas Register, (27 TexReg 1601 and 1602).
The adopted rules transfer the minimum standards for meetings held by videoconference,
and the definitions therefore, from 1 T.A.C. §201.16 to chapter 209.
The rules also provide definitions applicable to holding certain meetings
by videoconference and set forth the minimum standards applicable to such
meetings.
No comments were received in response to publication of the proposed rules.
The rules are adopted pursuant to §2054.052(a), Government
Code, which authorizes the department to adopt rules necessary to implement
its responsibilities under the Information Resources Management Act and §551.127(i),
Government Code, which requires the department to specify, by rule, the minimum
standards for audio and video signals at open meetings held by videoconference.
Section 551.127(i), Government Code, is affected by the adoption of the
rules.
This agency hereby certifies that the adoption has been reviewed
by legal counsel and found to be a valid exercise of the agency's legal authority.
Filed with the Office of
the Secretary of State on May 29, 2002.
TRD-200203320
Renee Mauzy
General Counsel
Department of Information Resources
Effective date: June 18, 2002
Proposal publication date: March 8, 2002
For further information, please call: (512) 475-2153
1 TAC §210.1, §210.2
The Department of Information Resources (department) adopts
1 T.A.C. §210.1 and §210.2, concerning TexasOnline definitions and
profiling fees to be collected by state agency licensing entities participating
in the electronic profiling system established by §2054.2606, Government
Code. The rules are adopted without changes from the proposed text as published
in the March 8, 2002 Texas Register, (27 TexReg 1603).
Under the rules, the license fees charged to covered licensees by state
agencies required or opting to participate in the electronic profiling system
established by §2054.2606, Government Code increase annually by five
dollars per covered license renewal. This amount may be collected by the affected
licensing agency increasing the license renewal fees to the renewing licensees,
by the affected licensing agency covering the increase from other revenues
rather than from the affected licensees, or by a combination of these mechanisms.
No comments were received in response to publication of the proposed rules.
The rules are adopted under §2054.052(a), Government Code,
which authorizes the department to adopt rules necessary to implement its
responsibilities under the Information Resources Management Act, §2054.262(b),
Government Code, which provides the department may adopt rules prepared by
the TexasOnline Authority and §2054.2606(d), Government Code, which requires
the TexasOnline Authority to prepare rules for adoption by the department
to prescribe the amount of the fee to be collected by a state agency that
establishes a profile system for its license holders pursuant to §2054.2606,
Government Code.
Section 2054.262(b) and §2054.2606(d), Government Code, are affected
by adoption of the rules.
This agency hereby certifies that the adoption has been reviewed
by legal counsel and found to be a valid exercise of the agency's legal authority.
Filed with the Office of
the Secretary of State on May 29, 2002.
TRD-200203323
Renee Mauzy
General Counsel
Department of Information Resources
Effective date: June 18, 2002
Proposal publication date: March 8, 2002
For further information, please call: (512) 475-2153
Chapter 355.
MEDICAID REIMBURSEMENT RATES
The Texas Health and Human Services Commission (HHSC) adopts the repeal
of §355.502 and §355.5901, and amendments to §§355.501,
355.503, and 355.5902. The amendment to §355.503 is adopted with changes
to the proposed text published in the March 29, 2002, issue of the
Texas Register (27 TexReg 2426). The amendments to §355.501 and §355.5902
and the repeal of §355.502 and §355.5901 are adopted without changes
to the proposed text.
Justification for the amendment to §355.501 is to modify the payment
rate methodology for the Program for All-Inclusive Care for the Elderly (PACE)
to eliminate obsolete language regarding cost reporting requirements formerly
required by the Centers for Medicare and Medicaid Services during the research
and demonstration timeframe of the program. The proposal establishes January
1 of each year as the effective date of the payment rate for this program.
Also, references to the Texas Department of Human Services (DHS) were changed
to references for the Texas Health and Human Services Commission and references
to DHS were eliminated where appropriate.
Justification for the amendment to §355.503 is to add the Home-Delivered
Meals payment rate ceiling methodology to the Community Based Alternatives
(CBA) program through a reference to the rules regarding the Reimbursement
Methodology for Home-Delivered Meals. Also, references to the Texas Department
of Human Services (DHS) were changed to references for the Texas Health and
Human Services Commission and references to DHS were eliminated where appropriate.
In addition, it is clarified that a weighted median is used in the determination
of payment rates for nursing services provided by a registered nurse (RN),
nursing services provided by a Licensed Vocational Nurse (LVN), therapies,
and in-home respite services. Section 355.502, the reimbursement methodology
for CBA that pertained to the 1996 cost report, is being repealed because it
is obsolete.
Justification for the amendment to §355.5902 is to establish the Community
Based Alternatives (CBA) RN payment rate as the amount that is deducted from
the client's budget under the Primary Home Care (PHC) vendor fiscal intermediary
option to pay for required assessments performed by an RN. This payment rate
amount is paid to PHC contracted providers that perform required RN assessments
for clients whose care is funded by §1929(b) of the Social Security Act.
This amendment also expands references to DHS to include DHS or its designee
and eliminates references to DHS where appropriate. Section 355.5901, the
reimbursement methodology for PHC that pertained to the 1994, 1995, and 1996
cost reports, is being repealed because it is obsolete.
DHS is adopting related policy in its Chapter 47, concerning Primary Home
Care, in this issue of the Texas Register.
HHSC received no comments regarding adoption of the repeals or the amendments;
however, HHSC staff initiated a minor editorial change to the text of §355.503(h)
to clarify and improve the accuracy of the section.
Subchapter E. COMMUNITY CARE FOR AGED AND DISABLED
1 TAC §355.501, §355.503
The amendments are adopted under the Government Code, §531.033,
which authorizes the commissioner of the Health and Human Services Commission
to adopt rules necessary to carry out the commission's duties, and §531.021(b),
which establishes the commission as the agency responsible for adopting reasonable
rules governing the determination of fees, charges, and rates for medical
assistance payments under Chapter 32, Human Resources Code.
The amendments implement the Government Code, §§531.033 and 531.021(b).
§355.503.Reimbursement Methodology for the Community-Based Alternatives Waiver Program.
(a)
General requirements. Cost reports pertaining to providers'
fiscal year ending in calendar year 1997 and subsequent years will be governed
by the information in this section. The Texas Health and Human Services Commission
(HHSC) applies the general principles of cost determination as specified in §355.101
of this title (relating to Introduction).
(b)
General. Texas Medicaid contracted providers will be reimbursed
for waiver services provided to individuals who meet the criteria for alternatives
to nursing facility care. Additionally, Texas Medicaid contracted providers
will be reimbursed for a pre-enrollment assessment of potential waiver participants.
The pre-enrollment assessment covers care planning for the participant and
is reimbursed by a one-time administrative expense fee which is not included
in the waiver services but will be paid from Medicaid administrative funds.
(c)
Other sources of cost information. If HHSC has determined
that there is not sufficient reliable cost report data from which to determine
reimbursements and reimbursement ceilings for waiver services, reimbursements
and reimbursement ceilings will be developed by using data from surveys; cost
report data from other similar programs, consultation with other service providers
and/or professionals experienced in delivering contracted services; and other
sources.
(d)
Waiver reimbursement determination. Recommended reimbursements
are determined in the following manner.
(1)
Unit of service reimbursement. Reimbursement for personal
assistance services, nursing services provided by a registered nurse (RN),
nursing services provided by a licensed vocational nurse (LVN), physical therapy,
occupational therapy, speech pathology, and in-home respite care services
will be determined on a fee-for-service basis in the following manner.
(A)
Total allowable costs for each provider will be determined
by analyzing the allowable historical costs reported on the cost report.
(B)
Total allowable costs are reduced by the amount of the
pre-enrollment expense fee and requisition fee revenues accrued for the reporting
period.
(C)
Each provider's total reported allowable costs, excluding
depreciation and mortgage interest, are projected from the historical cost-reporting
period to the prospective reimbursement period as described in §355.108
of this title (relating to Determination of Inflation Indices). The prospective
reimbursement period is the period of time that the reimbursement is expected
to be in effect.
(D)
Payroll taxes and employee benefits are allocated to each
salary line item on the cost report on a pro rata basis based on the portion
of that salary line item to the amount of total salary expense for the appropriate
group of staff. Employee benefits will be charged to a specific salary line
item if the benefits are reported separately. The allocated payroll taxes
are Federal Insurance Contributions Act (FICA) or Social Security, Medicare
Contributions, Workers' Compensation Insurance (WCI), the Federal Unemployment
Tax Act (FUTA), and the Texas Unemployment Compensation Act (TUCA).
(E)
Allowable administrative and facility costs are allocated
or spread to each waiver service cost component on a pro rata basis based
on the portion of each waiver service's units of service to the amount of
total waiver units of service.
(F)
For nursing services provided by an RN, nursing services
provided by an LVN, physical therapy, occupational therapy, speech pathology,
and in-home respite care services, an allowable cost per unit of service is
calculated for each contracted provider for each service. The allowable costs
per unit of service for each contracted provider are arrayed. The units of
service for each contracted provider in the array are summed until the median
unit of service is reached. The corresponding expense to the median unit of
service is determined and is multiplied by 1.044. The allowable costs per
unit of service may be combined into an array with the allowable cost per
unit of service of similar services provided by other programs in determining
the weighted median cost per unit of service.
(G)
For personal assistance services two cost areas are created:
(i)
The attendant cost area includes salaries, wages, benefits,
and mileage reimbursement calculated as specified in §355.112 of this
title (relating to Attendant Compensation Rate Enhancement).
(ii)
Another attendant cost area is created which includes
the other personal attendant services costs not included in subparagraph (G)(i)
of this paragraph as determined in subparagraphs (A)-(E) of this paragraph.
An allowable cost per unit of service is determined for each contracted provider
for the other attendant cost area. The allowable costs per unit of service
for each contracted provider are arrayed. The units of service for each contracted
provider in the array are summed until the median unit of service is reached.
The corresponding expense to the median unit of service is determined and
is multiplied by 1.044.
(iii)
The attendant cost area and the other attendant cost
area are summed to determine the personal assistance services cost per unit
of service.
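Subparagraphs (F) and (G)(ii) describe the same weighted-median procedure: array the providers by allowable cost per unit of service, sum their units of service along the array until the median unit is reached, take the cost per unit at that point, and multiply by 1.044; (G)(iii) then adds the attendant cost area for personal assistance services. The Python below is an added worked example of that procedure, not HHSC's own calculation; the provider names, costs and units are constructed, and the attendant cost area value in the personal assistance call is assumed to have been calculated separately under §355.112 as (G)(i) requires.

```python
"""Weighted-median cost per unit of service as described in section
355.503(d)(1)(F) and (G)(ii), plus the (G)(iii) sum for personal assistance.
Added example with constructed provider data; not HHSC's code."""

# Constructed sample: (provider id, total allowable cost, units of service).
PROVIDERS = [
    ("P1", 30000.0, 1000),   # $30.00 per unit
    ("P2", 63000.0, 1500),   # $42.00 per unit
    ("P3", 8000.0, 400),     # $20.00 per unit
    ("P4", 44000.0, 1100),   # $40.00 per unit
]

ADJUSTMENT_FACTOR = 1.044  # multiplier stated in (F) and (G)(ii)


def cost_per_unit(rows):
    """Allowable cost per unit of service for each provider with any units."""
    return [(pid, cost / units, units) for pid, cost, units in rows if units > 0]


def weighted_median_cost(rows):
    """Array providers by cost per unit and sum units of service until the
    median unit (half of all units in the array) is reached; return the cost
    per unit of the provider at which that happens."""
    array = sorted(cost_per_unit(rows), key=lambda r: r[1])
    total_units = sum(units for _, _, units in array)
    if total_units == 0:
        raise ValueError("no units of service in array")
    median_unit = total_units / 2.0
    running = 0
    for _, cpu, units in array:
        running += units
        if running >= median_unit:
            return cpu
    return array[-1][1]  # unreachable when total_units > 0; kept for safety


def recommended_reimbursement(rows, factor=ADJUSTMENT_FACTOR):
    """(F) / (G)(ii): weighted median cost per unit multiplied by 1.044.
    Rows from similar services in other programs may simply be appended to
    `rows` to form the combined array that (F) allows."""
    return round(weighted_median_cost(rows) * factor, 2)


def personal_assistance_rate(attendant_cost_per_unit, other_attendant_rows):
    """(G)(iii): attendant cost area (from section 355.112, supplied by the
    caller) plus the other attendant cost area computed under (G)(ii)."""
    return round(attendant_cost_per_unit
                 + recommended_reimbursement(other_attendant_rows), 2)


if __name__ == "__main__":
    print("weighted median cost per unit:", weighted_median_cost(PROVIDERS))
    print("recommended reimbursement:", recommended_reimbursement(PROVIDERS))
    # 9.50 is an assumed, separately calculated attendant cost area value.
    print("personal assistance rate:", personal_assistance_rate(9.50, PROVIDERS))
```

With the sample array (4,000 total units, median unit 2,000), the running sum passes 2,000 at the provider costing $40.00 per unit, so the recommended reimbursement is $40.00 × 1.044 = $41.76. Note that the result is driven by units of service, not by the count of providers: a high-volume provider shifts the median even if most providers report a different cost.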
(2)
Per day reimbursement.
(A)
The reimbursement for Adult Foster Care (AFC), Assisted
Living/Residential Care (AL/RC) and out-of-home respite care provided in AFC
and AL/RC settings, will be determined as a per day reimbursement using a
method based on modeled projected expenses which are developed by using data
from surveys; cost report data from other similar programs, consultation with
other service providers and/or professionals experienced in delivering contracted
services; and other sources. The room and board payments for AFC and AL/RC
Services are not covered in these reimbursements and will be paid to providers
from the client's Supplemental Security Income, less a personal needs allowance.
(B)
The reimbursement for out-of-home respite care provided
in a Nursing Facility will be based on the amount determined for the Texas
Index of Level of Effort (TILE) for the CBA participant.
(3)
Monthly reimbursement ceilings. The reimbursement for Emergency
Response Services will be determined as a monthly reimbursement ceiling, based
on the ceiling amount determined in accordance with 40 TAC §52.504 (relating
to Reimbursement Methodology for Emergency Response Services). The reimbursement
for Home-Delivered Meals will be determined on a per meal basis, based on
the ceiling amount determined in accordance with 40 TAC §48.9806 (relating
to Reimbursement Methodology for Home-Delivered Meals).
(4)
Requisition fees. Requisition fees are reimbursements paid
to the CBA home and community support services contracted providers for their
efforts in acquiring adaptive aids and minor home modifications for CBA participants.
Reimbursement for adaptive aids and minor home modifications will vary based
on the actual cost of the adaptive aid and minor home modification. Reimbursements
are determined using a method based on modeled projected expenses which are
developed by using data from surveys; cost report data from similar programs;
consultation with other service providers and/or professionals experienced
in delivering contracted services; and/or other sources.
(5)
Pre-enrollment expense fee. Reimbursement for pre-enrollment
assessment is determined using a method based on modeled projected expenses
that are developed by using data from surveys; cost report data from other
similar programs; consultation with other service providers and/or professionals
experienced in delivering contracted services; and other sources.
(6)
Exceptions to the reimbursement determination methodology.
HHSC may adjust reimbursement if new legislation, regulations, or economic
factors affect costs, according to §355.109 of this title (relating to
Adjusting Reimbursement When New Legislation, Regulations, or Economic Factors
Affect Costs).
(e)
Authority to determine reimbursement. The authority to
determine reimbursement is specified in §355.101 of this title (relating
to Introduction).
(f)
Reporting of cost.
(1)
Cost reporting guidelines. If HHSC requires a cost report
for any waiver service in this program, providers must follow the cost-reporting
guidelines as specified in §355.105 of this title (relating to General
Reporting and Documentation Requirements, Methods, and Procedures).
(2)
Excused from submission of cost reports. If required by
HHSC, all contracted providers must submit a cost report unless the number
of days between the date the first Texas Department of Human Services (DHS)
client received services and the provider's fiscal year end is 30 days or
fewer. The provider may be excused from submitting a cost report if circumstances
beyond the control of the provider make cost-report completion impossible,
such as the loss of records due to natural disasters or removal of records
from the provider's custody by any regulatory agency. An AL/RC provider may
also be excused from submitting a cost report if the total number of days
serving DHS AL/RC or Residential Care residents is 366 or fewer during its
fiscal year. Requests to be excused from submitting a cost report must be
received by HHSC before the due date of the cost report.
(3)
Reporting and verification of allowable cost.
(A)
Providers are responsible for reporting only allowable
costs on the cost report, except where cost report instructions indicate that
other costs are to be reported in specific lines or sections. Only allowable
cost information is used to determine recommended reimbursements. HHSC excludes
from reimbursement determination any unallowable expenses included in the
cost report and makes the appropriate adjustments to expenses and other information
reported by providers; the purpose is to ensure that the database reflects
costs and other information which are necessary for the provision of services,
and are consistent with federal and state regulations.
(B)
Individual cost reports may not be included in the database
used for reimbursement determination if:
(i)
there is reasonable doubt as to the accuracy or allowability
of a significant part of the information reported; or
(ii)
an auditor determines that reported costs are not verifiable.
(C)
When material pertinent to proposed reimbursements is made
available to the public, the material will include the number of cost reports
eliminated from reimbursement determination for the reason stated in subparagraph
(B)(i) of this paragraph.
(4)
Allowable and unallowable costs. Providers must follow
the guidelines in determining whether a cost is allowable or unallowable as
specified in §355.102 and §355.103 of this title (relating to General
Principles of Allowable and Unallowable Costs, and Specifications for Allowable
and Unallowable Costs), in addition to the following.
(A)
Client room and board expenses are not allowable, except
for those related to respite care.
(B)
The actual cost of adaptive aids and home modifications
are not allowable for cost reporting purposes. Allowable labor costs associated
with acquiring adaptive aids and home modifications should be reported in
the cost report. Any item purchased for participants in this program and reimbursed
through a voucher payment system is unallowable for cost reporting purposes.
Refer to §355.103(17)(K) of this title (relating to Specifications for
Allowable and Unallowable Costs).
(g)
Reporting revenue. Revenues must be reported on the cost
report in accordance with §355.104 of this title (relating to Revenues).
(h)
Reviews and field audits of cost reports. Desk reviews
or field audits are performed on cost reports for all contracted providers.
The frequency and nature of the field audits are determined by HHSC to ensure
the fiscal integrity of the program. Desk reviews and field audits will be
conducted in accordance with §355.106 of this title (relating to Basic
Objectives and Criteria for Audit and Desk Review of Cost Reports), and providers
will be notified of the results of a desk review or a field audit in accordance
with §355.107 of this title (relating to Notification of Exclusions and
Adjustments). Providers may request an informal review and, if necessary,
an administrative hearing to dispute an action taken under §355.110 of
this title (relating to Informal Reviews and Formal Appeals).
This agency hereby certifies that the adoption has been reviewed
by legal counsel and found to be a valid exercise of the agency's legal authority.
Filed with the Office of
the Secretary of State on May 30, 2002.
TRD-200203359
Marina Henderson
Executive Deputy Commissioner
Texas Health and Human Services Commission
Effective date: July 1, 2002
Proposal publication date: March 29, 2002
For further information, please call: (512) 438-3734
1 TAC §355.502
The repeal is adopted under the Government Code, §531.033,
which authorizes the commissioner of the Health and Human Services Commission
to adopt rules necessary to carry out the commission's duties, and §531.021(b),
which establishes the commission as the agency responsible for adopting reasonable
rules governing the determination of fees, charges, and rates for medical
assistance payments under Chapter 32, Human Resources Code.
The repeal implements the Government Code, §§531.033 and 531.021(b).
This agency hereby certifies that the adoption has been reviewed
by legal counsel and found to be a valid exercise of the agency's legal authority.
Filed with the Office of the Secretary of State on May 30, 2002.
TRD-200203360
Marina Henderson
Executive Deputy Commissioner
Texas Health and Human Services Commission
Effective date: July 1, 2002
Proposal publication date: March 29, 2002
For further information, please call: (512) 438-3734
Chapter 202.
INFORMATION SECURITY STANDARDS
Chapter 206.
STATE WEB SITES
Chapter 208.
COMMUNICATIONS WIRING STANDARDS
Chapter 209.
MINIMUM STANDARDS FOR MEETINGS HELD BY VIDEOCONFERENCE
Chapter 210.
TEXASONLINE
Part 15.
TEXAS HEALTH AND HUMAN SERVICES COMMISSION
Subchapter G. TELEMEDICINE SERVICES