Can I skip having an information security program in place in Texas? What are the requirements?
An information security program is mandatory for state agencies and institutions of higher education in Texas. According to the Texas Administrative Code, each institution of higher education shall develop, document, and implement an institution of higher education-wide information security program that includes protections based on risk for all information and information resources owned, leased, or under the custodianship of any department, operating unit, or employee of the institution of higher education including outsourced resources to another institution of higher education, contractor, or other source (e.g., cloud computing) [1.2].
The program shall include:
- Periodic assessments in alignment with minimum legal reporting requirements of the risk and impact that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information, information systems, and applications that support the operations and assets of the institution of higher education.
- Policies, controls, standards, and procedures that cost-effectively reduce information security risks to a level acceptable to the institution head.
- Strategies to address risk to high impact information resources.
- Plans for providing information security for networks, facilities, and systems or groups of information systems and applications based on risk.
- A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the institution of higher education.
- A process to justify, grant, and document any exceptions to specific program requirements in accordance with requirements and processes defined in this chapter [1.2].
State agencies are required to develop, document, and implement an agency-wide information security program that includes protections based on risk for all information and information resources owned, leased, or under the custodianship of any department, operating unit, or employee of the state agency including outsourced resources to another state agency, contractor, or other source (e.g., cloud computing) [1.1].
The program shall include:
- Periodic assessments in alignment with minimum legal reporting requirements of the risk and impact that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information, information systems, and applications that support the operations and assets of the agency.
- Policies, controls, standards, and procedures that cost-effectively reduce information security risks to a level acceptable to the agency head.
- Strategies to address risk to high impact information resources.
- Plans for providing information security for networks, facilities, and systems or groups of information systems and applications based on risk.
- A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency.
- A process to justify, grant, and document any exceptions to specific program requirements in accordance with requirements and processes defined in this chapter [1.1].
Institutions of higher education contracting for cloud computing services that store, process, or transmit data of the institution of higher education shall confirm that vendors contracting with the institution of higher education to provide cloud computing services for the institution of higher education are certified through the Texas Risk and Authorization Management Program for Institutions of Higher Education (TX-RAMP) prior to entering or renewing a cloud computing services contract on or after January 1, 2022. They shall also require a vendor contracting with the institution of higher education to provide cloud computing services for the institution of higher education that are subject to the state risk and authorization management program to maintain program compliance and certification throughout the term of the contract [1.3].
Each state agency and institution of higher education shall have a designated Information Security Officer who reports to executive-level management, has explicit authority for information security for the entire state agency or institution of higher education, and complies with all other requirements of Texas Government Code § 2054.136. The Information Security Officer is responsible for developing and maintaining an agency-wide or institution-wide information security plan, developing and maintaining information security policies and procedures that address the requirements of this chapter and the agency's or institution's information security risks, coordinating the review of security requirements and specifications, and verifying that security requirements are identified and that risk mitigation plans are developed and implemented. Security reporting is also required, including reporting urgent security incidents to the department within 48 hours of discovery and submitting summary reports of security-related events on a monthly basis [1.1][1.2][1.6].
In summary, an information security program is mandatory for state agencies and institutions of higher education in Texas. The program must include periodic assessments, policies, controls, standards, and procedures, strategies to address risk to high impact information resources, plans for providing information security, a process for planning, implementing, evaluating, and documenting remedial action, and a process to justify, grant, and document any exceptions to specific program requirements. The Information Security Officer is responsible for developing and maintaining an agency-wide or institution-wide information security plan, developing and maintaining information security policies and procedures, coordinating the review of security requirements and specifications, and verifying that security requirements are identified and risk mitigation plans are developed and implemented. Security reporting is also required, including reporting urgent security incidents to the department within 48 hours of discovery and submitting summary reports of security-related events on a monthly basis. Therefore, you cannot skip having an information security program in place in Texas [1.1][1.2][1.3][1.6].
Source(s):
- [1.1] Agency Information Security Program
- [1.2] Institution Information Security Program
- [1.3] Texas Risk and Authorization Management Program for Institutions of Higher Education
- [1.6] Responsibilities of Information Security Officer
Jurisdiction
Texas