Current through Register Vol. 49, No. 48, November 29, 2024
Section 202.21 - Responsibilities of the Information Security Officer

(a) Each state agency shall have a designated Information Security Officer in accordance with Texas Government Code § 2054.136. The Information Security Officer shall report to executive level management, has explicit authority for information security for the entire state agency, and complies with all other requirements of Texas Government Code § 2054.136.

(b) The Information Security Officer shall be responsible for:
  (1) developing and maintaining an agency-wide information security plan as required by Texas Government Code § 2054.133;
  (2) developing and maintaining information security policies and procedures that address the requirements of this chapter and the agency's information security risks;
  (3) working with the business and technical resources to ensure that controls are utilized to address all applicable requirements of this chapter and the agency's information security risks;
  (4) providing for training and direction of personnel with significant responsibilities for information security with respect to such responsibilities;
  (5) providing guidance and assistance to senior agency officials, information-owners, information custodians, and end users concerning their responsibilities under this chapter;
  (6) ensuring that:
    (A) risk assessments are performed by the information owners and supported by the information-custodians at least biennially for systems containing confidential data and periodically for systems containing agency sensitive or public data; and
    (B) security assessments are conducted biennially for systems containing confidential data and periodically for systems containing agency sensitive or public data;
  (7) reviewing the agency's inventory of information systems and related ownership and responsibilities;
  (8) recommending and collaborating to establish policies, procedures, and practices, in cooperation with the agency Information Resources Manager, information-owners, and custodians, necessary to ensure the security of information and information resources against unauthorized or accidental modification, destruction, access, exposure, or disclosure;
  (9) coordinating the review of security requirements and specifications, and verifying that security requirements are identified and risk mitigation plans are developed and contractually agreed and obligated prior to the acquisition of new information systems and/or related services and applications;
  (10) verifying that security requirements are identified and risk mitigation plans are developed and implemented prior to the deployment of internally-developed information systems and/or related applications or services;
  (11) reporting, at least annually, directly to the agency head the status and effectiveness of the security program and its controls;
  (12) informing any relevant parties in the event of noncompliance with this chapter and/or with the state agency's information security policies; and
  (13) all other duties required by Texas Government Code § 2054.136.

(c) The Information Security Officer, with the approval of the agency head, may issue exceptions to information security requirements or controls in this chapter. Any such exceptions shall be justified, documented, and communicated.

1 Tex. Admin. Code § 202.21
The provisions of this §202.21 adopted to be effective November 28, 2004, 29 TexReg 10703; Amended to be effective September 17, 2009, 34 TexReg 6315; Amended by Texas Register, Volume 40, Number 11, March 13, 2015, TexReg 1362, eff. 3/17/2015; Amended by Texas Register, Volume 41, Number 11, March 11, 2016, TexReg 1832, eff. 3/16/2016; Amended by Texas Register, Volume 46, Number 46, November 12, 2021, TexReg 7777, eff. 11/17/2021