1 Tex. Admin. Code § 202.74

Current through Register Vol. 49, No. 48, November 29, 2024
Section 202.74 - Institution Information Security Program
(a) Each institution of higher education shall develop, document, and implement an institution of higher education-wide information security program, approved by the agency head or delegate under 1 Texas Administrative Code § 202.70, that includes protections based on risk for all information and information resources owned, leased, or under the custodianship of any department, operating unit, or employee of the institution of higher education including outsourced resources to another institution of higher education, contractor, or other source (e.g., cloud computing). The program shall include:
(1) periodic assessments in alignment with minimum legal reporting requirements of the risk and impact that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information, information systems, and applications that support the operations and assets of the institution of higher education;
(2) policies, controls, standards, and procedures that:
(A) are based on the risk assessments required by 1 Texas Administrative Code § 202.75;
(B) cost-effectively reduce information security risks to a level acceptable to the institution head;
(C) ensure that information security is addressed throughout the lifecycle of institution of higher education information resources; and
(D) ensure compliance with:
(i) the requirements of 1 Texas Administrative Code Chapter 202 Subchapter C;
(ii) minimally acceptable system configuration requirements, as determined by the institution of higher education; and
(iii) the control catalog published by the department.
(3) strategies to address risk to high impact information resources;
(4) plans for providing information security for networks, facilities, and systems or groups of information systems and applications based on risk;
(5) a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the institution of higher education; and
(6) a process to justify, grant and document any exceptions to specific program requirements in accordance with requirements and processes defined in this chapter.
(b) State institutions of higher education are responsible for:
(1) defining all information classification categories except the Confidential Information category, which is defined in Subchapter A of this chapter, and establishing the controls for each;
(2) administering an ongoing information security awareness education program in compliance with the requirements of Texas Government Code § 2054.5191 -.5192 for all users; and
(3) introducing information security awareness and inform new employees of information security policies and procedures during the onboarding process.


The provisions of this §202.74 adopted to be effective November 28, 2004, 29 TexReg 10703; Amended to be effective September 17, 2009, 34 TexReg 6315; Amended by Texas Register, Volume 40, Number 11, March 13, 2015, TexReg 1365, eff. 3/17/2015; Amended by Texas Register, Volume 46, Number 46, November 12, 2021, TexReg 7778, eff. 11/17/2021