Texas Administrative Code

TITLE 1 ADMINISTRATION
PART 10 DEPARTMENT OF INFORMATION RESOURCES
CHAPTER 202 INFORMATION SECURITY STANDARDS
SUBCHAPTER B INFORMATION SECURITY STANDARDS FOR STATE AGENCIES
RULE §202.25 Managing Security Risks

A risk assessment of the agencies' information and information systems shall be performed and documented.

  (1) The inherent impact will be ranked, at a minimum, as either "High," "Moderate," or "Low".

  (2) The frequency of the future risk assessments will be documented.

  (3) Risk assessment results, vulnerability reports, and similar information shall be documented and presented to the Information Security Officer or his or her designated representative(s).

  (4) Approval of the security risk acceptance, transference, or mitigation decision shall be the responsibility of:

    (A) the information security officer or his or her designee(s), in coordination with the information owner, for systems identified with a Low or Moderate residual risk.

    (B) The state agency head for all systems identified with a residual High Risk.


Source Note: The provisions of this §202.25 adopted to be effective March 17, 2015, 40 TexReg 1357
