(a) Each state agency shall have a designated Information
Security Officer in accordance with Texas Government Code § 2054.136.
The Information Security Officer shall report to executive level management,
shall have explicit authority for information security for the entire state
agency, and shall comply with all other requirements of Texas Government
Code § 2054.136.
(b) The Information Security Officer shall be responsible
for:
(1) developing and maintaining an agency-wide information
security plan as required by Texas Government Code § 2054.133;
(2) developing and maintaining information security
policies and procedures that address the requirements of this chapter
and the agency's information security risks;
(3) working with the business and technical resources
to ensure that controls are utilized to address all applicable requirements
of this chapter and the agency's information security risks;
(4) providing for training and direction of personnel
with significant responsibilities for information security with respect
to such responsibilities;
(5) providing guidance and assistance to senior agency
officials, information owners, information custodians, and end users
concerning their responsibilities under this chapter;
(6) ensuring that:
(A) risk assessments are performed by the information
owners and supported by the information custodians at least biennially
for systems containing confidential data and periodically for systems
containing agency sensitive or public data; and
(B) security assessments are conducted biennially for
systems containing confidential data and periodically for systems
containing agency sensitive or public data;
(7) reviewing the agency's inventory of information
systems and related ownership and responsibilities;
(8) recommending and collaborating to establish policies,
procedures, and practices, in cooperation with the agency Information
Resources Manager, information owners, and information custodians, necessary to
ensure the security of information and information resources against
unauthorized or accidental modification, destruction, access, exposure,
or disclosure;
(9) coordinating the review of security requirements
and specifications, and verifying that security requirements are identified
and risk mitigation plans are developed and contractually agreed and
obligated prior to the acquisition of new information systems and/or
related services and applications;
(10) verifying that security requirements are identified
and risk mitigation plans are developed and implemented prior to the
deployment of internally-developed information systems and/or related
applications or services;
(11) reporting, at least annually, directly to the
agency head the status and effectiveness of the security program and
its controls;
(12) informing any relevant parties in the event of
noncompliance with this chapter and/or with the state agency's information
security policies; and
(13) all other duties required by Texas Government
Code § 2054.136.
(c) The Information Security Officer, with the approval
of the agency head, may issue exceptions to information security requirements
or controls in this chapter. Any such exceptions shall be justified,
documented, and communicated.
Source Note: The provisions of this §202.21 adopted to be effective March 17, 2015, 40 TexReg 1357; amended to be effective March 16, 2016, 41 TexReg 1831; amended to be effective November 17, 2021, 46 TexReg 7775