Texas Register

TITLE 1 ADMINISTRATION
PART 10 DEPARTMENT OF INFORMATION RESOURCES
CHAPTER 202 INFORMATION SECURITY STANDARDS
RULE §202.4 Managing Security Risks
ISSUE 03/22/2002
ACTION Proposed

(a) A security risk analysis of information resources shall be performed and documented. The security risk analysis shall be updated based on the inherent risk. The inherent risk and frequency of the security risk analysis will be ranked, at a minimum, as either "High," "Medium," or "Low," based primarily on the following criteria:

  (1) High Risk-annual assessment - Systems that;

    (A) Involve large dollar amounts or significantly important transactions, such that business or government processes would be hindered or an impact on public health or safety would occur if the transactions were not processed timely and accurately, or

    (B) Contain confidential or sensitive data such that unauthorized disclosure would cause real damage to the parties involved, or

    (C) Impact a large number of people or interconnected systems.

  (2) Medium Risk-biennial assessment - Systems that;

    (A) Transact or control a moderate or low dollar value, or

    (B) Data items that could potentially embarrass or create problems for the parties involved if released, or

    (C) Impact a moderate proportion of the customer base.

  (3) Low Risk-biennial assessment - Systems that;

    (A) Publish generally available public information, or

    (B) Result in a relatively small impact on the population.

(b) A system change could cause the overall classification to move to the High Risk category.

(c) Security risk assessment results, vulnerability reports, and similar information shall be documented and presented to the agency head or his or her designated representative. The agency head shall make the final security risk management decisions to either accept exposures or protect the data according to its value/sensitivity. The agency head must approve the security risk management plan. This information may be exempt from disclosure under §2054.77(c), Government Code.

This agency hereby certifies that the proposal has been reviewed by legal counsel and found to be within the agency's legal authority to adopt.

Filed with the Office of the Secretary of State on March 6, 2002

TRD-200201365

Renee Mauzy

General Counsel

Department of Information Resources

Earliest possible date of adoption: April 21, 2002

For further information, please call: (512) 475-4750


