(a) A security risk analysis of information resources shall be performed and documented. The security risk analysis shall be updated based on the inherent risk. The inherent risk and frequency of the security risk analysis will be ranked, at a minimum, as either "High," "Medium," or "Low," based primarily on the following criteria:

  (1) High Risk (annual assessment) - Systems that:
    (A) Involve large dollar amounts or significantly important transactions, such that business or government processes would be hindered or an impact on public health or safety would occur if the transactions were not processed timely and accurately; or
    (B) Contain confidential or sensitive data such that unauthorized disclosure would cause real damage to the parties involved; or
    (C) Impact a large number of people or interconnected systems.

  (2) Medium Risk (biennial assessment) - Systems that:
    (A) Transact or control a moderate or low dollar value; or
    (B) Contain data items that could potentially embarrass or create problems for the parties involved if released; or
    (C) Impact a moderate proportion of the customer base.

  (3) Low Risk (biennial assessment) - Systems that:
    (A) Publish generally available public information; or
    (B) Result in a relatively small impact on the population.

(b) A system change could cause the overall classification to move to the High Risk category.

(c) Security risk assessment results, vulnerability reports, and similar information shall be documented and presented to the agency head or his or her designated representative. The agency head shall make the final security risk management decisions to either accept exposures or protect the data according to its value/sensitivity. The agency head must approve the security risk management plan. This information may be exempt from disclosure under §2054.77(c), Government Code.
This agency hereby certifies that the proposal has been reviewed by legal counsel and found to be within the agency's legal authority to adopt.

Filed with the Office of the Secretary of State on March 6, 2002

TRD-200201365
Renee Mauzy
General Counsel
Department of Information Resources
Earliest possible date of adoption: April 21, 2002
For further information, please call: (512) 475-4750