(3) The ISPA shall be effective with respect to all
current and future contracts that Contractor has or will have with
the Department for as long as the Contractor has access to Protected
Information. Contractors receiving awards or contracts after the effective
date of this rule must have an executed ISP Agreement on file with
the Department's Program Services Division or enter into an ISP Agreement
before work can begin on the new award or contract.
(4) Contractor and Department may agree to eliminate
or reduce access to, or the generation of, any class of Protected
Information related to Contractor's obligations to the Department,
provided it does not impair Contractor's ability to fulfill its obligations
to the Department.
(5) Contractor shall accept responsibility for all
Representatives and ensure the safeguarding of Protected Information
in accordance with applicable federal and state laws, and the terms
and conditions set forth in the ISPA.
(6) The Department may, in its sole discretion, require
Contractor to amend an ISPA in order to conform to state and/or federal
law.
(d) ISPA Security Measures. The ISPA shall include,
among other requirements:
(1) Security measures for devices that connect to the
Department network, and
(2) Security measures for maintenance of Department
information external to the Department network, including, but not
limited to:
(A) Maintaining an inventory of all information technology
(IT) assets;
(B) Implementing and maintaining a risk management
program;
(C) Ensuring information is recoverable in accordance
with risk management decisions;
(D) Adhering to monitoring techniques for detecting,
reporting, and investigating security incidents;
(E) Providing IT security training to employees;
(F) Conducting criminal background checks on employees
with access to department information;
(G) Separating development and production environments;
(H) Following a software change control process;
(I) Maintaining and following an IT security policy
that has been approved by the department; and
(J) Implementing other requirements reasonably necessary
to ensure the security and privacy of Protected Information in the
Contractor's possession or control.
(e) Breach. In the event of an actual or suspected
breach involving Department Private Information stored by the Contractor,
Contractor shall promptly notify the Department no later than twenty-four
hours after discovery of the incident. The Contractor will coordinate
and cooperate fully with the Department in making all breach notifications
and taking all actions required by law to effect the required notifications.
(f) Texas Public Information Act. If Contractor receives
a request pursuant to the Texas Public Information Act for Information
maintained by Contractor on account of a contract with TDHCA, Contractor
shall notify the Department within three calendar days of the receipt
of the request by forwarding the request to open.records@tdhca.state.tx.us.
(g) Department Review. Contractor and Representatives
shall permit Department to conduct periodic IT general controls audits,
Internet security scans, and internal network vulnerability assessments,
and contract monitoring audits at reasonable times, and upon reasonable
notice. Such reviews may be conducted by the Department, the Texas
State Auditor's Office, the Texas Department of Information Resources,
an applicable federal oversight agency, or any third parties under
contract with one of these agencies.