(a) Each institution of higher education shall develop, document, and implement an institution of higher education-wide information security program, approved by the agency head or delegate under §202.70 of this subchapter, that includes protections based on risk for all information and information resources owned, leased, or under the custodianship of any department, operating unit, or employee of the institution of higher education including outsourced resources to another institution of higher education, contractor, or other source (e.g., cloud computing). The program shall include:
(1) periodic assessments in alignment with minimum legal reporting requirements of the risk and impact that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information, information systems, and applications that support the operations and assets of the institution of higher education;
(2) policies, controls, standards, and procedures that:
(A) are based on the risk assessments required by §202.75 of this chapter;
(B) cost-effectively reduce information security risks to a level acceptable to the institution head;
(C) ensure that information security is addressed throughout the lifecycle of institution of higher education information resources; and
(D) ensure compliance with:
(i) the requirements of this subchapter;
(ii) minimally acceptable system configuration requirements, as determined by the institution of higher education; and
(iii) the control catalog published by the department.
(3) strategies to address risk to high impact information resources;
(4) plans for providing information security for networks, facilities, and systems or groups of information systems and applications based on risk;
(5) a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the institution of higher education; and
(6) a process to justify, grant, and document any exceptions to specific program requirements in accordance with requirements and processes defined in this chapter.
(b) State institutions of higher education are responsible for:
(1) defining all information classification categories except the Confidential Information category, which is defined in Subchapter A of this chapter, and establishing the controls for each;
(2) administering an ongoing information security awareness education program in compliance with the requirements of Texas Government Code § 2054.5191 - .5192 for all users; and
(3) introducing information security awareness and informing new employees of information security policies and procedures during the onboarding process.