<<Prev Rule

Texas Administrative Code

Next Rule>>
TITLE 1ADMINISTRATION
PART 10DEPARTMENT OF INFORMATION RESOURCES
CHAPTER 202INFORMATION SECURITY STANDARDS
SUBCHAPTER BINFORMATION SECURITY STANDARDS FOR STATE AGENCIES
RULE §202.23Security Reporting

(a) Agency Reporting. Each Information Security Officer shall report, at least annually, to the agency head on the adequacy and effectiveness of information security policies, procedures, and practices, and compliance with the requirements of this chapter and:

  (1) effectiveness of current information security program and status of key initiatives;

  (2) residual risks identified by the agency risk management process; and

  (3) agency information security requirements and requests.

(b) Report to the Department.

  (1) Urgent Incident Report.

    (A) Each state agency shall assess the significance of a security incident based on the business impact on the affected resources and the current and potential technical effect of the incident (e.g., loss of revenue, productivity, access to services, reputation, unauthorized disclosure of confidential information, or propagation to other networks). Security incidents shall be promptly reported to immediate supervisors and the agency Information Security Officer. Security incidents shall be promptly reported to the department in the form and manner specified by the department where the security incident is assessed to:

      (i) propagate to other state systems;

      (ii) result in criminal violations that shall be reported to law enforcement in accordance with state or federal information security or privacy laws; or

      (iii) involve the unauthorized disclosure or modification of confidential information, e.g., sensitive personal information as defined in §521.002(a)(2), Business and Commerce Code, and other applicable laws that may require public notification.

    (B) If the security incident is assessed to involve suspected criminal activity (e.g., violations of Chapters 33, Penal Code (Computer Crimes) or Chapter 33A, Penal Code (Telecommunications Crimes)), the agency shall contact law enforcement, as required, and the security incident shall be investigated, reported, and documented in accordance with the legal requirements for handling of evidence.

    (C) Depending on the criticality of the incident, it will not always be feasible to gather all the information prior to reporting. In such cases, incident response teams should continue to report information to the department as it is collected. The department shall instruct state agencies as to the manner in which they shall report such information to the department. Supporting vendors or other third parties that report security incident information to an agency shall submit such reports to the agency in the form and manner specified by the department, unless otherwise directed by the agency. Agencies shall ensure that compliant reporting requirements are included in any contract where incident reporting may be necessary.

  (2) Monthly Incident Report. Summary reports of security-related events shall be sent to the department on a monthly basis no later than nine (9) calendar days after the end of the month. Agencies shall submit summary security incident reports in the form and manner specified by the department. Supporting vendors or other third parties that report security incident information to an agency shall submit such reports to the agency in the form and manner specified by the department, unless otherwise directed by the agency.

  (3) Biennial Information Security Plan. Each state agency shall submit to the department a Biennial Information Security Plan, in accordance with §2054.133, Texas Government Code.


Source Note: The provisions of this §202.23 adopted to be effective March 17, 2015, 40 TexReg 1357; amended to be effective March 16, 2016, 41 TexReg 1831

Link to Texas Secretary of State Home Page | link to Texas Register home page | link to Texas Administrative Code home page | link to Open Meetings home page