| (a) Information owners, custodians, and users of information
resources shall, in consultation with the institution Information
Resources Managers and Information Security Officer, be identified
and their responsibilities defined and documented by the state institution
of higher education. The following distinctions among owner, custodian,
and user responsibilities should guide determination of these roles:
(1) Information Owner Responsibilities. The owner or
their designated representative(s) are responsible for:
(A) classifying information under their authority or
responsibility, with the concurrence of the agency head or their designated
representative(s), in accordance with the institution of higher education's
established information classification categories;
(B) approving access to information resources and periodically
reviewing access lists based on documented risk management decisions;
(C) formally assigning custody of information or an
information resource;
(D) coordinating data security control requirements
with the Information Security Officer;
(E) conveying data security control requirements to
custodians;
(F) providing authority to custodians to implement
security controls and procedures;
(G) justifying, documenting, and being accountable
for exceptions to security controls issued by the Information Security
Officer for the information for which the Information Owner is responsible;
(H) coordinating and obtaining approval for exceptions
to security controls with the agency Information Security Officer;
and
(I) performing risk assessments as provided under §202.75
of this subchapter.
(J) Information owners, in coordination with the information
custodian, shall ensure that information resources provide a clear
and conspicuous prohibition against unauthorized access or use as
detailed by Texas Penal Code § 33.02(b-1).
(2) Information Custodian Responsibilities. Custodians
of information resources, including third party entities providing
outsourced information resources services to state institutions of
higher education shall:
(A) implement controls required to protect information
and information resources required by this chapter based on the classification
and risks specified by the information owner(s) or as specified by
the policies, procedures, and standards defined by the institution
of higher education information security program;
(B) provide owners with information to evaluate the
cost-effectiveness of controls and monitoring;
(C) adhere to monitoring techniques and procedures,
approved by the Information Security Officer, for detecting, reporting,
and investigating incidents;
(D) supply any information and/or documents necessary
to provide appropriate information security training to employees;
and
(E) ensure information is recoverable in accordance
with risk management decisions.
(3) User Responsibilities. The user of information
resources has the responsibility to:
(A) use the resource only for the purpose specified
by the institution or information owner;
(B) comply with information security controls and institutional
policies to prevent unauthorized or accidental disclosure, modification,
or destruction of information and information resources; and
(C) formally acknowledge that they will comply with
the security policies and procedures in a method determined by the
institution head or his or her designated representative.
(b) Institution information resources designated for
use by the public shall be configured to enforce security policies
and procedures without requiring user participation or intervention.
Information resources must require the acceptance of a banner or notice
prior to use.
|
