Texas Administrative Code
TITLE 1 ADMINISTRATION
PART 10 DEPARTMENT OF INFORMATION RESOURCES
CHAPTER 202 INFORMATION SECURITY STANDARDS
SUBCHAPTER C INFORMATION SECURITY STANDARDS FOR INSTITUTIONS OF HIGHER EDUCATION
RULE §202.72 Staff Responsibilities

Information owners, custodians, and users of information resources shall, in consultation with the institution IRM and ISO, be identified, and their responsibilities defined and documented by the state institution of higher education. The following distinctions among owner, custodian, and user responsibilities should guide determination of these roles:

  (1) Information Owner Responsibilities. The owner or his or her designated representative(s) are responsible for:

    (A) classifying information under their authority, with the concurrence of the state institution of higher education head or his or her designated representative(s), in accordance with the institution of higher education's established information classification categories;

    (B) approving access to information resources and periodically reviewing access lists based on documented risk management decisions;

    (C) formally assigning custody of information or an information resource;

    (D) coordinating data security control requirements with the ISO;

    (E) conveying data security control requirements to custodians;

    (F) providing authority to custodians to implement security controls and procedures;

    (G) justifying, documenting, and being accountable for exceptions to security controls. The information owner shall coordinate and obtain approval for exceptions to security controls with the institution of higher education information security officer; and

    (H) participating in risk assessments as provided under §202.75 of this chapter.

  (2) Information Custodian Responsibilities. Custodians of information resources, including third party entities providing outsourced information resources services to state institutions of higher education, shall:

    (A) implement controls required to protect information and information resources required by this chapter based on the classification and risks specified by the information owner(s) or as specified by the policies, procedures, and standards defined by the institution of higher education information security program;

    (B) provide owners with information to evaluate the cost-effectiveness of controls and monitoring;

    (C) adhere to monitoring techniques and procedures, approved by the ISO, for detecting, reporting, and investigating incidents;

    (D) provide information necessary to provide appropriate information security training to employees; and

    (E) ensure information is recoverable in accordance with risk management decisions.

  (3) User Responsibilities. The user of an information resource has the responsibility to:

    (A) use the resource only for the purpose specified by the institution or information owner;

    (B) comply with information security controls and institutional policies to prevent unauthorized or accidental disclosure, modification, or destruction; and

    (C) formally acknowledge that they will comply with the security policies and procedures in a method determined by the institution head or his or her designated representative.

  (4) Institution information resources designated for use by the public shall be configured to enforce security policies and procedures without requiring user participation or intervention. Information resources must require the acceptance of a banner or notice prior to use.


Source Note: The provisions of this §202.72 adopted to be effective March 17, 2015, 40 TexReg 1357
