Texas Administrative Code

TITLE 1 ADMINISTRATION
PART 10 DEPARTMENT OF INFORMATION RESOURCES
CHAPTER 202 INFORMATION SECURITY STANDARDS
SUBCHAPTER C INFORMATION SECURITY STANDARDS FOR INSTITUTIONS OF HIGHER EDUCATION
RULE §202.73 Security Reporting

(a) Institution Reporting. Each Information Security Officer shall report, at least annually, to the institution of higher education head on the adequacy and effectiveness of information security policies, procedures, and practices, and compliance with the requirements of this chapter and:

  (1) effectiveness of current information security program and status of key initiatives;

  (2) residual risks identified by the institution of higher education risk management process; and

  (3) institution of higher education information security requirements and requests.

(b) Report to the Department.

  (1) Urgent Incident Report.

    (A) Each state institution of higher education shall assess the significance of a security incident based on the business impact on the affected resources and the current and potential technical effect of the incident (e.g., loss of revenue, productivity, access to services, reputation, unauthorized disclosure of confidential information, or propagation to other networks). Security incidents shall be promptly reported to immediate supervisors and the institution of higher education Information Security Officer. Security incidents shall be promptly reported to the department in the form and manner specified by the department where the security incident is assessed to:

      (i) propagate to other state systems;

      (ii) result in criminal violations that shall be reported to law enforcement in accordance with state or federal information security or privacy laws; or

      (iii) involve the unauthorized disclosure or modification of confidential information, e.g., sensitive personal information as defined in §521.002(a)(2), Business and Commerce Code, and other applicable laws that may require public notification.

    (B) If the security incident is assessed to involve suspected criminal activity (e.g., violations of Chapters 33, Penal Code (Computer Crimes) or Chapter 33A, Penal Code (Telecommunications Crimes)), the institution of higher education shall contact law enforcement, as required, and the security incident shall be investigated, reported, and documented in accordance with the legal requirements for handling of evidence.

    (C) Depending on the criticality of the incident, it will not always be feasible to gather all the information prior to reporting. In such cases, incident response teams should continue to report information to the department as it is collected. The department shall instruct state institutions of higher education as to the manner in which they shall report such information to the department. Supporting vendors or other third parties that report security incident information to an institution of higher education shall submit such reports to the institution of higher education in the form and manner specified by the department, unless otherwise directed by the institution of higher education. Institutions of higher education shall ensure that compliant reporting requirements are included in any contract where incident reporting may be necessary.

  (2) Monthly Incident Report. Summary reports of security-related events shall be sent to the department on a monthly basis no later than nine (9) calendar days after the end of the month. Institutions of higher education shall submit summary security incident reports in the form and manner specified by the department. Supporting vendors or other third parties that report security incident information to an institution of higher education shall submit such reports to the institution of higher education in the form and manner specified by the department, unless otherwise directed by the institution of higher education.

  (3) Biennial Information Security Plan. Each state institution of higher education shall submit to the department a biennial Information Security plan, in accordance with §2054.133, Texas Government Code.


Source Note: The provisions of this §202.73 adopted to be effective March 17, 2015, 40 TexReg 1357; amended to be effective March 16, 2016, 41 TexReg 1831
