Texas Administrative Code

RULE §202.76 Security Control Standards Catalog

(a) Mandatory Requirements. Mandatory security controls shall be defined by the department in a Control Standards document published on the department's website.

(b) Minimum Requirements for Security Controls. The controls required by subsection (a) shall include:

  (1) minimum information security requirements for all State information and information systems; and

  (2) standards to be used by all institutions of higher education to provide levels of information security according to risk levels.

(c) A review of the institution's information security program for compliance with these standards will be performed at least biennially, based on business risk management decisions, by individual(s) independent of the information security program and designated by the institution of higher education head or his or her designated representative(s).

(d) Development of Control Standards. Prior to publishing new or revised standards as required by subsections (a) and (b), the department shall:

  (1) solicit comment through the department's electronic communications channels for proposed standards from the Information Resource Managers, ITCHE, and Information Security Officers of institutions of higher education and institutes of higher education at least 30 days prior to publication of proposed standards;

  (2) after reviewing comments provided in paragraph (1), present proposed standards to the department's Board and obtain approval from the Board for publication; and

  (3) minimize the impact to an affected institution of higher education, to the extent possible by:

    (A) ensuring that such standards and guidelines do not require the use or procurement of specific products, including any specific hardware or software;

    (B) ensuring that such standards provide for flexibility to permit alternative solutions to provide equivalent levels of protection for identified information security risks; and

    (C) using flexible, performance-based standards and guidelines that permit the use of off-the-shelf commercially developed information security products.

  (4) New standards required by the department will have an effective date, not to exceed 18 months from the date of adoption, after which institutions of higher education are required to adhere to the new standard.

(e) Application of More Stringent Standards. The head of an institution of higher education may employ standards for the cost-effective information security of information and information resources within or under the supervision of that institution of higher education that are more stringent than the standards the department prescribes under this section if the more stringent standards:

  (1) contain at least the applicable standards issued by the department;

  (2) are consistent with applicable federal law, policies and guidelines issued under state rule, industry standards, best practices, or deemed necessary to adequately protect the information held by the institution of higher education.

Source Note: The provisions of this §202.76 adopted to be effective March 17, 2015, 40 TexReg 1357