Texas Administrative Code

RULE §202.21 Responsibilities of the Information Security Officer

(a) Each agency shall have a designated Information Security Officer (ISO), and shall provide that its Information Security Officer:

  (1) reports to executive level management;

  (2) has authority for information security for the entire agency;

  (3) possesses training and experience required to administer the functions described under this chapter; and

  (4) whenever possible, has information security duties as that official's primary duty.

(b) The Information Security Officer shall be responsible for:

  (1) developing and maintaining an agency-wide information security plan as required by §2054.133, Texas Government Code;

  (2) developing and maintaining information security policies and procedures that address the requirements of this chapter and the agency's information security risks;

  (3) working with the business and technical resources to ensure that controls are utilized to address all applicable requirements of this chapter and the agency's information security risks;

  (4) providing for training and direction of personnel with significant responsibilities for information security with respect to such responsibilities;

  (5) providing guidance and assistance to senior agency officials, information-owners, information custodians, and end users concerning their responsibilities under this chapter;

  (6) ensuring that annual information security risk assessments are performed and documented by information-owners;

  (7) reviewing the agency's inventory of information systems and related ownership and responsibilities;

  (8) developing and recommending policies and establishing procedures and practices, in cooperation with the agency Information Resources Manager, information-owners and custodians, necessary to ensure the security of information and information resources against unauthorized or accidental modification, destruction, or disclosure;

  (9) coordinating the review of data security requirements, specifications, and, if applicable, third-party risk assessment of any new computer applications or services that receive, maintain, and/or share confidential data;

  (10) verifying that security requirements are identified and risk mitigation plans are developed and contractually agreed and obligated prior to the purchase of information technology hardware, software, and systems development services for any new high impact computer applications or computer applications that receive, maintain, and/or share confidential data;

  (11) reporting, at least annually, to the state agency head the status and effectiveness of security controls; and

  (12) informing the parties in the event of noncompliance with this chapter and/or with the agency's information security policies.

(c) The Information Security Officer, with the approval of the state agency head, may issue exceptions to information security requirements or controls in this chapter. Any such exceptions shall be justified, documented and communicated as part of the risk assessment process.

Source Note: The provisions of this §202.21 adopted to be effective March 17, 2015, 40 TexReg 1357; amended to be effective March 16, 2016, 41 TexReg 1831