Texas Administrative Code

RULE §202.71 Responsibilities of Information Security Officer

(a) Each institution of higher education shall have a designated Information Security Officer (ISO), and shall provide that its Information Security Officer:

  (1) reports to executive level management;

  (2) has authority for information security for the entire institution;

  (3) possesses training and experience required to administer the functions described under this chapter; and

  (4) whenever possible, has information security duties as that official's primary duty.

(b) The Information Security Officer shall be responsible for:

  (1) developing and maintaining an institution-wide information security plan as required by §2054.133, Texas Government Code;

  (2) developing and maintaining information security policies and procedures that address the requirements of this chapter and the institution's information security risks;

  (3) working with the business and technical resources to ensure that controls are utilized to address all applicable requirements of this chapter and the institution's information security risks;

  (4) providing for training and direction of personnel with significant responsibilities for information security with respect to such responsibilities;

  (5) providing guidance and assistance to senior institution of higher education officials, information owners, information custodians, and end users concerning their responsibilities under this chapter;

  (6) ensuring that annual information security risk assessments are performed and documented by information-owners;

  (7) reviewing the institution's inventory of information systems and related ownership and responsibilities;

  (8) developing and recommending policies and establishing procedures and practices, in cooperation with the institution Information Resources Manager, information-owners and custodians, necessary to ensure the security of information and information resources against unauthorized or accidental modification, destruction, or disclosure;

  (9) coordinating the review of the data security requirements, specifications, and, if applicable, third-party risk assessment of any new computer applications or services that receive, maintain, and/or share confidential data;

  (10) verifying that security requirements are identified and risk mitigation plans are developed and contractually agreed and obligated prior to the purchase of information technology hardware, software, and systems development services for any new high impact computer applications or computer applications that receive, maintain, and/or share confidential data;

  (11) reporting, at least annually, to the state institution of higher education head the status and effectiveness of security controls; and

  (12) informing the parties in the event of noncompliance with this chapter and/or with the institution's information security policies.

(c) The Information Security Officer, with the approval of the state institution of higher education head, may issue exceptions to information security requirements or controls in this chapter. Any such exceptions shall be justified, documented and communicated as part of the risk assessment process.

Source Note: The provisions of this §202.71 adopted to be effective March 17, 2015, 40 TexReg 1357; amended to be effective March 16, 2016, 41 TexReg 1831