| (a) Mandatory Requirements. Mandatory security controls
shall be defined by the department in a Control Standards document
published on the department's website.
(b) Minimum Requirements for Security Controls. The
controls required by subsection (a) of this section shall include:
(1) minimum information security requirements for all
institution information, information systems, and applications; and
(2) standards to be used by all institutions of higher
education to provide levels of information security according to risk
categorizations.
(c) A review of the institution's information security
program for compliance with these standards will be performed at least
biennially, based on business risk management decisions, by individual(s)
independent of the information security program and designated by
the institution of higher education head or their designated representative(s).
(d) Development of Control Standards. Prior to publishing
new or revised standards as required by subsections (a) and (b) of
this section, the department shall:
(1) solicit comment through the department's electronic
communications channels for proposed standards from the Information
Resources Managers, ITCHE, and Information Security Officers of agencies
and institutions of higher education at least 30 days prior to publication
of proposed standards;
(2) after reviewing comments provided in paragraph
(1) of this subsection, present proposed standards to the department's
Board and obtain approval from the Board for publication; and
(3) minimize the impact to an affected institution
of higher education to the extent possible by:
(A) ensuring that such standards and guidelines do
not require the use or procurement of specific products, including
any specific hardware or software;
(B) ensuring that such standards provide for flexibility
to permit alternative solutions to provide equivalent levels of protection
for identified information security risks; and
(C) using flexible standards and guidelines that permit
the use of commercial off-the-shelf developed information security
products.
(4) New standards required by the department will have
an effective date, not to exceed 18 months from the date of adoption,
after which institutions of higher education are required to adhere
to the new standard.
(e) Application of More Stringent Standards. The agency
head may employ standards for the cost-effective information security
of information, information resources, and applications within or
under the supervision of that institution of higher education that
are more stringent than the standards the department prescribes under
this section if the more stringent standards:
(1) contain at least the applicable standards issued
by the department; and/or
(2) are consistent with applicable federal law, policies
and guidelines issued under state rule, industry standards, best practices,
or deemed necessary to adequately protect the information held by
the institution of higher education.
|
