| (a) Institution Reporting. Each Information Security
Officer shall directly report to the agency head, at least annually,
on the adequacy and effectiveness of information security policies,
procedures, practices, compliance with the requirements of this chapter,
and:
(1) effectiveness of current information security program
and status of key initiatives;
(2) residual risks identified by the institution of
higher education risk management process; and
(3) institution of higher education information security
requirements and requests.
(b) Report to the Department.
(1) Urgent Incident Report.
(A) Each state institution of higher education shall
assess the significance of a security incident based on the business
impact on the affected resources and the current and potential technical
effect of the incident (e.g., loss of revenue, productivity, access
to services, reputation, unauthorized disclosure of confidential information,
or propagation to other networks). Confirmed or suspected incidents
shall be reported to immediate supervisors and the institution of
higher education Information Security Officer. Confirmed or suspected
security incidents shall be reported to the department within 48 hours
of discovery in the form and manner specified by the department where
the security incident is assessed to:
(i) propagate to other state systems;
(ii) result in criminal violations that shall be reported
to law enforcement in accordance with state or federal information
security or privacy laws;
(iii) involve the unauthorized disclosure or modification
of confidential information, e.g., sensitive personal information
as defined in Texas Business and Commerce Code §521.002(a)(2)
and other applicable laws that may require public notification; or
(iv) be an unauthorized incident that compromises,
destroys, or alters information systems, applications, or access to
such systems or applications in any way.
(B) If the security incident is assessed to involve
suspected criminal activity (e.g., violations of Texas Penal Code
Chapters 33 or 33A, the institution of higher education shall contact
law enforcement, as required, and the security incident shall be investigated,
reported, and documented in accordance with the legal requirements
for handling of evidence.
(C) Depending on the nature of the incident, it will
not always be feasible to gather all the information prior to reporting.
In such cases, incident response teams shall continue to report information
to the department as it is collected. The department shall instruct
state institutions of higher education as to the manner in which they
shall report such information to the department. Supporting vendors
or other third parties that report security incident information to
an institution of higher education shall submit such reports to the
institution of higher education in the form and manner specified by
the department, unless otherwise directed by the institution of higher
education. Institutions of higher education shall ensure that compliant
reporting requirements are included in any contract where incident
reporting may be necessary.
(2) Monthly Incident Report. Summary reports of security-related
events shall be sent to the department on a monthly basis no later
than nine (9) calendar days after the end of the month. Institutions
of higher education shall submit summary security incident reports
in the form and manner specified by the department. Supporting vendors
or other third parties that report security incident information to
an institution of higher education shall submit such reports to the
institution of higher education in the form and manner specified by
the department, unless otherwise directed by the institution of higher
education.
(3) Biennial Information Security Plan. Each state
institution of higher education shall submit to the department a biennial
Information Security plan, in accordance with Texas Government Code §
2054.133.
|
| Source Note: The provisions of this §202.73 adopted to be effective March 17, 2015, 40 TexReg 1357; amended to be effective March 16, 2016, 41 TexReg 1831; amended to be effective November 17, 2021, 46 TexReg 7775 |
