(a) Each Information Security Officer shall directly
report to the agency head, at least annually, on the adequacy and
effectiveness of information security policies, procedures, practices,
compliance with the requirements of this chapter, and:
(1) effectiveness of current information security program
and status of key initiatives;
(2) residual risks identified by the institution of
higher education risk management process; and
(3) institution of higher education information security
requirements and requests.
(b) Each institution of higher education shall submit
to the department a Biennial Information Security Plan in accordance
with Texas Government Code §2054.133.
(c) At least every two years, each institution of higher
education shall complete and submit an information security assessment
in compliance with the requirements of Texas Government Code §2054.515
and this subsection.
(1) The institution of higher education's Biennial
Information Security Plan may be considered to satisfy the information
security assessment requirements of Texas Government Code §2054.515(a)(1)
if the institution's Biennial Information Security Plan assesses:
(A) The security of the institution's information resources
systems, network systems, and digital data storage systems;
(B) The measures in place to establish digital data
security; and
(C) The vulnerabilities of the institution's information
resources, including an evaluation determining how well the organization's
security policies protect its data and information systems.
(2) To comply with Texas Government Code §2054.515(a)(2),
an institution of higher education must complete a data maturity assessment
in alignment with the requirements established at 1 Texas Administrative
Code §218.10.
(3) Upon completion of its information security assessment,
an institution of higher education shall report the results of its
assessment to the department in the form and manner identified by
the department. An institution of higher education must comply with
a request for the results of its assessment received from the Office
of the Governor, Lieutenant Governor, or speaker of the House of Representatives.
(d) Each state institution of higher education shall
assess the significance of a security incident based on the business
impact on the affected resources and the current and potential technical
effect of the incident (e.g., loss of revenue, productivity, access
to services, reputation, unauthorized disclosure of confidential information,
or propagation to other networks). Confirmed or suspected incidents
shall be reported to immediate supervisors and the institution of
higher education Information Security Officer.
(1) An institution of higher education shall report
security incidents to the department within 48 hours of discovery
in the form and manner specified by the department where the security
incident is assessed to:
(A) propagate to other state systems;
(B) result in criminal violations that shall be reported
to law enforcement in accordance with state or federal information
security or privacy laws;
(C) involve the unauthorized disclosure or modification
of confidential information, e.g., sensitive personal information
as defined in Texas Business and Commerce Code §521.002(a)(2)
and other applicable laws that may require public notification; or
(D) be an unauthorized incident that compromises, destroys,
or alters information systems, applications, or access to such systems
or applications in any way.
(2) If the security incident is assessed to involve
suspected criminal activity (e.g., violations of Texas Penal Code
Chapters 33 or 33A), the institution of higher education shall contact
law enforcement, as required, and the security incident shall be investigated,
reported, and documented in accordance with the legal requirements
for handling of evidence.
(3) Depending on the nature of the incident, it will
not always be feasible to gather all the information prior to reporting.
In such cases, incident response teams shall continue to report information
to the department as it is collected. The department shall instruct
state institutions of higher education as to the manner in which they
shall report such information to the department. Supporting vendors
or other third parties that report security incident information to
an institution of higher education shall submit such reports to the
institution of higher education in the form and manner specified by
the department, unless otherwise directed by the institution of higher
education. Institutions of higher education shall ensure that compliant
reporting requirements are included in any contract where incident
reporting may be necessary.
(4) Ten days after the date of the eradication, closure,
and recovery from a security incident, an institution of higher education
shall notify the department and the chief information security officer
in the form and manner prescribed by the department of the security
incident details and an analysis of the security incident cause.
Source Note: The provisions of this §202.73 adopted to be effective March 17, 2015, 40 TexReg 1357; amended to be effective March 16, 2016, 41 TexReg 1831; amended to be effective November 17, 2021, 46 TexReg 7775; amended to be effective November 16, 2023, 48 TexReg 6579