The following words and terms, when used in this chapter, shall
have the following meanings, unless the context clearly indicates
otherwise.
(1) Access--The physical or logical capability to view,
interact with, or otherwise make use of information resources.
(2) Agency Head--The top-most senior executive with
operational accountability for an agency, department, commission,
board, office, council, authority, or other agency in the executive
or judicial branch of state government, that is created by the constitution
or a statute of the state; or institutions of higher education, as
defined in Texas Education Code §61.003.
(3) Application--As defined in Texas Government Code §2054.003(1).
(4) Availability--The security objective of ensuring
timely and reliable access to and use of information.
(5) Cloud Computing--Has the same meaning as "Advanced
Internet-Based Computing Service" as defined in Texas Government Code §2157.007(a).
(6) Cloud Computing Service--The meaning assigned by
Special Publication 800-145 issued by the United States Department
of Commerce National Institute of Standards and Technology as the
definition existed on January 1, 2015.
(7) Confidential Information--Information that must
be protected from unauthorized disclosure or public release based
on state or federal law or other legal agreement.
(8) Confidentiality--The security objective of preserving
authorized restrictions on information access and disclosure, including
means for protecting personal privacy and proprietary information.
(9) Control--A safeguard or countermeasure, including
devices, policies, procedures, techniques, or other measures, that
are prescribed to meet security requirements of an information system
or organization to preserve. Controls may include security features,
management constraints, personnel security, and security of physical
structures, areas, and devices.
(10) Control Standards Catalog--The document that provides
state agencies and higher education institutions state-specific implementation
guidance for alignment with the National Institute of Standards and
Technology (NIST) Special Publication (SP) 800-53 security controls.
(11) Custodian--See information custodian.
(12) Department--The Department of Information Resources.
(13) Destruction--The result of actions taken to ensure
that physical and digital media cannot be reused as originally intended
and that information is technologically infeasible or prohibitively
expensive to recover.
(14) Electronic Communication--A process used to convey
a message or exchange information via electronic media. It includes
the use of electronic mail (email), Internet access, Instant Messaging
(IM), Short Message Service (SMS), facsimile transmission, and other
paperless means of communication.
(15) Encryption (encrypt or encipher)--The conversion
of plaintext information into a code or cipher text using a variable
called a "key" and processing those items through a fixed algorithm
to create the encrypted text that conceals the data's original meaning.
(16) FedRAMP--Federal Risk and Authorization Management
Program.
(17) Guideline--Recommended, non-mandatory controls
that help support standards or serve as a reference when no applicable
standard is in place.
(18) High Impact Information Resources--Information
Resources whose loss of confidentiality, integrity, or availability
could be expected to have a severe or catastrophic adverse effect
on organizational operations, organizational assets, or individuals.
Such an event could:
(A) cause a severe degradation in or loss of mission
capability to an extent and duration that the organization is not
able to perform one or more of its primary functions;
(B) result in major damage to organizational assets;
(C) result in major financial loss; or
(D) result in severe or catastrophic harm to individuals
involving loss of life or serious life-threatening injuries.
(19) Information--Any communication or representation
of knowledge such as facts, data, or opinions in any medium or form,
including textual, numerical, graphic, cartographic, narrative, electronic,
or audiovisual forms.
(20) Information Custodian--A department, agency, or
third-party service provider responsible for implementing the information
owner-defined controls and access to an information resource.
(21) Information Owner(s)--A person(s) with statutory
or operational authority for specified information and responsibility
for establishing the controls for its generation, collection, processing,
dissemination, and disposal.
(22) Information Resources--As defined in Texas Government
Code §2054.003(7).
(23) Information Resources Manager--As defined in Texas
Government Code §2054.071.
(24) Information Security Program--The policies, standards,
procedures, elements, structure, strategies, objectives, plans, metrics,
reports, services, and resources that establish an information resources
security function within an institution of higher education or state
agency.
(25) Information System--A discrete set of information
resources organized for the collection, processing, maintenance, use,
sharing, dissemination, or disposition of information. An Information
System normally includes, but is not limited to, hardware, software,
network infrastructure, information, applications, communications,
and people.
(26) Integrity--The security objective of guarding
against improper information modification or destruction, including
ensuring information non-repudiation and authenticity.
(27) ITCHE--Information Technology Council for Higher
Education.
(28) Local Government--As defined by Texas Government
Code §2054.003(9).
(29) Low Impact Information Resources--Information
resources whose loss of confidentiality, integrity, or availability
could be expected to have a limited adverse effect on organizational
operations, organizational assets, or individuals. Such an event could:
(A) cause a degradation in mission capability to an
extent and duration that the organization is able to perform its primary
functions, but the effectiveness of the functions is noticeably reduced;
(B) result in minor damage to organizational assets;
(C) result in minor financial loss; or
(D) result in minor harm to individuals.
(30) Moderate Impact Information Resources--Information
Resources whose loss of confidentiality, integrity, or availability
could be expected to have a serious adverse effect on organizational
operations, organizational assets, or individuals. Such an event could:
(A) cause a significant degradation in mission capability
to an extent and duration that the organization is able to perform
its primary functions, but the effectiveness of the functions is significantly
reduced;
(B) result in significant damage to organizational
assets;
(C) result in significant financial loss; or
(D) result in significant harm to individuals that
does not involve loss of life or serious life-threatening injuries.
(31) Network Security Operations Center (NSOC)--As
established by Texas Government Code §2059.101.
(32) Nonconfidential Data--Information that is not
required to be or may not be protected from unauthorized disclosure
or public release based on state or federal law or other legal agreement.
(33) Personal Identifying Information (PII)--A category
of personal identity information as defined by Texas Business and
Commerce Code §521.002(a)(1).
(34) Procedure--Instructions to assist information
security staff, custodians, and users in implementing policies, standards,
and guidelines.
(35) Program Manual--Program manual for the Texas risk
and authorization management program.
(36) Residual Risk--The risk that remains after security
measures have been applied.
(37) Risk--The effect on the entity's missions, functions,
image, reputation, assets, or constituencies considering the probability
that a threat will exploit a vulnerability, the safeguards already
in place, and the resulting impact. Risk outcomes are a consequence
of Impact levels defined in this section.
(38) Risk Assessment--The process of identifying, evaluating,
and documenting the probability and level of impact on an organization's
mission, functions, image, reputation, assets, or individuals that
may result from the operation of information systems. Risk Assessment
incorporates threat and vulnerability analyses and considers mitigations
provided by planned or in-place security controls.