
Texas Register Preamble


COMMENT: With respect to §202.7(h), a commenter indicated that the provision requiring agencies to implement suggested security policies was not worded well and suggested alternative language.

RESPONSE: The department agrees with the comment and has changed the wording to clarify the rule.

COMMENT: A commenter suggested that §202.7(h)(21) spell out the acronyms A/C, UPS, and PDU.

RESPONSE: The department agrees, and the acronyms were changed to "Air Conditioning, Universal Power Supply, and Power Distribution Unit."

COMMENT: Concerning §202.7(i)(4), a commenter requested that the provision concerning "routers" be changed to include additional wording that would require security features to be activated.

RESPONSE: The department disagrees. The requested change would place unnecessary additional requirements on the agencies. The rule does not preclude an agency from activating security features on routers.

COMMENT: Concerning §202.7(f)(1), a commenter noted that the rule did not make clear the types of security incidents that must be reported under the 24-hour reporting requirement to the department and asked if the department is prepared to receive incident reporting 24X7.

RESPONSE: The department agrees and added the following to clarify the 24-hour reporting requirements: "incidents that pose a substantial threat to other agencies or could propagate to other agencies' systems beyond the control of the agencies shall be reported to the department within 24 hours." The change eliminates the requirement to report every incident. In addition, the department has taken steps to develop a process to receive notifications on critical incidents on a 24X7 schedule.

COMMENT: Also, in §202.7(f)(1), commenters opposed the requirement to report within 24 hours, stating that it would be problematic.

RESPONSE: The department clarified the reporting requirement in response to these comments. Under the revised rule, only "incidents that pose a substantial threat to other agencies or could propagate to other agencies' systems beyond the control of the agencies shall be reported to the department within 24 hours." The change eliminates the need to report every incident, thereby reducing the reporting obligation for agencies.

COMMENT: A commenter inquired if monthly incident reports are necessary under §202.7(f) since the rule requires prompt investigation.

RESPONSE: Monthly incident reports are necessary. As indicated above, the department has reduced the 24-hour reporting requirements, and monthly reports continue to be necessary so that all incidents are covered and reported.

COMMENT: For §202.7(j)(4), a commenter indicated that the proposed provision would compromise the integrity and credibility of universities if personal information was subject to a banner statement that there is no expectation of privacy with respect to use of the information resource.

RESPONSE: The department agrees that certain laws provide certain privacy rights; however, the department disagrees with removing the requirement that system identification and logon banners address that users of state information resources should have no expectation of privacy. In response to the comment received, the department modified the language of §202.7(j)(4) to provide that system identification/logon banners shall include the warning that there is no expectation of privacy except as otherwise provided by applicable privacy law.

COMMENT: Comments were made that the rules should differentiate between institutions of higher education and other state agencies due to differing missions and operating environments.

RESPONSE: The department disagrees and has tried to accommodate all agencies, including institutions of higher education. The department believes the rules are prudent business practices that all agencies, including institutions of higher education, must follow to protect both state resources and private data held electronically by state agencies. The Information Security Advisory Work Group that worked with the department on amending the security rules consisted of thirteen agencies and four universities. Input was gathered from all group participants.

COMMENT: Commenters stated that §202.3(c), which refers to defining responsibilities, "would generate an enormous documentation burden and would be next to impossible to keep current without great expense" for non-business aspects of universities.

RESPONSE: The department disagrees. The rule applies only to assigned responsibilities within a business function of an institution of higher education. The rules are inapplicable to non-business function operations.

COMMENT: A commenter indicated that the cost estimates in the preamble to this rule fall short of what will actually be needed.

RESPONSE: The department disagrees with the comment. The cost estimates set forth in the preamble are per instance. The cost estimates do not include staff.

COMMENT: Another commenter indicated there will be additional costs to the agency (costs for staff, independent reviews, and to modify operations) to comply with this rule.

RESPONSE: Some agencies will require additional funding to comply with the rules. However, the requirements of the rules represent prudent business practices that will help ensure adequate information resources security.

The new rules are adopted pursuant to §2054.052(a), Government Code, which provides the department may adopt rules as necessary to implement its responsibilities under the Information Resources Management Act.

The department is not aware of other statutes affected by the proposed rules.


