Texas Register

TITLE 1 ADMINISTRATION
PART 10 DEPARTMENT OF INFORMATION RESOURCES
CHAPTER 202 INFORMATION SECURITY STANDARDS
SUBCHAPTER A DEFINITIONS
RULE §202.1 Applicable Terms and Technologies for Information Security
ISSUE 06/05/2009
ACTION Proposed

The following words and terms, when used in this chapter, shall have the following meanings, unless the context clearly indicates otherwise.

  (1) Access--The physical or logical capability to [To approach,] interact with, or otherwise make use of information resources.

  (2) Business Continuity Planning--The process of identifying mission critical data systems and business functions, analyzing the risks and probabilities of service disruptions and developing procedures to restore those systems and functions.

  (3) Confidential Information--Information that must be protected from unauthorized disclosure or public release based on state or federal law (e.g. the Texas Public Information Act, and other constitutional, statutory, judicial, and legal agreement requirements). [Information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.]

  (4) Control--A safeguard or protective action, device, policy, procedure, technique, or other measure prescribed to meet security requirements (i.e., confidentiality, integrity, and availability) that may be specified for a set of information resources. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. [Any action, device, policy, procedure, technique, or other measure that improves security.]

  (5) Custodian of an Information Resource--A person responsible for implementing the information owner-defined controls and access to an information resource. Custodians may include state employees, vendors, and any third party acting as an agent of, or otherwise on behalf of the state entity.

  (6) Department--The Department of Information Resources.

  (7) DMZ--A network area created between the public Internet and internal private network(s). This neutral zone is usually delineated by some combination of routers, firewalls, and other hosts. A DMZ usually includes devices that are accessible to Internet traffic.

  (8) Electronic Communication--A process used to convey a message or exchange information via electronic media. It includes the use of electronic mail (email), Internet access, Instant Messaging (IM), Short Message Service (SMS), facsimile transmission, and other paperless means of communication.

  (9) Encryption (encrypt, encipher, or encode)--The conversion of plaintext information into a code or cipher text using a variable, called a "key" and processing those items through a fixed algorithm to create the encrypted text that conceals the data's original meaning.

  (10) Firewall--A software or hardware device or system that filters communications between networks that have different security domains based on a defined set of rules. A firewall may be configured to deny, permit, encrypt, decrypt, or serve as an intermediary (proxy) for network traffic.

  (11) Information Owner--A person with statutory or operational authority for specified information (e.g., supporting a specific business function) and responsibility for establishing the controls for its generation, collection, processing, access, dissemination, and disposal. The Information Owner may also be responsible for other information resources including personnel, equipment, and information technology that support the Information Owner's business function.

  (12) [(7)] Information Resources--Is defined in §2054.003(7), Government Code and/or other applicable state or federal legislation.

  (13) [(8)] Information Security Program--The elements, structure, objectives, and resources that establish an information resources security function within an institution of higher education, or state agency.

  (14) Intrusion Detection System (IDS)--Hardware or a software application that can be installed on network devices or host operating systems to monitor network traffic and host log entries for signs of known and likely methods of intruder activity and attacks. Suspicious activities trigger administrator alarms and other configurable responses.

  (15) Intrusion Prevention System (IPS)--Hardware or a software application that can be installed on a network or host operating system to monitor network and/or system activities for malicious or unwanted behavior and can automatically block or prevent those activities. (Firewalls, routers, IDS devices, and anti-virus gateways all may have IPS capabilities). IPS can make access control decisions based on application content.

  (16) [(9)] Mission Critical Information--Information that [is confidential or] is defined by the institution of higher education, or state agency to be essential to the institution of higher education, or state agency function(s).

  [(10) Owner of an Information Resource--A person responsible:]

    [(A) For a business function; and]

    [(B) For determining controls and access to information resources supporting that business function.]

  (17) [(11)] Platform--The foundation technology of a computer system. The hardware and systems software that together provide support for an application program. (Ref: Practices for Protecting Information Resources Assets.)

  (18) Risk Assessment--The process of identifying, evaluating, and documenting the level of impact that may result from the operation of an information system on an organization's mission, functions, image, reputation, assets, or individuals. Risk assessment incorporates threat and vulnerability analyses and considers mitigations provided by planned or in-place security controls.

  (19) Risk Management--Decisions to accept risk exposures or to reduce vulnerabilities and to align information resources risk exposure with the organization's risk tolerance.

  (20) Router--A device or, in some cases, software in a computer, that determines the next network point to which a packet should be forwarded toward its destination. The router is connected to at least two networks and decides which way to send each information packet based on its current understanding of the state of the networks to which it is connected. A router is located at any intersection where one network meets another.

  (21) Sanitize--A process to remove information from media such that data recovery is not possible. It includes removing all confidential labels, markings, and activity logs as specified in applicable National Institute of Standards and Technology Special Publication (NIST SP) 800-88 or U.S. Department of Defense 5220.22-M guidelines and standards for media sanitization.

  [(12) Restricted Personal Information--Includes an individual's social security number, or data protected under state or federal law (e.g., financial, medical or student data).]

  [(13) Sanitized--Overwriting data using software tools and procedures to comply with the U.S. Department of Defense 5220.22-M standard for disk-sanitization. For specific types of storage media see Department of Defense 5220.22-M §8-500, Software and Data, Table 1, Clearing and Sanitization Data Storage.]

  (22) [(14)] Security Incident--An event which results in accidental or deliberate unauthorized access, loss, disclosure, modification, disruption, or destruction of information resources [whether accidental or deliberate].

  (23) Sensitive Personal Information--A category of personal identity information as defined by §521.002(a)(2), Business and Commerce Code.

  [(15) Security Risk Analysis--The process of identifying and documenting vulnerabilities and applicable threats to information resources.]

  [(16) Security Risk Assessment--The process of evaluating the results of the risk analysis by projecting losses, assigning levels of risk, and recommending appropriate measures to protect information resources.]

  [(17) Security Risk Management--Decisions to accept exposures or to reduce vulnerabilities.]

  (24) [(18)] Storage Device--Any fixed or removable device that contains data and maintains the data after power is removed from the device, such as a DVD/CD-ROM, external or internal hard drive, Universal Serial Bus (USB) flash drive, memory card, or media player.

  (25) [(19)] Test--A simulated or otherwise documented event ["real-live" incident] for which results and records are kept [of the incident].

  (26) Threat--Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

  (27) [(20)] User of an Information Resource--An individual or automated application authorized to access an information resource in accordance with the information owner-defined controls and access rules.

  (28) [(21)] Vulnerability Assessment--A documented evaluation containing information described in §2054.077(b), Government Code [measurement of vulnerability] which includes the susceptibility of a particular system to a specific attack [and the opportunities available to a threat agent to mount that attack].

  [(22) Vulnerability Report--A computer related report containing information described in §2054.077(b), Government Code, as that section may be amended from time to time.]

  (29) [(23)] Wireless Access--Using one or more of the following technologies to access the information resources systems of a state agency or institution of higher education:

    (A) Wireless Local Area Networks--Based on the IEEE 802.11 family of standards.

    (B) Wireless Personal Area Networks--Based on the Bluetooth and/or InfraRed (IR) technologies.

    (C) Wireless Handheld Devices--Includes text-messaging devices, Personal Digital Assistants (PDAs), and smart phones. NIST SP 800-48 provides an overview of Wireless Network Security 802.11 technologies and provides guidelines to reduce the risks associated with Bluetooth and Handheld Devices.

  [(24) Wireless Security Guidelines--The National Institute of Standards and Technology Special Publication 800-48, Wireless Network Security 802.11, Bluetooth and Handheld Devices.]

This agency hereby certifies that the proposal has been reviewed by legal counsel and found to be within the agency's legal authority to adopt.

Filed with the Office of the Secretary of State on May 21, 2009

TRD-200901999

Renee Mauzy

General Counsel

Department of Information Resources

Earliest possible date of adoption: July 5, 2009

For further information, please call: (512) 475-4750
