Texas Register

TITLE 1 ADMINISTRATION
PART 10 DEPARTMENT OF INFORMATION RESOURCES
CHAPTER 202 INFORMATION SECURITY STANDARDS
SUBCHAPTER A DEFINITIONS
RULE §202.1 Applicable Terms and Technologies for Information Security Standards
ISSUE 11/07/2014
ACTION Proposed

The following words and terms, when used in this chapter, shall have the following meanings, unless the context clearly indicates otherwise.

  (1) Access--The physical or logical capability to view, interact with, or otherwise make use of information resources.

  (2) Agency Head--The top-most senior executive with operational accountability for an agency, department, commission, board, office, council, authority, or other agency in the executive or judicial branch of state government, that is created by the constitution or a statute of the state; or institutions of higher education, as defined in §61.003, Education Code.

  (3) Availability--The security objective of ensuring timely and reliable access to and use of information.

  (4) Cloud Computing--Has the same meaning as "Advanced Internet-Based Computing Service" as defined in §2157.007(a), Texas Government Code.

  (5) Confidential Information--Information that must be protected from unauthorized disclosure or public release based on state or federal law or other legal agreement.

  (6) Confidentiality--The security objective of preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

  (7) Control--A safeguard or protective action, device, policy, procedure, technique, or other measure prescribed to meet security requirements (i.e., confidentiality, integrity, and availability) that may be specified for a set of information resources. Controls may include security features, management constraints, personnel security, and security of physical structures, areas, and devices.

  (8) Control Standards Catalog--The document that provides state agencies and higher education institutions state-specific implementation guidance for alignment with the National Institute of Standards and Technology (NIST) SP (Special Publication) 800-53 security controls.

  (9) Custodian--See information custodian.

  (10) Department--The Department of Information Resources.

  (11) Destruction--The result of actions taken to ensure that media cannot be reused as originally intended and that information is virtually impossible to recover or prohibitively expensive to recover.

  (12) Electronic Communication--A process used to convey a message or exchange information via electronic media. It includes the use of electronic mail (email), Internet access, Instant Messaging (IM), Short Message Service (SMS), facsimile transmission, and other paperless means of communication.

  (13) Encryption (encrypt or encipher)--The conversion of plaintext information into a code or cipher text using a variable called a "key" and processing those items through a fixed algorithm to create the encrypted text that conceals the data's original meaning.

  (14) Guideline--Recommended, non-mandatory controls that help support standards or serve as a reference when no applicable standard is in place.

  (15) High Impact Information Resources--Information Resources whose loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Such an event could:

    (A) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions;

    (B) result in major damage to organizational assets;

    (C) result in major financial loss; or

    (D) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

  (16) Information--Data as processed, stored, or transmitted by a computer.

  (17) Information Custodian--A department, agency, or third-party service provider responsible for implementing the information owner-defined controls and access to an information resource.

  (18) Information Owner(s)--A person(s) with statutory or operational authority for specified information or information resources.

  (19) Information Resources--As defined in §2054.003(7), Texas Government Code.

  (20) Information Resources Manager--As defined in §2054.071, Texas Government Code.

  (21) Information Security Program--The policies, standards, procedures, elements, structure, strategies, objectives, plans, metrics, reports, services, and resources that establish an information resources security function within an institution of higher education or state agency.

  (22) Information System--An interconnected set of information resources under the same direct management control that shares common functionality. An Information System normally includes, but is not limited to, hardware, software, network infrastructure, information, applications, communications, and people.

  (23) Integrity--The security objective of guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.

  (24) ITCHE--Information Technology Council for Higher Education.

  (25) Low Impact Information Resources--Information resources whose loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. Such an event could:

    (A) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced;

    (B) result in minor damage to organizational assets;

    (C) result in minor financial loss; or

    (D) result in minor harm to individuals.

  (26) Mission Critical Information Resources--High impact Information Resources that are essential to the institution of higher education's or state agency's ability to meet its function(s). The loss of these resources or inability to restore them in a timely fashion would result in the failure of the institution of higher education's or state agency's operations, inability to comply with regulations or legal obligations, negative legal or financial impact, or endangerment of the health and safety of State citizens.

  (27) Moderate Impact Information Resources--Information Resources whose loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. Such an event could:

    (A) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced;

    (B) result in significant damage to organizational assets;

    (C) result in significant financial loss; or

    (D) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.

  (28) Network Security Operations Center (NSOC)--As defined in §2059.001(1), Texas Government Code.

  (29) Personal Identifying Information (PII)--A category of personal identity information as defined by §521.002(a)(1), Business and Commerce Code.

  (30) Procedure--Instructions to assist information security staff, custodians, and users in implementing policies, standards, and guidelines.

  (31) Residual Risk--The risk that remains after security controls have been applied.

  (32) Risk--The effect on the entity's missions, functions, image, reputation, assets, or constituencies considering the probability that a threat will exploit a vulnerability, the safeguards already in place, and the resulting impact. Risk outcomes are a consequence of the impact levels defined in this section.

  (33) Risk Assessment--The process of identifying, evaluating, and documenting the level of impact on an organization's mission, functions, image, reputation, assets, or individuals that may result from the operation of information systems. Risk Assessment incorporates threat and vulnerability analyses and considers mitigations provided by planned or in-place security controls.

  (34) Risk Management--The process of aligning information resources risk exposure with the organization's risk tolerance by either accepting, transferring, or mitigating risk exposures.

  (35) Security Incident--An event which results in the accidental or deliberate unauthorized access, loss, disclosure, modification, disruption, or destruction of information or information resources.

  (36) Sensitive Personal Information--A category of personal identity information as defined by §521.002(a)(2), Business and Commerce Code.

  (37) Standards--Specific mandatory controls that help enforce and support the information security policy.

  (38) Threat--Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals.

  (39) User of an Information Resource--An individual, process, or automated application authorized to access an information resource in accordance with federal and state law, agency policy, and the information owner's procedures and rules.

  (40) Vulnerability Assessment--A documented evaluation containing the information described in §2054.077(b), Texas Government Code, which includes the susceptibility of a particular system to a specific attack.

The agency certifies that legal counsel has reviewed the proposal and found it to be within the state agency's legal authority to adopt.

Filed with the Office of the Secretary of State on October 23, 2014

TRD-201404958

Martin H. Zelinsky

General Counsel

Department of Information Resources

Earliest possible date of adoption: December 7, 2014

For further information, please call: (512) 475-4700