The following words and terms, when used in this chapter, shall have the following meanings, unless the context clearly indicates otherwise.
(1) Access--The physical or logical capability to view, interact with, or otherwise make use of information resources.
(2) Agency Head--The top-most senior executive with operational accountability for an agency, department, commission, board, office, council, authority, or other agency in the executive or judicial branch of state government, that is created by the constitution or a statute of the state; or institutions of higher education, as defined in §61.003, Education Code.
(3) Availability--The security objective of ensuring timely and reliable access to and use of information.
(4) Cloud Computing--Has the same meaning as "Advanced Internet-Based Computing Service" as defined in §2157.007(a), Texas Government Code.
(5) Confidential Information--Information that must be protected from unauthorized disclosure or public release based on state or federal law or other legal agreement.
(6) Confidentiality--The security objective of preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
(7) Control--A safeguard or protective action, device, policy, procedure, technique, or other measure prescribed to meet security requirements (i.e., confidentiality, integrity, and availability) that may be specified for a set of information resources. Controls may include security features, management constraints, personnel security, and security of physical structures, areas, and devices.
(8) Control Standards Catalog--The document that provides state agencies and higher education institutions state-specific implementation guidance for alignment with the National Institute of Standards and Technology (NIST) SP (Special Publication) 800-53 security controls.
(9) Custodian--See Information Custodian.
(10) Department--The Department of Information Resources.
(11) Destruction--The result of actions taken to ensure that media cannot be reused as originally intended and that information is technologically infeasible or prohibitively expensive to recover.
(12) Electronic Communication--A process used to convey a message or exchange information via electronic media. It includes the use of electronic mail (email), Internet access, Instant Messaging (IM), Short Message Service (SMS), facsimile transmission, and other paperless means of communication.
(13) Encryption (encrypt or encipher)--The conversion of plaintext information into a code or ciphertext using a variable called a "key" and processing those items through a fixed algorithm to create the encrypted text that conceals the data's original meaning.
(14) Guideline--Recommended, non-mandatory controls that help support standards or serve as a reference when no applicable standard is in place.
(15) High Impact Information Resources--Information resources whose loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Such an event could:
(A) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions;
(B) result in major damage to organizational assets;
(C) result in major financial loss; or
(D) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.
(16) Information--Data as processed, stored, or transmitted by a computer.
(17) Information Custodian--A department, agency, or third-party service provider responsible for implementing the information owner-defined controls and access to an information resource.
(18) Information Owner(s)--A person(s) with statutory or operational authority for specified information or information resources.
(19) Information Resources--As defined in §2054.003(7), Texas Government Code.
(20) Information Resources Manager--As defined in §2054.071, Texas Government Code.
(21) Information Security Program--The policies, standards, procedures, elements, structure, strategies, objectives, plans, metrics, reports, services, and resources that establish an information resources security function within an institution of higher education or state agency.
(22) Information System--An interconnected set of information resources under the same direct management control that shares common functionality. An information system normally includes, but is not limited to, hardware, software, network infrastructure, information, applications, communications, and people.
(23) Integrity--The security objective of guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.
(24) ITCHE--Information Technology Council for Higher Education.
(25) Low Impact Information Resources--Information resources whose loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. Such an event could:
(A) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced;
(B) result in minor damage to organizational assets;
(C) result in minor financial loss; or
(D) result in minor harm to individuals.
(26) Moderate Impact Information Resources--Information resources whose loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. Such an event could:
(A) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced;
(B) result in significant damage to organizational assets;
(C) result in significant financial loss; or
(D) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.
(27) Network Security Operations Center (NSOC)--As defined in §2059.001(1), Texas Government Code.
(28) Personal Identifying Information (PII)--A category of personal identity information as defined by §521.002(a)(1), Business and Commerce Code.
(29) Procedure--Instructions to assist information security staff, custodians, and users in implementing policies, standards, and guidelines.
(30) Residual Risk--The risk that remains after security controls have been applied.
(31) Risk--The effect on the entity's missions, functions, image, reputation, assets, or constituencies considering the probability that a threat will exploit a vulnerability, the safeguards already in place, and the resulting impact. Risk outcomes are a consequence of the impact levels defined in this section.
(32) Risk Assessment--The process of identifying, evaluating, and documenting the level of impact on an organization's mission, functions, image, reputation, assets, or individuals that may result from the operation of information systems. Risk assessment incorporates threat and vulnerability analyses and considers mitigations provided by planned or in-place security controls.
(33) Risk Management--The process of aligning information resources risk exposure with the organization's risk tolerance by accepting, transferring, or mitigating risk exposures.
(34) Security Incident--An event which results in the accidental or deliberate unauthorized access, loss, disclosure, modification, disruption, or destruction of information or information resources.
(35) Sensitive Personal Information--A category of personal identity information as defined by §521.002(a)(2), Business and Commerce Code.
(36) Standards--Specific mandatory controls that help enforce and support the information security policy.
(37) Threat--Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals.
(38) User of an Information Resource--An individual, process, or automated application authorized to access an information resource in accordance with federal and state law, agency policy, and the information owner's procedures and rules.
(39) Vulnerability Assessment--A documented evaluation containing information described in §2054.077(b), Texas Government Code, which includes the susceptibility of a particular system to a specific attack.
The agency certifies that legal counsel has reviewed the adoption and found it to be a valid exercise of the agency's legal authority.
Filed with the Office of the Secretary of State on February 25, 2015.
TRD-201500657
Martin H. Zelinsky
General Counsel
Department of Information Resources
Effective date: March 17, 2015
Proposal publication date: November 7, 2014
For further information, please call: (512) 475-4700