The following words and terms, when used in this chapter, shall have the following meanings, unless the context clearly indicates otherwise.
(1) Access--The physical or logical capability to view, interact with, or otherwise make use of information resources.
(2) Agency Head--The top-most senior executive with operational accountability for an agency, department, commission, board, office, council, authority, or other agency in the executive or judicial branch of state government, that is created by the constitution or a statute of the state; or institutions of higher education, as defined in Texas Education Code § 61.003 [§61.003, Education Code].
(3) Application--As defined in Texas Government Code § 2054.003(1).
(4) [(3)] Availability--The security objective of ensuring timely and reliable access to and use of information.
(5) [(4)] Cloud Computing--Has the same meaning as "Advanced Internet-Based Computing Service" as defined in Texas Government Code § 2157.007(a) [, Texas Government Code].
(6) Cloud Computing Service--The meaning assigned by Special Publication 800-145 issued by the United States Department of Commerce National Institute of Standards and Technology, as the definition existed on January 1, 2015.
(7) [(5)] Confidential Information--Information that must be protected from unauthorized disclosure or public release based on state or federal law or other legal agreement.
(8) [(6)] Confidentiality--The security objective of preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
(9) [(7)] Control--A safeguard or countermeasure [protective action], including devices [device], policies, [policy,] procedures, [procedure] techniques [technique], or other measures, [measure] that are prescribed to meet security requirements of an information system or organization to preserve [(i.e.,] confidentiality, integrity, and availability[) that may be specified for a set of information resources]. Controls may include security features, management constraints, personnel security, and security of physical structures, areas, and devices.
(10) [(8)] Control Standards Catalog--The document that provides state agencies and higher education institutions state-specific implementation guidance for alignment with the National Institute of Standards and Technology (NIST) SP (Special Publication) 800-53 security controls.
(11) [(9)] Custodian--See information custodian.
(12) [(10)] Department--The Department of Information Resources.
(13) [(11)] Destruction--The result of actions taken to ensure that physical and digital media cannot be reused as originally intended and that information is technologically infeasible [to recover] or prohibitively expensive to recover.
(14) [(12)] Electronic Communication--A process used to convey a message or exchange information via electronic media. It includes the use of electronic mail (email), Internet access, Instant Messaging (IM), Short Message Service (SMS), facsimile transmission, and other paperless means of communication.
(15) [(13)] Encryption (encrypt or encipher)--The conversion of plaintext information into a code or cipher text using a variable called a "key" and processing those items through a fixed algorithm to create the encrypted text that conceals the data's original meaning.
(16) FedRAMP--Federal Risk and Authorization Management Program.
(17) [(14)] Guideline--Recommended, non-mandatory controls that help support standards or serve as a reference when no applicable standard is in place.
(18) [(15)] High Impact Information Resources--Information Resources whose loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Such an event could:
(A) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions;
(B) result in major damage to organizational assets;
(C) result in major financial loss; or
(D) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening [life threatening] injuries.
(19) [(16)] Information--Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, electronic, or audiovisual forms. [Data as processed, stored, or transmitted by a computer.]
(20) [(17)] Information Custodian--A department, agency, or third-party service provider responsible for implementing the information owner-defined controls and access to an information resource.
(21) [(18)] Information Owner(s)--A person(s) with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. [or information resources].
(22) [(19)] Information Resources--As defined in Texas Government Code § 2054.003(7) [§2054.003(7), Texas Government Code].
(23) [(20)] Information Resources Manager--As defined in Texas Government Code § 2054.071 [§2054.071, Texas Government Code].
(24) [(21)] Information Security Program--The policies, standards, procedures, elements, structure, strategies, objectives, plans, metrics, reports, services, and resources that establish an information resources security function within an institution of higher education or state agency.
(25) [(22)] Information System--A discrete [An interconnected] set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. [under the same direct management control that shares common functionality.] An Information System normally includes, but is not limited to, hardware, software, network infrastructure [Infrastructure], information, applications, communications, and people.
(26) [(23)] Integrity--The security objective of guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.
(27) [(24)] ITCHE--Information Technology Council for Higher Education.
(28) [(25)] Low Impact Information Resources--Information resources whose loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. Such an event could:
(A) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced;
(B) result in minor damage to organizational assets;
(C) result in minor financial loss; or
(D) result in minor harm to individuals.
(29) [(26)] Moderate Impact Information Resources--Information Resources whose loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. Such an event could:
(A) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced;
(B) result in significant damage to organizational assets;
(C) result in significant financial loss; or
(D) result in significant harm to individuals that does not involve loss of life or serious life-threatening [life threatening] injuries.
(30) [(27)] Network Security Operations Center (NSOC)--As established by [defined in] Texas Government Code § 2059.101 [§2059.001(1), Texas Government Code].
(31) Nonconfidential Data--Information that is not required to be or may not be protected from unauthorized disclosure or public release based on state or federal law or other legal agreement.
(32) [(28)] Personal Identifying Information (PII)--A category of personal identity information as defined by Texas Business and Commerce Code § 521.002(a)(1) [, Business and Commerce Code].
(33) [(29)] Procedure--Instructions to assist information security staff, custodians, and users in implementing policies, standards, and guidelines.
(34) Program Manual--Program manual for the Texas risk and authorization management program.
(35) [(30)] Residual Risk--The risk that remains after security measures [control] have been applied.
(36) [(31)] Risk--The effect on the entity's missions, functions, image, reputation, assets, or constituencies considering the probability that a threat will exploit a vulnerability, the safeguards already in place, and the resulting impact. Risk outcomes are a consequence of Impact levels defined in this section.
(37) [(32)] Risk Assessment--The process of identifying, evaluating, and documenting the probability and level of impact on an organization's mission, functions, image, reputation, assets, or individuals that may result from the operation of information systems. Risk Assessment incorporates threat and vulnerability analyses and considers mitigations provided by planned or in-place security controls.
(38) [(33)] Risk Management--The process of aligning information resources risk exposure with the organization's risk tolerance by either accepting, transferring, or mitigating risk exposures.
(39) Security Assessment--The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.
(40) [(34)] Security Incident--An event that [which] results in the accidental or deliberate unauthorized access, loss, disclosure, modification, disruption, exposure, or destruction of information or information resources.
(41) [(35)] Sensitive Personal Information--A category of personal identity information as defined by Texas Business and Commerce Code § 521.002(a)(2) [§521.002(a)(2), Business and Commerce Code].
(42) [(36)] Standards--Specific mandatory controls that help enforce and support the information security policy.
(43) State-controlled data--Any and all data that is created, processed, or stored by a state agency.
(44) StateRAMP--The risk and authorization management program, built upon the National Institute of Standards and Technology Special Publication 800-53 and modeled after the FedRAMP program, that provides state and local governments a common method for verification of cloud security.
(45) Statewide Technology Centers--As defined in Texas Government Code § 2054.375(2).
(46) [(37)] Threat--Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals by the unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
(47) TX-RAMP--The Texas risk and authorization management program.
(48) [(38)] User of [an] Information Resources [Resource]--An individual, process, or automated application authorized to access an information resource in accordance with federal and state law, agency policy, and the information-owner's procedures and rules.
(49) [(39)] Vulnerability Assessment--A documented evaluation containing information described in Texas Government Code § 205.077(b) [§2054.077(b), Texas Government Code] which includes the susceptibility of a particular system to a specific attack.
The agency certifies that legal counsel has reviewed the proposal and found it to be within the state agency's legal authority to adopt.
Filed with the Office of the Secretary of State on August 26, 2021
TRD-202103364
Katherine Rozier Fite
General Counsel
Department of Information Resources
Earliest possible date of adoption: October 10, 2021
For further information, please call: (512) 475-4552