Texas Register

TITLE 1 ADMINISTRATION
PART 10 DEPARTMENT OF INFORMATION RESOURCES
CHAPTER 202 INFORMATION SECURITY STANDARDS
RULE §202.3 Management and Staff Responsibilities
ISSUE 03/22/2002
ACTION Proposed

(a) The agency head or his or her designated representative(s) shall review and approve ownership of information resources and their associated responsibilities.

(b) The owner of an information resource, with the agency head's concurrence, is responsible for classifying business functional information. Agencies are responsible for defining all information classification categories except the Confidential Information category, which is defined in 202.1 of this chapter, and establishing the appropriate controls for each.

(c) Owners, custodians, and users of information resources shall be identified, and their responsibilities defined and documented by the agency. In cases where information resources are used by more than one major business function, the owners shall reach consensus and advise the information security function as to the designated owner with responsibility for the information resources. The following distinctions among owner, custodian, and user responsibilities should guide determination of these roles:

  (1) Owner Responsibilities. The owner or his or her designated representative(s) are responsible for and authorized to:

    (A) Approve access and formally assign custody of an information resources asset;

    (B) Determine the asset's value;

    (C) Specify data control requirements and convey them to users and custodians;

    (D) Specify appropriate controls, based on risk assessment, to protect the state's information resources from unauthorized modification, deletion, or disclosure. Controls shall extend to information resources outsourced by the agency;

    (E) Confirm that controls are in place to ensure the accuracy, authenticity, and integrity of data;

    (F) Ensure compliance with applicable controls;

    (G) Assign custody of information resources assets and provide appropriate authority to implement security controls and procedures; and

    (H) Review access lists based on documented agency security risk management decisions.

  (2) Custodian responsibilities. Custodians of information resources, including entities providing outsourced information resources services to state agencies, must:

    (A) Implement the controls specified by the owner(s);

    (B) Provide physical and procedural safeguards for the information resources;

    (C) Assist owners in evaluating the cost-effectiveness of controls and monitoring; and

    (D) Implement the monitoring techniques and procedures for detecting, reporting, and investigating incidents.

  (3) User responsibilities. Users of information resources shall use the resources only for defined purposes and comply with established controls.

(d) The Information Security Officer. Each agency head shall designate an information security officer to administer the agency information security program. The Information Security Officer shall report to executive level management.

  (1) It shall be the duty and responsibility of this individual to develop and recommend policies and establish procedures and practices, in cooperation with owners and custodians, necessary to ensure the security of information resources assets against unauthorized or accidental modification, destruction, or disclosure.

  (2) The Information Security Officer shall document and maintain an up-to-date information security program. The information security program must be approved by the agency head.

  (3) The Information Security Officer is responsible for monitoring the effectiveness of defined controls for mission critical information.

  (4) The Information Security Officer shall report, at least annually, to the agency head the status and effectiveness of information resources security controls.

(e) A review of the agency's information security program for compliance with these standards will be performed at least annually by individual(s) independent of the information security program and designated by the agency head or the Information Resources Manager.

This agency hereby certifies that the proposal has been reviewed by legal counsel and found to be within the agency's legal authority to adopt.

Filed with the Office of the Secretary of State on March 6, 2002

TRD-200201365

Renee Mauzy

General Counsel

Department of Information Resources

Earliest possible date of adoption: April 21, 2002

For further information, please call: (512) 475-4750
