
Texas Register Preamble


§202.25(7)(D) and §202.75(7)(D). Security control change that adds the recommendation for creating, distributing, and implementing an "Application Security" policy based on applicable risk management decisions and business functions.

§202.25(7)(E) - (AA) and §202.75(7)(E) - (AA). Administrative changes that reletter subparagraphs to reflect updates and additional entries.

§202.25(7)(F) and §202.75(7)(F). Administrative change that reletters and updates "Change Management" to include "Configuration Management" term to reflect standard security terminology.

§202.25(7)(G) and §202.75(7)(G). Security control change that reletters, clarifies and updates applicable "Email" with "Electronic Communication" policy requirements to include electronic messages in addition to email.

§202.25(7)(H) and §202.75(7)(H). Encryption standard change that adds the recommendation for creating, distributing, and implementing an "Encryption" policy based on applicable risk management decisions and business functions.

§202.25(7)(I) and §202.75(7)(I). Security control change that adds the recommendation for creating, distributing, and implementing a "Firewall" management policy based on applicable risk management decisions and business functions. Clauses (i) - (vi) provide suggested topic areas that the firewall policy should address.

§202.25(7)(J) and §202.75(7)(J). Incident response-related change that clarifies and updates "Incident Management" policy requirements to reflect reporting consistency with §202.26 and §202.76.

§202.25(7)(K) and §202.75(7)(K). Security control change that updates and replaces the previous "Password/Authentication" policy recommendation in §202.25(7)(L) and §202.75(7)(L) with "Identification/Authentication" policy requirements for granting access to resources in an information system based on applicable risk management decisions and business functions.

§202.25(7)(U) and §202.75(7)(U). Security control change that reletters, updates, and clarifies the previous "Platform Hardening" term in §202.25(7)(R) and §202.75(7)(R) with applicable "Platform Management" policy requirements to include configuration, patching and monitoring in addition to installing and maintaining the platform.

§202.25(7)(X) and §202.75(7)(X). Security control change that reletters, clarifies, and updates the previous "Vendor Access" policy in §202.25(7)(U) and §202.75(7)(U) with applicable "Third Party Access" policy requirements to include contractors, vendors, and other outside parties that have access to information resources, support services, and responsibilities for protecting state information.

§202.25(7)(Z)(i) and §202.75(7)(Z)(i). Administrative change that reletters, and clarifies word usage in, the previous §202.25(7)(W)(i) and §202.75(7)(W)(i).

§202.25(7)(Z)(ii) and §202.75(7)(Z)(ii). Encryption standard change that reletters, clarifies and updates the previous "Wireless Access" policy requirements in §202.25(7)(W)(ii) and §202.75(7)(W)(ii) to reflect revised technical encryption standards for transmitting confidential information.

§202.25(7)(Z)(iii), (iv) and §202.75(7)(Z)(iii), (iv). Security control change that reletters the previous §202.25(7)(W)(iii) and (iv) and §202.75(7)(W)(iii) and (iv), and replaces redundant "Wireless Access" in clause (iii) with information storage and transmission policy standards now contained in §202.25(4)(A), (B) and (C) and §202.75(4)(A), (B) and (C). Also clarifies and updates applicable "Wireless Access" policy requirements to include the requirement to periodically monitor compliance.

§202.25(7)(AA) and §202.75(7)(AA). Security control change that reletters, clarifies, and updates the previous §202.25(7)(X) and §202.75(7)(X) with applicable "Vulnerability Assessment" policy requirements to reflect the various types of assessments that can be performed and eliminate redundancy with other sections regarding risk assessments.

§202.25(8). Security control change that clarifies and updates the "Perimeter Security Controls" safeguard to include the department's requirement to provide related external security services for state agencies pursuant to Chapters 2054 and 2059, Texas Government Code. This change does not apply to institutions of higher education.

§202.25(8) and §202.75(8). Security control change that adds Intrusion Protection System (IPS) to the list of components that may be included as part of perimeter security controls; the IPS description is included at §202.1(14).

§202.25(8)(A), (B), (C), (D) and §202.75(8)(A), (B), (C), (D). Security control change that moves and updates the perimeter security component descriptions and definitions (DMZ, Firewall, IDS, Router) in the list of applicable terms and technologies (§202.1(7), (10), (13), and (19)).

§202.25(9)(D) and §202.75(9)(D). Administrative change that clarifies the requirement for system Logon Banners to specify that the no expectation of privacy statement applies to system users.

§202.26(a) and §202.76(a). Incident response-related change that clarifies and updates agency and institution of higher education reporting requirements for security incidents based on the business and technical impact of the incident. Also defines the types of security incidents that require timely reporting to the department.

§202.26(b) and §202.76(b). Incident response-related change that clarifies and updates requirements for responding to security incidents in ways that comply with law enforcement notification and evidence handling requirements.

§202.26(c) and §202.76(c). Incident response-related change that clarifies and streamlines incident reporting requirements. Also clarifies the security incident reporting responsibilities of vendors and other third parties with respect to the agencies and institutions of higher education that they support.

§202.26(d) and §202.76(d). Incident response-related change that clarifies the monthly summary reporting requirements for state agencies, institutions of higher education, and supporting third parties.

§202.26(e) and §202.76(e). Incident response-related change that incorporates the requirement that the Department of Information Resources provide additional reporting instructions into §202.26(c) and (d) and §202.76(c) and (d).

PART III. IMPACT STATEMENTS, PUBLIC BENEFITS AND COSTS

William A. Perez, State of Texas Chief Information Security Officer, has determined that for the first five-year period the rules are in effect there will be minimal fiscal implications for state government. There is no impact on local government as a result of enforcing or administering the rules. The fiscal implication of each provision is discussed below.

Mr. Perez has also determined that for each year of the first five-year period the rules are in effect, the public benefit anticipated will be improved protection of confidential information, including sensitive personal information, by state agencies, including institutions of higher education; improved clarity in state agency and institution of higher education firewall policy; and clear security standards for all state agency and institution of higher education employees to observe. Other than the positive impact of improved security of citizen information held by state agencies and institutions of higher education, there will be no effect on small businesses, micro-businesses or individuals and no taking of private property for public use.

A. Standardize network controls including firewall configurations.

The following provisions are affected: §§2054.051, 2054.052 and 2054.121, Texas Government Code.

There are no costs to state agencies and institutions of higher education when implementing standard best practices for the recommended provisions for security controls including firewall management using existing IT, security, and management staff.

Annual risk assessments are required internal functions for state agencies and institutions of higher education as addressed in §202.23(b) and §202.73(b). To assist in this effort, the department has funded the licensing for a web-based risk assessment tool that Texas A&M University developed for state agency and institution of higher education compliance with these rules and other risk assessment best practices. The annual cost to the department for user licenses, annual upgrades, and maintenance of the Information Security Awareness Assessment compliance (ISAAC) tool is $75,000. There is no additional cost to state agencies or institutions of higher education that elect to use the available licenses and web-based training.

Although each state agency and institution of higher education can implement testing and verification controls using manual and other no-cost, automated tools, the department provides annual controlled penetration tests that assess external security controls at no cost to state agencies. In fiscal 2008, the department delivered a total of 163 technical network vulnerability security assessments. Of this total, 112 assessments were complex controlled penetration tests and two were wireless network assessments for eligible state entities. The department also offers these services to institutions of higher education at nominal cost based on proportionate usage (no more than $15,000 per engagement) to the extent approved by the Information Technology Council for Higher Education and as required by §2059.052 and §2059.151, Texas Government Code. These costs are not applicable to state agencies and are optional expenditures for institutions of higher education.

B. Encryption.

The following provisions are affected: §§2054.051, 2054.052 and 2054.121, Texas Government Code.

There are no costs when agencies and institutions of higher education develop policies that prohibit the storing or transmission of confidential information on certain media or devices. For those state entities that must store and transmit confidential information on portable devices, via wireless networks or via the Internet, the proposed provisions provide reasonable assurance that this information will be protected from unauthorized exposure. The cost of encryption installed on portable devices will vary depending on the type of encryption employed. Some encryption can be installed without cost.

In a FY 2006 assessment of twenty-eight of the State's largest agencies, the department found that twelve had wireless implementations with a total of 826 wireless users. This number has continued to grow through the implementation of additional wireless technologies and business continuity contingency planning for remote computing. The ongoing emphasis on mobility and collaboration has made encryption a top priority to protect data. When properly prioritized and implemented, encryption investments can not only meet legislative mandates and compliance-driven regulations, they reinforce customer confidence in e-government services.

Between January 2005 and December 2008, thirty-four of the ninety-two incidents reported for Texas-based organizations were attributed to state government entities (Identity Theft Resource Center, "2008 Breach List" and Privacy Rights Clearinghouse, "Chronology of Data Breaches," 2008). The number of individual records exposed totaled over 3 million, which is over twelve percent of the state's population. The estimated cost of this type of security breach is at an all-time high of $202 per record exposed (Ponemon Institute, "Cost of a Data Breach" for the year 2008).

To assist state entities with their data protection efforts and to avoid the costs cited above, particularly for confidential data on mobile devices, the department issued a Buyers' Alert for a Whole Disk Encryption product in the fourth quarter of FY 2008 that was subsequently extended into FY 2009. This encryption solution satisfies all current and proposed state and federal data encryption compliance requirements. As a result of this offering, state entities increased their acquisition of Whole Disk Encryption licenses from 500 in FY 2007 to almost 60,000 in FY 2008. Department-managed "Go Direct" contracts for these types of products increased from $87,000 in FY 2007 to over $730,000 in FY 2008 and the first quarter of FY 2009. This type of enhanced security for confidential information stored on mobile devices is available at low, commodity pricing (approximately $11.50 per license) via multiple vendors on department-managed contracts. State entities can also avoid the risk to confidential information and the associated direct and indirect costs by adopting mobile computing and other information security policies that do not place confidential information at high risk of unauthorized disclosure.

C. Incident Reporting

The following provisions are affected: §§2054.051, 2054.052 and 2054.121, Texas Government Code.

There are no costs when agencies and institutions of higher education provide security incident reporting to the department using existing IT, security, and management staff. The department received a $250,000 allocation of State Homeland Security Program (SHSP) funds in fiscal year 2008 through the Texas State Administrative Agency (SAA) and the Governor's Division of Emergency Management (GDEM) to develop a sustainable Texas Computer Security Incident Response Team (CSIRT) program. The CSIRT development, training, and certification program is conducted in partnership with Carnegie Mellon University. To be effective, the department and agency CSIRT members need to receive timely reporting of significant security incidents as well as comprehensive monthly summary reports. The first two CSIRT training phases were completed in FY 2008. The third phase for the first class has been completed, and a new training cycle will begin in the fourth quarter of FY 2009. The department sponsors CSIRT activities at no cost to state agencies.

For monthly summary reporting, the department provides a web-based Security Incident Reporting System (SIRS) for the use of all state entities that are required to provide monthly summary reports of security events. The department maintains, updates and provides training for the SIRS reporting tool at no cost to state agencies and institutions of higher education. Additionally, the department coordinates with supporting vendors to provide compatible security incident reporting using automated network security monitoring tools to ease the workload of state security personnel at no cost to state agencies and institutions of higher education.

D. Technical corrections in numbering, definitions, terminology, word usage, consistency, and clarifications

The following provisions are affected: §§2054.051, 2054.052 and 2054.121, Texas Government Code.

There are no costs for agencies and institutions of higher education to implement these administrative changes.

PART IV. COMMENTS; AGENCY CERTIFICATION

Comments on the proposed rule changes may be submitted to Renee Mauzy, General Counsel, 300 West 15th Street, Suite 1300, Austin, Texas 78701, or to renee.mauzy@dir.state.tx.us. Comments will be accepted for 30 days after publication in the Texas Register.

The amendments are proposed pursuant to §2054.052(a), Texas Government Code, which authorizes the department to adopt rules as necessary to implement its responsibilities under Chapter 2054, Texas Government Code.

No other statutes, codes, or articles are affected by this proposal.
