
Texas Register Preamble


The department adopts new Subchapter C, Security Standards for Institutions of Higher Education, with new §202.70, Responsibilities of the Agency Head, that clarifies the roles and responsibilities for an institution of higher education head related to information security. New §202.71, Responsibilities of the Information Security Officer, provides details on the responsibilities for the institution's designated information security officer. The department adopts new §202.72, Staff Responsibilities, that clarifies the security responsibilities of institution of higher education staff who own, have custody, or use information resources. New §202.73, Security Reporting, highlights the required reporting of security incidents and the biennial security plan to the department; and the institution of higher education information security officer's annual report on security policies, procedures and practices to the institution head. New §202.74, Institution Information Security Program, requires each institution of higher education to develop, document and implement an institution-wide information security program approved by the institution head. New §202.75, Managing Security Risks, requires each institution of higher education to perform and document a risk assessment of the institution's information and information systems and assess levels of risk on the institution's mission and function. Finally, new §202.76, Security Control Standards Catalog, establishes a Control Standards document published by the department that provides minimum information security requirements for state information and information systems, and standards to be used by institutions of higher education to provide appropriate levels of information security according to risk levels.

The clarification of terms and definitions and the specific operational and business procedures highlighted in the chapter increase the effectiveness of the for agencies and institutions.

Todd Kimbriel, Deputy Executive Director, determined that during the first five-year period following the repeal and adoption of new 1 TAC Chapter 202, there will be no fiscal impact on local government. Mr. Kimbriel has also determined that during the first five-year period following the adoption of new 1 TAC Chapter 202, there may be fiscal impact to state agencies and institutions of higher education that are required to reconfigure information technology systems to meet the minimally acceptable system configuration requirements in §202.24 and §202.26 for state agencies and §202.74 and §202.76 for institutions of higher education. That fiscal impact will vary, depending on the degree to which the state agency or institution has a mature and robust information technology infrastructure that addresses the security standards developed in the Security Controls Standards Catalog. To minimize the impact on agencies and institutions, the required controls in the Security Controls Standards Catalog will be phased in over a period of three years, with no new controls in the first year.

Mr. Kimbriel further determined that for each year of the first five years following the adoption of new 1 TAC Chapter 202 there are no anticipated additional economic costs to persons or small businesses required to comply with the repeals and new rules.

The repeals are adopted pursuant to §2054.052(a), Texas Government Code, which authorizes the department to adopt rules as necessary to implement its responsibilities under Chapter 2054, Texas Government Code; and §2059.053, Texas Government Code, which authorizes the department to adopt rules related to network security.

No other code, article or statute is affected by this adoption.


