The Department of Information Resources (department) proposes to publish for public comment proposed new 1 TAC Chapter 202, §§202.1 - 202.3, 202.20 - 202.27 and 202.70 - 202.77 in their entirety, as a portion of the rules affected by the implementation of §2054.121, Texas Government Code, Coordination with Institutions of Higher Education. The department and the Information Technology Council of Higher Education identified former department Chapter 202 as needing restructuring to clarify the instances in which the rule will apply to Institutions of Higher Education. The department intends to publish repeal of Chapter 202 by separate action.

Section 202.1(7) was updated to cite to the correct section of the Information Resources Management Act for the definition of "information resources." In new Chapter 202, relating to the management of security risks, §202.22(b) (for state agencies) and §202.72(b) (for institutions of higher education) were changed to provide that system changes could cause an entire classification to move to another risk category, either higher or lower. Sections 202.25 (for state agencies) and 202.75 (for institutions of higher education) were altered to clarify that the security safeguards should apply when indicated by documented security risk management decisions. Sections 202.25(c)(5) (for state agencies) and 202.75(c)(5) (for institutions of higher education) were altered to provide accurate cross references to newly published 1 TAC Chapter 203, which is updated to refer to the Uniform Electronic Transactions Act (UETA) guidelines. There have been no other substantive changes to the rule, other than the restructuring.

The department disagreed with a recommendation by the Information Technology Council of Higher Education to extend the deadline for reporting security incidents to the department from five business days to nine working days, therefore, no change to the reporting requirements in the existing rule are being proposed in this rule.

The new rules are structured into three subchapters. Subchapter A, §§202.1 - 202.3 are definitions. Subchapter B, §§202.20 - 202.27 contains the rules that apply only to state agencies. Subchapter C, §§202.70 - 202.77 contains the rules that apply only to institutions of higher education. These rules are promulgated to implement §2054.121, Texas Government Code, which requires the repeal and readoption of rules in a manner that expressly applies to institutions of higher education, and §2054.052(a), Texas Government Code, which authorizes the department to adopt rules necessary to implement its responsibilities under the Information Resources Management Act.

The rules being proposed for publication underwent the analysis required by §2054.121, Texas Government Code, and were found to have no impact on the mission of higher education, student populations, and federal grant requirements. Alternate methods of implementation of this policy were considered to achieve the purpose of the rules and no alternates were found. The department did consider exempting institutions of higher education from all or part of the requirements of the rules. The department believes that application of the rules to institutions of higher education is in the public interest.

Mr. Edward Block, acting Director of Security for the department, has determined that there will be no fiscal implications for state or local government if the proposed rules are adopted. The public will benefit by the adoption.

Mr. Block believes there will be no different effect on small businesses than there is on large businesses and that there is no additional anticipated economic cost to persons if the rules are adopted.

Comments on the proposed adoption of the rules may be submitted to Renée Mauzy, General Counsel, Department of Information Resources, via mail to P.O. Box 13564, Austin, Texas 78711, or electronically to renee.mauzy@dir.state.tx.us no later than 5:00 p.m. CST, within 30 days after publication.

The rules are proposed under §2054.121 and §2054.052(a), Texas Government Code.