Texas Register Preamble


The Department of Information Resources (department) adopts new 1 T.A.C. Chapter 202, §§202.1 - 202.3, 202.20 - 202.27 and 202.70 - 202.77, concerning information security standards, in their entirety, as part of the rules affected by the implementation of §2054.121, Texas Government Code, Coordination with Institutions of Higher Education. Sections 202.1, 202.24 - 202.27, 202.71, 202.74 and 202.76 are adopted with changes to the proposed text as published in the September 10, 2004, issue of the Texas Register (29 TexReg 8704). Sections 202.2, 202.3, 202.20 - 202.23, 202.70, 202.72, 202.73, 202.75 and 202.77 are adopted without changes and will not be republished.

Before department board consideration of the proposed rules, they were informally submitted to agencies that had asked to review rules affecting them prior to board consideration. No comments were received in response to that circulation of the proposed rules.

The department received written comments on the proposed rules from Texas A&M University, the University of Texas-San Antonio, the State Auditor's Office and the Information Technology Council for Higher Education.

The University of Texas at San Antonio commented that the word "institution" should be changed to "state agency" in §202.25(d). Staff agrees and has modified §202.25(d) to refer to "state agency." Texas A&M recommended §202.21(d)(3) and §202.71(d)(3) be modified to state that the Information Security Officer has a responsibility for monitoring confidential information resources as well as mission critical information resources. As proposed, these sections assigned responsibility only for mission critical information resources. Staff agrees with this comment and addressed it by expanding the definition of "mission critical" information resources in §202.1(9) to include confidential information.

The Information Technology Council for Higher Education recommended the department modify §202.26(d) and §202.76(d) to allow agencies and institutions of higher education nine calendar days rather than five working days in which to file monthly incident reports with the department. The department agrees with this comment and has modified §202.26(d) and §202.76(d) to allow nine calendar days in which to file monthly security incident reports.

The State Auditor's Office urged that the Information Security Officer report to executive level management rather than to senior management so that executive management is aware of security risks facing the institution of higher education and how those risks are addressed. Staff agrees with this recommendation and has changed §202.71(d) to require that the Information Security Officer report to executive management. The department supported this change because security concerns may not receive adequate attention at institutions of higher education if the Information Security Officers report to senior management, which may be a department head, rather than to executive management, such as a vice president of administration. Unaddressed security issues may create liability for the State. Reporting to executive management does not require that the Information Security Officer report to the university president. It is sufficient for compliance with §202.71(d) that the Information Security Officer report to a vice president of administration position, or something similar, with broad administrative authority.

The State Auditor's Office also commented that DIR should give guidance on a minimal approach to making risk management decisions and on the content of the documentation of those decisions. We agree it would be helpful to offer training on conducting risk assessments, and we will develop information resources manager training that covers several approaches to assessing security risks. However, no modifications to the rule are required in order to address this comment. In addition, the department maintains templates on its Website for the security policies we suggest be developed in §202.25(g) and §202.75(7).

The State Auditor's Office also commented that the security policies recommended in §202.25(g) and §202.75(7) be required unless the state agency or institution of higher education elected not to implement a particular policy based on a documented security risk assessment and that the decision not to implement a particular policy be approved by executive management. The department disagrees with the requested change because of the potential fiscal costs of implementing all of the policies.

The State Auditor's Office also urged that the definition of "test" in §202.1(16) of the rules be modified from "a simulated or documented 'real live' incident that has occurred" to "a simulated or documented 'real-live' incident that is formally documented." Staff agreed the definition should be modified to require that records be maintained of the test results and has modified the definition of "test" to require that records be kept of security incidents.

Finally, the State Auditor's Office requested that the results of tests conducted by state agencies, including institutions of higher education, be used to update disaster recovery plans. The department agrees and has modified §202.24(a)(5) and §202.74(a)(5) to require that in testing disaster recovery plans, the results of any tests performed be used to update the plan.

Section 202.1(7) of the new rules cites to the correct section of the Information Resources Management Act for the definition of "information resources." In new Chapter 202, relating to the management of security risks, §202.22(b) (for state agencies) and §202.72(b) (for institutions of higher education) provide that system changes could cause an entire classification to move to another risk category, either higher or lower. Section 202.25 (for state agencies) and §202.75 (for institutions of higher education) clarify that the security safeguards should apply when indicated by documented security risk management decisions. Section 202.25(c)(5) (for state agencies) and §202.75(c)(5) (for institutions of higher education) provide accurate cross references to new 1 T.A.C. §§203.1 - 203.3; 203.20 - 203.27 and 203.40 - 203.46, concerning management of electronic transactions and signed records, which is updated to refer to the Uniform Electronic Transactions Act (UETA) guidelines. 1 T.A.C. §§203.1 - 203.3; 203.20 - 203.27 and 203.40 - 203.46 are adopted separately.

Other than as noted above, the new rules are not substantively different from the former rules relating to information security standards in 1 T.A.C. Chapter 202, which are being repealed by separate action. The new rules are structured into three subchapters. Subchapter A, §§202.1 - 202.3, contains definitions. Subchapter B, §§202.20 - 202.27, contains the rules that apply only to state agencies that are not institutions of higher education. Subchapter C, §§202.70 - 202.77, contains the rules that apply only to institutions of higher education.

The new rules are adopted pursuant to §2054.121, Texas Government Code, which requires the repeal and readoption of rules in a manner that expressly applies to institutions of higher education, and §2054.052(a), Texas Government Code, which authorizes the department to adopt rules necessary to implement its responsibilities under the Information Resources Management Act.

The new rules affect §2054.121 and §2054.052, Texas Government Code.