Texas Register Preamble


The Texas Department of Information Resources (department) proposes amendments to 1 TAC Chapter 202, §§202.1, 202.20 - 202.26, and 202.70 - 202.76, concerning Information Security Standards.

PART I. PURPOSE, BACKGROUND, AND AUTHORITY

The proposed amendments would clarify and standardize policy requirements for state agencies and institutions of higher education to help protect the State's critical information resources and the security of citizens' information.

The proposed clarifications and additions address three technical areas of security controls: firewalls, encryption, and incident response; and they reflect findings and recommendations of the State Auditor's Office (SAO) as well as improved technical standards.

The following proposed amendments are necessary to address the findings and recommendations of SAO Report No. 08-030 for the department to standardize network controls and firewall configurations and establish minimum security policies for network devices and periodically test firewall security to verify compliance with these policies. The affected security control provisions are:

§202.1(4), (5), (7), (10), (14), (15), and (20);

§202.21 and §202.71: (b), (c)(1)(D) - (F), (H), and (I); (c)(2)(B); (d)(3) and (5);

§202.23 and §202.73: (a) and (b);

§202.24 and §202.74: (a)(1)(A) - (C);

§202.25 and §202.75: (2)(A) and (B); (7)(B), (D), (G), (I), (K), (U), (X), (Z)(iii) and (iv), and (AA); (8) "Intrusion Protection System" state agency and institution of higher education; (8)(A) - (D);

§202.25(8) "Perimeter Security Controls" state agency only.

The following proposed amendments are necessary to clarify and improve the technical standards for encryption. The affected encryption standard change provisions are:

§202.1(9);

§202.25 and §202.75: (4), (4)(A) - (C); (7)(H) and (Z)(ii).

The following proposed amendments are necessary to clarify and improve the technical standards and best practices for reporting security incidents. The affected incident response-related change provisions are:

§202.1(22);

§202.25 and §202.75: (7)(J);

§202.26 and §202.76: (a) - (e).

Additionally, technical corrections in numbering, definitions, terminology, word usage, consistency, and clarifications are also included throughout the rule.

Numbering:

§202.1(7) - (29);

§202.21 and §202.71: (c)(1)(F) - (I);

§202.24 and §202.74: (a)(3) and (4);

§202.25 and §202.75: (7)(E) - (AA).

Definitions, terminology, and technical corrections:

§202.1(1) - (3), (8), (11), (12), (16) - (19), (21), (23) - (29);

§202.20 and §202.70;

§202.21 and §202.71: (c); (c)(1); (c)(1)(G); (c)(2)(A);

§202.22 and §202.72: (a); (a)(1)(B); (c);

§202.24 and §202.74: (a)(2); (b);

§202.25 and §202.75: (3)(C), (D), and (E); (5)(C); (6)(C); (7)(F);

§202.75(7).

Word usage, consistency, and clarifications:

§202.20 and §202.70: (1), (4), (5), (6), and (8);

§202.21 and §202.71: (a); (c)(2); (c)(2)(D); (d)(2);

§202.24 and §202.74: (a); (a)(4)(C) - (E);

§202.25 and §202.75: (1); (5)(A); (6)(A) and (B); (7)(Z)(i); (9)(D).

The amendments are proposed under §2054.052(a), Texas Government Code, which provides the department authority to adopt rules to implement its responsibility for information security.

PART II. EXPLANATION OF INDIVIDUAL PROVISIONS

The proposed amendments to these provisions are as follows:

§202.1(1). Administrative change that clarifies the definition of "Access" to more accurately reflect standard terminology.

§202.1(2). Administrative change that clarifies the definition of "Business Continuity Planning" to more consistently reflect standard terminology.

§202.1(3). Administrative change that clarifies the definition of "Confidential Information" to more accurately reflect constitutional, statutory, judicial, and legal requirements.

§202.1(4). Security control change that clarifies the definition of "Control" to more accurately reflect standard terminology.

§202.1(5). Security control change that clarifies the definition of "Custodian of an Information Resource" to more accurately include parties that may act on behalf of a state entity.

§202.1(7) - (29). Administrative change that renumbers to reflect additions and deletions to the list of applicable terms and technologies.

§202.1(7). Security control change that inserts and clarifies the definition of the term "DMZ (Demilitarized Zone)" from §202.25(8) and §202.75(8) (Perimeter Security Controls) in the list of applicable terms and technologies.

§202.1(8). Administrative change that inserts the term "Electronic Communication" in the list of applicable terms and technologies.

§202.1(9). Encryption standard change that inserts the definition of the term "Encryption" in the list of applicable terms and technologies.

§202.1(10). Security control change that inserts and updates the definition of the term "Firewall" from §202.25(8) and §202.75(8) (Perimeter Security Controls) in the list of applicable terms and technologies. The deleted definition "Owner of an Information Resource" is incorporated into the definition of "Information Owner" in §202.1(11).

§202.1(11). Administrative change that renumbers and clarifies the definition of the term "Information Owner" previously listed as "Owner of an Information Resource" at §202.1(10), to more accurately reflect standard terminology.

§202.1(12). Administrative change that renumbers and corrects the definition of the term "Information Resources" that was previously listed as §202.1(7), to accurately reflect the Texas Government Code reference; deletes the previous non-standard term, "Restricted Personal Information."

§202.1(14). Security control change that inserts and clarifies the definition of the term "Intrusion Detection System (IDS)" from §202.25(8) and §202.75(8) (Perimeter Security Controls) in the list of applicable terms and technologies.

§202.1(15). Security control change that inserts the term "Intrusion Prevention System (IPS)" in the list of applicable terms and technologies; deletes the previous non-standard term, "Security Risk Analysis."

§202.1(16). Administrative change that renumbers and clarifies the definition of "Mission Critical Information" that was previously listed as §202.1(9); deletes the previous non-standard term, "Security Risk Assessment" that is now defined as "Risk Assessment" in §202.1(18).

§202.1(17). Administrative change that renumbers the definition of the term "Platform" that was previously listed as §202.1(11); deletes the previous non-standard term, "Security Risk Management" that is now defined as "Risk Management" in §202.1(19).

§202.1(18). Administrative change that renumbers and clarifies the definition of "Risk Assessment" to replace the term "Security Risk Assessment" that was previously listed as §202.1(16).

§202.1(19). Administrative change that renumbers and clarifies the definition of "Risk Management" to replace the term "Security Risk Management" that was previously listed as §202.1(17).

§202.1(20). Security control change that inserts and updates the definition of the term "Router" from §202.25(8) and §202.75(8) (Perimeter Security Controls) in the list of applicable terms and technologies.

§202.1(21). Administrative change that renumbers and clarifies the definition of "Sanitize" that was previously listed as "Sanitized" in §202.1(13) to reflect an update to the referenced sources (U.S. Department of Defense 5220.22-M standards and NIST SP 800-88).

§202.1(22). Incident response-related change that renumbers and clarifies the definition of "Security Incident" that was previously listed as §202.1(14); deletes the term "Vulnerability Report".

§202.1(23). Administrative change that inserts the term "Sensitive Personal Information" in the list of applicable terms and technologies.

§202.1(24). Administrative change that renumbers and clarifies the definition of "Storage Device" that was previously listed as §202.1(18); deletes the term "Wireless Security Guidelines."

§202.1(25). Administrative change that renumbers and clarifies the definition of "Test" that was previously listed as §202.1(19).

§202.1(26). Administrative change that inserts the term "Threat" in the list of applicable terms and technologies.

§202.1(27). Administrative change that renumbers and clarifies the definition of "User of an Information Resource" that was previously listed as §202.1(20) to more consistently reflect standard terminology.

§202.1(28). Administrative change that renumbers and clarifies the definition of "Vulnerability Assessment" that was previously listed as §202.1(21) to more consistently reflect Texas Government Code terminology.

§202.1(29). Administrative change that renumbers and updates the definition of "Wireless Access" that was previously listed as §202.1(23); includes the associated references in §202.1(28)(C) that were previously listed in §202.1(24), "Wireless Security Guidelines."

§202.20 and §202.70. Administrative change that aligns risk management terminology to reflect clarifications to the list of applicable terms and technologies in §202.1.

§202.20(1), (4), (5), (6), (8) and §202.70(1), (4), (5), (6), (8). Administrative change for wording consistency.

§202.21(a) and §202.71(a). Administrative change that clarifies wording regarding information ownership and associated responsibilities.

§202.21(b) and §202.71(b). Security control change that clarifies the requirement for the information resource owner to coordinate with the head of the agency/institution of higher education when classifying business functional information.

§202.21(c) and §202.71(c). Administrative change that aligns Information Owner terminology to reflect clarifications to the list of applicable terms and technologies in §202.1 and clarifies Information Security Officer functions.

§202.21(c)(1) and §202.71(c)(1). Administrative change that aligns Information Owner terminology to reflect clarifications to the list of applicable terms and technologies in §202.1.

§202.21(c)(1)(D) and §202.71(c)(1)(D). Security control change that clarifies the responsibility and authority for data owners to specify controls that extend to services as well as to other information resources.

§202.21(c)(1)(E) and §202.71(c)(1)(E). Security control change that clarifies the responsibility for data owners to confirm that controls are in place to ensure data confidentiality as well as data accuracy, authenticity, and integrity.

§202.21(c)(1)(F) and §202.71(c)(1)(F). Security control change that deletes a redundant subparagraph that is incorporated into the previous subparagraphs.

§202.21(c)(1)(F) - (I) and §202.71(c)(1)(F) - (I). Administrative change that reletters subparagraphs to reflect additions and deletions to the list of Information Owner Responsibilities.

§202.21(c)(1)(G) and §202.71(c)(1)(G). Administrative change that aligns risk management terminology to reflect clarifications to the list of applicable terms and technologies in §202.1.

§202.21(c)(1)(H) and §202.71(c)(1)(H). Security control change that adds and clarifies the responsibility and authority for information owners to approve, justify, document, and coordinate agency and institution of higher education exceptions to security controls.

§202.21(c)(1)(I) and §202.71(c)(1)(I). Security control change that adds and clarifies the responsibility and authority for information owners to classify business functional information.

§202.21(c)(2) and §202.71(c)(2). Administrative change that clarifies the responsibilities of information resources custodians to include third party entities.

§202.21(c)(2)(A) and §202.71(c)(2)(A). Administrative change that aligns information owner terminology to reflect clarifications to the list of applicable terms and technologies in §202.1.

§202.21(c)(2)(B) and §202.71(c)(2)(B). Security control change that clarifies custodian responsibility to include technical safeguards for information resources.

§202.21(c)(2)(D) and §202.71(c)(2)(D). Administrative change for word usage.

§202.21(d)(2) and §202.71(d)(2). Administrative change for wording consistency.

§202.21(d)(3). Security control change that aligns the requirement for the state agency Information Security Officer to approve security controls for major information resources projects as specified in §§2054.304 - 2054.307, Texas Government Code. This change does not apply to institutions of higher education.

§202.21(d)(5) and §202.71(d)(5). Security control change that adds and clarifies the responsibility and authority for Information Security Officers to approve, justify, document, and communicate agency and institution of higher education exceptions to information security requirements or controls as part of the security risk assessment process.

§202.22(a) and §202.72(a). Administrative change that aligns risk management terminology to reflect clarifications in the list of applicable terms and technologies in §202.1.

§202.22(a)(1)(B) and §202.72(a)(1)(B). Administrative change that aligns data classification terminology to reflect clarifications to the list of applicable terms and technologies in §202.1.

§202.22(c) and §202.72(c). Administrative change that aligns risk management and risk assessment terminology to reflect clarifications in the list of applicable terms and technologies in §202.1 and corrects a Texas Government Code reference.

§202.23(a) and §202.73(a). Security control change that clarifies the scope of physical security management and documentation responsibilities.

§202.23(b) and §202.73(b). Security control change that clarifies the requirement for conducting a review at least annually of physical security measures for information resources as part of the risk assessment process, rather than as a separate, uncoordinated, or redundant effort.

§202.24(a) and §202.74(a). Administrative change that aligns the "shall" statement requiring the head of a state agency/institution of higher education to approve the Business Continuity Planning documentation with the requirement to maintain the plan.

§202.24(a)(1)(A) - (C) and §202.74(a)(1)(A) - (C). Security control change that updates and consolidates the elements of Business Impact Analysis for Business Continuity Planning using current best practices that were previously described in §202.24(a)(1)(A) - (H) and §202.74(a)(1)(A) - (H) as well as Recovery Strategies that were previously included in §202.24(a)(3) and §202.74(a)(3).

§202.24(a)(2) and §202.74(a)(2). Administrative change that aligns risk assessment terminology to reflect clarifications in the list of applicable terms and technologies in §202.1.

§202.24(a)(3) and §202.74(a)(3). Administrative change that renumbers previously numbered §202.24(a)(4) and §202.74(a)(4).

§202.24(a)(4) and §202.74(a)(4). Administrative change that renumbers previous §202.24(a)(5) and §202.74(a)(5) and clarifies Disaster Recovery Planning event criteria including severity and duration.

§202.24(a)(4)(C) - (E) and §202.74(a)(4)(C) - (E). Administrative changes that clarify word usage, eliminate redundant language (subparagraph (D)), and reletter §202.24(a)(4)(D) and (E) and §202.74(a)(4)(D) and (E).

§202.24(b) and §202.74(b). Administrative change that aligns mission critical information terminology to reflect clarifications in the list of applicable terms and technologies in §202.1.

§202.25 and §202.75. Security control change that aligns Information Resources Security Safeguard requirements with "shall" statements in subordinate paragraph sections. Also clarifies the process to approve, justify, and document exceptions to information security safeguards.

§202.25(1) and §202.75(1). Administrative change for word usage.

§202.25(2)(A) and §202.75(2)(A). Security control change that clarifies the scope of requirement to identify, document, and protect confidential information files or records consistent with the requirements stated in §202.20(1) and §202.70(1).

§202.25(2)(B) and §202.75(2)(B). Security control change that clarifies and updates the responsibility to protect information resources that are assigned to third parties.

§202.25(3)(C), (D) and §202.75(3)(C), (D). Administrative change that aligns risk management terminology to reflect clarifications to the list of applicable terms and technologies in §202.1.

§202.25(3)(E) and §202.75(3)(E). Administrative change that updates the reference for digital signature guidelines.

§202.25(4)(A), (B), (C) and §202.75(4)(A), (B), (C). Encryption standard change that clarifies and updates the technical and procedural standards for encryption. Describes the need to protect portable devices, removable media, and encryption keys. Provides specific encryption requirements for transmitting and storing confidential information and provides options for protecting other data classifications.

§202.25(5)(A) and §202.75(5)(A). Administrative change for wording consistency.

§202.25(5)(C) and §202.75(5)(C). Administrative change that aligns risk assessment terminology to reflect clarifications to the list of applicable terms and technologies in §202.1.

§202.25(6)(A), (B) and §202.75(6)(A), (B). Administrative change that clarifies procedural safeguards for protecting data within test environments.

§202.25(6)(C) and §202.75(6)(C). Administrative change that aligns information owner terminology to reflect clarifications in the list of applicable terms and technologies in §202.1 and for wording consistency.

§202.75(7). Administrative change that aligns risk assessment terminology to reflect clarifications to the list of applicable terms and technologies in §202.1. This change does not apply to §202.25(7).

§202.25(7)(B) and §202.75(7)(B). Security control change that clarifies and updates applicable "Account Management" policy requirements to include user identity and monitoring user access, as well as administering user accounts.
