Texas Register Preamble


The Texas Department of Information Resources (department) proposes the repeal of 1 TAC Chapter 202, §§202.1 - 202.3, §§202.20 - 202.28, and §§202.70 - 202.78, concerning Information Security Standards, and new 1 TAC Chapter 202, §§202.1 - 202.4, §§202.20 - 202.26, and §§202.70 - 202.76, to ensure the rules more accurately reflect legislative actions and clarify the processes and policies of current information security practices. The new rules are necessary as the result of passage of Senate Bill 1102 (83R), effective as of May 10, 2013, which legislation added §2054.551, Texas Government Code, establishing a state cybersecurity coordinator. The new rules are also necessary as the result of passage of Senate Bill 1134 (83R), effective as of September 1, 2013, which legislation amended §2054.059, Texas Government Code, requiring the department to establish a state cybersecurity framework. Finally, the new rules are necessary as the result of passage of Senate Bill 1597 (83R), effective September 1, 2013, which legislation added §2054.133, Texas Government Code, requiring state agencies to develop an information security plan. The department published a formal notice of rule review in the September 6, 2013, issue of the Texas Register (38 TexReg 5907).

The changes to the chapter apply to state agencies and institutions of higher education. The assessment of the impact of the proposed changes on institutions of higher education was prepared in consultation with the Information Technology Council for Higher Education (ITCHE) in compliance with §2054.121(c), Texas Government Code.

The department proposes to repeal 1 TAC Chapter 202 in its entirety in order to rename rule titles, revise rule language, and renumber the chapter as new 1 TAC Chapter 202, Information Security Standards. In addition, consistent with the department's existing treatment of institutions of higher education, the new rules accommodate differences in how the rules apply to state agencies and to institutions of higher education.

In proposed new Subchapter A, Definitions, the department proposes new §202.1 that defines new terms and technologies related to information security practices. Proposed new terms defined include: Agency Head, Availability, Cloud Computing, Confidentiality, Control Catalog, Custodian, Destruction, Guideline, High Impact Information Resource, Information Custodian, Information Resources Manager, Information System, Integrity, ITCHE, Low Impact Information Resource, Moderate Impact Information Resources, Network Security Operations Center, Personal Identifying Information (PII), Procedure, Residual Risk, Risk, and Standards. Proposed new §202.2 defines institution of higher education, while new §202.3 defines state agency. Proposed §202.4 defines the responsibilities of the state's Chief Information Security Officer.

In proposed new Subchapter B, Information Security Standards for State Agencies, the department proposes new §202.20, Responsibilities of the Agency Head, that clarifies the roles and responsibilities of an agency head related to information security. Proposed new §202.21, Responsibilities of the Information Security Officer, provides details on the responsibilities of the agency's designated information security officer. The department proposes new §202.22, Staff Responsibilities, that clarifies the security responsibilities of state agency staff who own, have custody of, or use information resources. Proposed new §202.23, Security Reporting, highlights the required reporting of security incidents and the biennial security plan to the department, and the agency information security officer's annual report on security policies, procedures, and practices to the agency head. Proposed new §202.24, Agency Information Security Program, requires each agency to develop, document, and implement an agency-wide information security program approved by the agency head. Proposed new §202.25, Managing Security Risks, requires each agency to perform and document a risk assessment of the agency's information and information systems and to assess the levels of risk to the agency's mission and function. Finally, proposed new §202.26, Security Control Standards Catalog, establishes a Control Standards document published by the department that provides minimum information security requirements for state information and information systems, and standards to be used by state agencies to provide appropriate levels of information security according to risk levels.

The department proposes new Subchapter C, Information Security Standards for Institutions of Higher Education, with proposed new §202.70, Responsibilities of the Agency Head, that clarifies the roles and responsibilities of an institution of higher education head related to information security. Proposed new §202.71, Responsibilities of the Information Security Officer, provides details on the responsibilities of the institution's designated information security officer. The department proposes new §202.72, Staff Responsibilities, that clarifies the security responsibilities of institution of higher education staff who own, have custody of, or use information resources. Proposed new §202.73, Security Reporting, highlights the required reporting of security incidents and the biennial security plan to the department, and the institution of higher education information security officer's annual report on security policies, procedures, and practices to the institution head. Proposed new §202.74, Institution Information Security Program, requires each institution of higher education to develop, document, and implement an institution-wide information security program approved by the institution head. Proposed new §202.75, Managing Security Risks, requires each institution of higher education to perform and document a risk assessment of the institution's information and information systems and to assess the levels of risk to the institution's mission and function. Finally, proposed new §202.76, Security Control Standards Catalog, establishes a Control Standards document published by the department that provides minimum information security requirements for state information and information systems, and standards to be used by institutions of higher education to provide appropriate levels of information security according to risk levels.

The clarification of terms and definitions, and the specific operational and business procedures highlighted in the rule, increase the effectiveness of the rule for agencies and institutions. Todd Kimbriel, Deputy Executive Director, has determined that during the first five-year period following the repeal and adoption of new 1 TAC Chapter 202, there will be no fiscal impact on local government. Mr. Kimbriel has also determined that during the first five-year period following the adoption of new 1 TAC Chapter 202, there may be a fiscal impact on state agencies and institutions of higher education that are required to reconfigure information technology systems to meet the minimally acceptable system configuration requirements in §202.24 and §202.26 for state agencies and §202.74 and §202.76 for institutions of higher education. That fiscal impact will vary, depending on the degree to which the state agency or institution already has a mature and robust information technology infrastructure that addresses the security standards developed in the Security Control Standards Catalog. To minimize the impact on agencies and institutions, the required controls in the Security Control Standards Catalog will be phased in over a period of three years, with no new controls in the first year.

Mr. Kimbriel has further determined that for each year of the first five years following the adoption of new 1 TAC Chapter 202, there are no anticipated additional economic costs to persons or small businesses required to comply with the repeal and proposed new rules.

Written comments on the proposed repeal and the adoption of new rules may be submitted to Mark Howard, Assistant General Counsel, 300 West 15th Street, Suite 1300, Austin, Texas 78701 or to mark.howard@dir.texas.gov. Comments will be accepted for 30 days after publication in the Texas Register.

The new rules are proposed pursuant to §2054.052(a), Texas Government Code, which authorizes the department to adopt rules as necessary to implement its responsibilities under Chapter 2054, Texas Government Code; and §2059.053, Texas Government Code, which authorizes the department to adopt rules related to network security.

No other code, article or statute is affected by this proposal.
