Texas Register Preamble


The Texas Department of Information Resources (department) adopts the repeal of 1 TAC Chapter 202, §§202.1 - 202.3, 202.20 - 202.28, and 202.70 - 202.78 concerning Information Security Standards without changes to the proposal as published in the November 7, 2014, issue of the Texas Register (39 TexReg 8641). The department also adopts new Chapter 202, §§202.1 - 202.4, 202.20 - 202.26, and 202.70 - 202.76 to ensure the rules more accurately reflect legislative actions and clarify the processes and policies of current information security practices. Sections 202.2 - 202.4, 202.20, and 202.70 are adopted without changes to the proposed text as published in the November 7, 2014, issue of the Texas Register (39 TexReg 8641) and will not be republished. Sections 202.1, 202.21 - 202.26, and 202.71 - 202.76 are adopted with changes.

The new rules are necessary as the result of passage of Senate Bill 1102 (83R), effective as of May 10, 2013, which legislation added §2054.551, Texas Government Code, establishing a state cybersecurity coordinator. The new rules are also necessary as the result of passage of Senate Bill 1134 (83R), effective as of September 1, 2013, which legislation amended §2054.059, Texas Government Code, requiring the department to establish a state cybersecurity framework. Finally, the new rules are necessary as the result of passage of Senate Bill 1597 (83R), effective September 1, 2013, which legislation added §2054.133, Texas Government Code, requiring state agencies to develop an information security plan. The department published a formal notice of review in the September 6, 2013, issue of the Texas Register (38 TexReg 5907).

A number of public comments were received and these public comments and department responses are as follows:

Comment on §202.1(11): One commenter from a state agency recommended removing the word "virtually" since destruction in IT implies destroying something so that it is technologically infeasible to recover data.

Agency Response to Comment on §202.1(11): The department accepts the suggested modification and will replace the word "virtually" with the suggested phrase "technologically infeasible".

Comment on §202.1(11): One commenter from a state agency recommended adding a definition of "sanitization" since destruction implies a physical act, as opposed to "sanitization" which implies a logical act (e.g., overwriting).

Agency Response to Comment on §202.1(11): The phrase "sanitization" is not used within the rule. Thus the department will not include the suggested definition in the rule.

Comment on §202.1(22): One commenter from a state agency suggested changing the definition of an information system to accommodate a standalone device.

Agency Response to Comment on §202.1(22): For purposes of Chapter 202, a standalone device is an "Information Resource". Interconnected Information Resources comprise a system. The suggested change is not accepted.

Comment on §202.1(26): One commenter from a state agency asked whether the rule is setting a statewide data classification scheme.

Agency Response to Comment on §202.1(26): The inclusion of definitions for High, Moderate, and Low Impact Information Resources is to provide agencies and institutions of higher education a standard set of terms for assessing the criticality of an information resource. It is not designed to set a statewide data classification scheme.

Comment on §202.1(26): One commenter from a state agency questioned the definition of a Mission Critical Information resource as it relates to High Impact Information resources.

Agency Response to Comment on §202.1(26): Due to the confusion and ambiguity created by the term Mission Critical Information Resources, the department removed the definition of this term.

Comment on §202.20(1): One commenter from a state agency recommended being less prescriptive on the title and suggested the alternate wording: "designate an agency executive information security head who has the experience, explicit authority, and the duty to administer...and if this agency is a part of a "System", this individual would have a reporting relationship to the head of the System-level information security head".

Agency Response to Comment on §202.20(1): The department considered this comment and will not make a modification to the rule.

Comment on §202.21(a): A department employee found the word "that" repeated and recommended striking one instance.

Agency Response to Comment on §202.21(a): The department concurs with the recommendation and will strike the second instance of the word "that". The same change will be made to §202.71(a).

Comment on §202.21(b)(9): One commenter from a state agency stated this "new requirement will have a staffing resource impact on agency information security offices for establishing new processes, therefore, time is needed for compliance." The commenter recommended adding the phrase, "implementation will be on a risk-based phased approach".

Agency Response to Comment on §202.21(b)(9): The department considered this comment and modified the rule to read "coordinating the review of data security requirements, specifications, and, if applicable, third-party risk assessment of any new computer applications or services that receive, maintain, and/or share confidential data." The department feels that having the ISO coordinate the review allows for the workload to be better distributed. The same change will be made to §202.71(b)(9).

Comment on §202.21(b)(10): One commenter from a state agency stated the "in place" reference equates to security findings being fixed prior to purchase. This could be problematic with time-to-market needs and the ability to address all security issues prior to purchase. The commenter recommended modifying the language to read "security requirements be identified and risk mitigation plans be developed and contractually agreed and obligated prior to the purchase...."

Agency Response to Comment on §202.21(b)(10): The department concurs with the recommendation and will modify the language with the suggested wording above. The same change will be made to §202.71(b)(10).

Comment on §202.21(b)(10): With the striking of the definition of a Mission Critical Information Resource, in response to a comment received, department staff commented the use of mission critical in this rule could be confusing.

Agency Response to Comment on §202.21(b)(10): The department concurs with the recommendation and will delete the phrase Mission Critical. The same change will be made to §202.71(b)(10).

Comment on §202.21(b)(10): One commenter from a state agency stated the proposed rule doesn't take into account new technologies that are not on the market yet, nor does it address emerging threats. The commenter further stated a risk based approach is better suited to state agency environments.

Agency Response to Comment on §202.21(b)(10): The department believes the comments are addressed by the deletion of the phrase Mission Critical, resulting from the previous comment.

Comment on §202.22: One commenter from a state agency recommended adding "In consultation with the agency IRM and ISO" to the rule.

Agency Response to Comment on §202.22: The department concurs with the recommendation and will add the suggested language. The same change will be made to §202.72.

Comment on §202.22(2)(D): One commenter from a state agency stated custodians providing security training could be difficult, because their skills vary. The commenter further recommended "custodians reinforce employee information security training with the agency's information security requirements and practices...."

Agency Response to Comment on §202.22(2)(D): The department considered this comment and will not make a modification to the rule.

Comment on §202.23(b)(1)(A): One commenter from a state agency stated the rule never actually requires that the information in the reports be reported to the department.

Agency Response to Comment on §202.23(b)(1)(A): The department considered this comment and modified the section to reflect explicit reporting responsibilities. The same change will be made to §202.73(b)(1)(A).

Comment on §202.23(b)(1)(A): One commenter from a state agency recommended adding "at a minimum..." to the reporting requirements of the immediate supervisor and ISO.

Agency Response to Comment on §202.23(b)(1)(A): The department considered this comment but feels it is best for the ISO at each agency to establish their internal process for handling incidents.

Comment on §202.23(b)(1)(A): One commenter from a state agency recommended the term "department" be identified with the Department of Information Resources' CISO office, where applicable.

Agency Response to Comment on §202.23(b)(1)(A): The term department is defined in §202.1(10) as the Department of Information Resources. Changes were made throughout the rule to ensure "department" was capitalized consistently.

Comment on §202.23(b)(1)(A): An employee of the department recommended defining more explicitly the types of criminal violations that must be reported to the department.

Agency Response to Comment on §202.23(b)(1)(A): The department concurs with the recommendation and will modify the language to specify only violations of criminal law that stem from state or federal information security or privacy laws must be reported. The same change will be made to §202.73(b)(1)(A).

Comment on §202.24(b)(3): Several commenters from state agencies stated the language indicated a formal, face-to-face training, which may be cost prohibitive in large organizations. One commenter from a state agency recommended modifying the rule to include "a new employee program which provides security awareness and informs new employees...."

Agency Response to Comment on §202.24(b)(3): The department concurs with the comments and will make the following modification to the rule: strike the reference to new employee orientation and add "during onboarding process." This should allow agencies the freedom to provide security awareness training in multiple formats. The same change will be made to §202.74(b)(3).

Comment on §202.25(3) and (4): Several state agencies commented that day-to-day details of reviewing risk assessments and vulnerability reports should be the responsibility of the ISO, not the agency head. One commenter suggested the language be modified to: "(3) Risk assessment results, vulnerability reports, and similar information shall be documented and presented to the Information Security Officer or his or her designee(s). (4) Approval of the security risk acceptance, transference, or mitigation decision shall be the responsibility of: (i) The Information Security Officer or his or her designee(s) for systems identified with a Low or Moderate residual risk. (ii) The state agency head or his or her designated representative(s) for systems identified with a High residual risk."

Agency Response to Comment on §202.25(3) and (4): The department concurs with the comments and will make the following modification to the rule: "(3) Risk assessment results, vulnerability reports, and similar information shall be documented and presented to the Information Security Officer or his or her designated representative(s). (4) Approval of the security risk acceptance, transference, or mitigation decision shall be the responsibility of: (A) the information security officer or his or her designee(s), in coordination with the information owner, for systems identified with a Low or Moderate residual risk. (B) The state agency head for all systems identified with a residual High Risk." The same change will be made to §202.75(3) and (4).

Comment on §202.26(a): An employee of the department recommended making the location of the catalog less prescriptive, so that it can be placed on a protected site.

Agency Response to Comment on §202.26(a): The department concurs with the recommendation and will modify the language to reflect the suggestion. The same change will be made to §202.76(a).

Comment on §202.26(a): One commenter from a state agency stated the rule was too prescriptive and would need to be vetted by a committee that has agency representation. The commenter further recommended this be removed because each agency should determine mandatory requirements based upon the mission of the individual agency.

Agency Response to Comment on §202.26(a): The department has considered this comment, but finds the rulemaking process the appropriate place to establish statewide standards.

Comment on §202.26(c): Two commenters from state agencies stated the inclusion of this portion of the rule would be costly to state agencies and also recommended DIR continue to provide this service without a cost to the agencies.

Agency Response to Comment on §202.26(c): The department has considered this comment, but believes the rule complies with requirements of Texas Government Code §2054.133. The department will continue to provide scanning and assessment services, as funds are available.

Comment on §202.26(d)(1): One commenter from a state agency stated the rule was too prescriptive and the agency should decide which controls are applicable.

Agency Response to Comment on §202.26(d)(1): The department has considered this comment, but finds the rulemaking process the appropriate place to establish statewide standards.

Comment on §202.26(d)(1): One commenter from a state agency stated the rule was too prescriptive. The agency should determine the timeframe of compliance with new standards on a system-by-system approach based on the system's environment, complexity, cost, resources, and impact.

Agency Response to Comment on §202.26(d)(1): The department has considered this comment, but is phasing controls in over the next two years to accommodate agency planning.

Comment on §202.26(d)(4): One commenter from a state agency stated the rule was too prescriptive. The agency should determine the timeframe of compliance with new standards on a system-by-system approach based on the system's environment, complexity, cost, resources, and impact.

Agency Response to Comment on §202.26(d)(4): The department has considered this comment, but finds the timeline appropriate for agencies to either establish a method to implement the requirement or document an exception.

Comment on §202.26(e)(3): One commenter from a public institution of higher education commented the "and" connecting items (1) - (3) made the institution identify a federal requirement for each more stringent control it wanted to implement.

Agency Response to Comment on §202.26(e)(3): The department concurs with the comments and will make the following modification to the rule: (1) contain at least the applicable standards issued by the department; or (2) are consistent with applicable federal law, policies and guidelines issued under state rule, industry standards, best practices, or deemed necessary to adequately protect the information held by the agency. The same change will be made to §202.76(e)(3).

END OF PUBLIC COMMENTS AND DEPARTMENT RESPONSES

The changes to the chapter apply to state agencies and institutions of higher education. The assessment of the impact of the changes on institutions of higher education was prepared in consultation with the Information Technology Council for Higher Education in compliance with §2054.121(c), Texas Government Code.

The department hereby repeals 1 TAC Chapter 202 in its entirety to rename titles, revise language, and allow for the resulting numbering of a new 1 TAC Chapter 202, Information Security Standards. In addition, consistent with the department's treatment of institutions of higher education, the new rules allow for any difference as to how this may apply to state agencies and institutions of higher education.

In new Subchapter A, Definitions, the department adopts new §202.1 that defines new terms and technologies related to information security practices. New terms defined include: Agency Head, Availability, Cloud Computing, Confidentiality, Control Catalog, Custodian, Destruction, Guideline, High Impact Information Resource, Information Custodian, Information Resources Manager, Information System, Integrity, ITCHE, Low Impact Information Resource, Moderate Impact Information Resources, Network Security Operations Center, Personal Identifying Information (PII), Procedure, Residual Risk, Risk, and Standards. New §202.2 defines institution of higher education, while new §202.3 defines state agency. New §202.4 defines the responsibilities of the state's Chief Information Security Officer.

In new Subchapter B, Information Security Standards for State Agencies, the department adopts new §202.20, Responsibilities of the Agency Head, that clarifies the roles and responsibilities for an agency head related to information security. New §202.21, Responsibilities of the Information Security Officer, provides details on the responsibilities for the agency's designated information security officer. The department adopts new §202.22, Staff Responsibilities, that clarifies the security responsibilities of state agency staff who own, have custody, or use information resources. New §202.23, Security Reporting, highlights the required reporting of security incidents and the biennial security plan to the department; and the agency information security officer's annual report on security policies, procedures and practices to the agency head. New §202.24, Agency Information Security Program, requires each agency to develop, document and implement an agency-wide information security program approved by the agency head. New §202.25, Managing Security Risks, requires each agency to perform and document a risk assessment of the agency's information and information systems and assess levels of risk on the agency's mission and function. Finally, new §202.26, Security Control Standards Catalog, establishes a Control Standards document published by the department that provides minimum information security requirements for state information and information systems, and standards to be used by state agencies to provide appropriate levels of information security according to risk levels.
