
Texas Register Preamble


The Department of Information Resources (department) proposes new §§202.1, security standards definitions; 202.2, security standards policy; 202.3, management and staff responsibilities; 202.4, managing security risks; 202.5, managing physical security; 202.6, business continuity planning; 202.7, information resources security safeguards; and 202.8, user security practices. Simultaneous with publication of these proposed rules, the department is proposing the repeal of §201.13, information resource standards, so that all information security standards are transferred from chapter 201, §201.13(a) to chapter 202, §§202.1-202.8 of Title 1. The department is also proposing, in different rulemakings, the transfer of §201.13(c), communications wiring standards for state facilities, to new chapter 208, §208.1 and §208.2. The department believes the public and agencies affected by the department's rules can more easily locate the rules if they are grouped, by subject matter, in discrete chapters between chapters 201 through 249 of Title 1.

Proposed §202.1 contains the definitions applicable within chapter 202. The section contains many of the definitions from the department's information resource standards rule located in §201.13(a). It also contains new definitions of "business continuity planning," "department," "information resources," "platform," and "vulnerability report." The new definitions are proposed to clarify the rules and because they are referenced in the rules.

Proposed §202.1 also proposes amendments to the existing definitions of "access," "confidential information," "control," "information security program," "security incident or breach," and "security risk analysis." The proposed amendment to the definition of "access" shortens and clarifies the definition. The change proposed to "confidential information" is non-substantive. The changes proposed to the other definitions are efforts to clarify the definitions.

Proposed §202.2 contains the same provisions relating to the State's information resources security standards policy as currently exist in §201.13(a)(3). Proposed §202.3, concerning management and staff responsibilities for information resources, corresponds to existing §201.13(a)(5). The information is presented more clearly in the proposed §202.3. The term "business functional" information is substituted for the term "program functional" information, and a requirement is added that the owners of information resources specify and ensure adequate controls to protect the information resources, including information that is outsourced.

Proposed §202.3(d) requires designation of an information security officer to administer the agency information security program. This individual must report to executive level management, thereby assuring appropriate executive level management attention to information resources security. Existing §201.13(a) provided for institution of an information security function. The proposed provision is clearer and provides an organizational reporting structure for the agency's information security officer. Proposed new §202.3(e) requires an annual compliance review of each agency's information security program, rather than the biennial review currently required, so that adequate security measures are maintained.

Proposed §202.4, which deals with managing security risks, is substantially changed from the risk management section in existing §201.13(a)(6). As proposed, security risk analyses must be updated based on inherent risk. Inherent risk and frequency of the security risk analysis will be ranked, at a minimum, as "high," "medium," or "low" based on defined criteria. Security risk assessment results, vulnerability reports and similar information must be documented and presented to the agency head or his or her representative. The agency head must make the final security risk management decisions regarding accepting exposures or protecting data according to the value and sensitivity of the data. These provisions are intended to link the frequency and nature of security risk analyses to the relative risk of a particular security risk. The criteria are based on security standards adopted by the U.S. Treasury in its Treasury Electronic Authentication Policy.

The physical security management provisions of existing §201.13(a)(8) are strengthened in proposed §202.5. The department believes this is critical given the terrorist attacks on our nation in the past six months. Management and documentation of physical access to mission critical information resources facilities are the responsibility of the agency head or his or her representative. Physical security measures are to be reviewed annually rather than periodically. Proposed §202.5(d) specifies that emergency procedures must be in writing, and must be developed, updated and tested at least annually. These requirements will help ensure that physical security is up to date. Pursuant to proposed §202.5(e), agencies are to refer to the State Office of Risk Management for applicable physical security rules and guidelines.

Proposed §202.6(a) provides that agencies should maintain written business continuity plans, a copy of which must be maintained off-site, to minimize the effects of a disaster and so that mission critical functions can be maintained during or quickly resumed after the disaster. Elements of the business continuity plan are laid out in the proposed rule. The presence of a written disaster recovery plan is a required element of each business continuity plan. Proposed §202.6(b) provides for the scheduled back-up and off-site storage of mission critical data in a secure, environmentally safe, locked facility that is accessible only to authorized agency representatives.

Proposed §202.7 concerns security safeguards applicable to information resources. Its provisions are somewhat changed from the security safeguards in existing 1 T.A.C. §201.13(a)(9). For instance, proposed §202.7(c)(4) requires that information resources systems which use passwords be based on documented agency security risk management decisions and industry best practices, rather than on the existing federal standard. The existing provision in 1 T.A.C. §201.13(a)(9)(F)(iv) is changed to delete the requirement that the department's instructions for reporting security incidents must specify that the reports must not contain any information which would itself compromise the security of the reporting agency, and to delete the URL at which the instructions can be found. Proposed §202.7(e)(3), relating to auditing, requires that, based upon a security risk assessment, a sufficiently complete history of transactions shall be maintained to permit an audit of the information resources system by logging and tracing the activities of individuals through the system. The department believes that activation of the logging function should assist law enforcement in criminal investigations, should such investigations be necessary. Proposed §202.7(g) adds the requirement that information security and audit controls be included in all phases of the system development lifecycle or acquisition process.

Proposed §202.7(h), concerning security policies, is not in the department's existing security rule. Proposed paragraph (1) requires that each agency head, or his or her representative, and the information security officer create, distribute and implement information security policies. The policies to be included are set forth in §202.7(1)(A) through (V). Proposed subsection (i) requires each agency to establish a perimeter protection strategy that includes some or all of the components set forth in §202.7(i)(A) through (D). Proposed subsection (j) requires that system identification/logon banners include warning statements addressing the areas set forth in §202.7(j)(A) through (D).

Proposed §202.8 requires that all authorized users of information resources formally acknowledge they will comply with the security policies and procedures of the agency or they will not be granted access to the information resources. Devices designated for public access shall be configured to enforce security policies and procedures without the requirement of formal acknowledgement. Proposed §202.8(c) requires the agency executive director, or his or her designee, to consider requiring execution of non-disclosure agreements to protect information from disclosure by employees and contractors, and subsection (d) requires agencies to provide an ongoing information security awareness education program for all users. New employees shall be introduced to information security awareness and information security policies and procedures at new employee orientation.

Mr. Mel Mireles, director of the Enterprise Operations Division, has determined that for each year of the first five years after adoption of the proposed rules, there will be no fiscal implications for local government as a result of adoption of the rules, because the rules are not applicable to local government. He anticipates that there is a fiscal impact to state agencies in complying with the rules. The impact will vary by state agency depending on the determination each makes as to whether to maintain a business continuity plan, how much of the information already exists, and the costs charged by contractors to provide the plan, if the agency elects to maintain a business continuity plan and further elects to have the plan developed by contractors. Development costs of a business continuity plan range between 0% and 2% of an agency operating budget depending on risk and previous work performed by an agency. In addition, security equipment costs per instance may range as follows: firewalls - $0.00 to $75,000.00, intrusion detection system - $0.00 to $15,000.00, and routers - $0.00 to $26,000.00. In most cases, these security equipment costs do not include training or maintenance and vary depending on agency risk and equipment already acquired.

Mr. Mireles does not anticipate either a loss of, or increase in, revenues to state or local government as a result of the proposed rules. There will be no effect on small businesses and no additional anticipated economic cost to persons as a result of adoption of the proposed rules. The public benefit of adoption of the rules is increased security of state agency information resources in the face of cyberterrorism.

Comments on the proposed new §§202.1-202.8 may be submitted to Renee Mauzy, General Counsel, Department of Information Resources, via mail to P.O. Box 13564, Austin, Texas 78711, or electronically to renee.mauzy@dir.state.tx.us no later than 5:00 p.m. CST within 30 days after publication.

The new rules are proposed pursuant to §2054.052(a), Government Code, which provides the department may adopt rules as necessary to implement its responsibilities under the Information Resources Management Act.

The department is not aware of other statutes affected by the proposed rules.
