Texas Register Preamble


The Department of Information Resources (department) adopts new §202.1, security standards definitions; 202.2, security standards policy; 202.3, management and staff responsibilities; 202.4, managing security risks; 202.5, managing physical security; 202.6, business continuity planning; 202.7, information resources security safeguards; and 202.8, user security practices. Sections 202.1, 202.3, 202.4, 202.6 and 202.7 are adopted with changes to the proposed text as published in the March 22, 2002, issue of the Texas Register (27 TexReg 2144). Sections 202.2, 202.5 and 202.8 are adopted without changes and will not be republished. Simultaneous with adoption of these rules, the department is adopting the repeal of §201.13 information resource standards, so that all information security standards are transferred from chapter 201, §201.13(a) to chapter 202, §202.1-202.8 of Title 1.

Implementation of the new rules by state agencies will increase the security of state agency information resources in an era of increased likelihood of cyberterrorism. Section 202.1 contains the definitions applicable within chapter 202. Section 202.2 sets forth security standards policy. Section 202.3 identifies management and staff responsibilities for information resources, including the requirement in subsection (d) for designation of an information security officer to administer the agency information security program. This individual must report to executive level management, thereby assuring appropriate executive level management attention to information resources security. Section 202.3(e) requires an annual compliance review of each agency's information security program to maintain adequate security measures. Section 202.4 addresses the management of security risks. It requires that security risk analyses be updated based on inherent risk. Inherent risk and frequency of the security risk analysis will be ranked, at a minimum, as "high," "medium," or "low" based on defined criteria. Security risk assessment results, vulnerability reports and similar information must be documented and presented to the agency head or his or her representative. The agency head must make the final security risk management decisions regarding accepting exposures or protecting data according to the value and sensitivity of the data. Adoption of these provisions links the frequency and nature of security risk analyses to the relative risk of a particular security risk. The criteria are based on security standards adopted by the U.S. Treasury in its Treasury Electronic Authentication Policy.

Section 202.5 strengthens physical security management of information resources, as warranted by the terrorist attacks on the U.S. in the past eight months. Management and documentation of physical access to mission critical information resources facilities are the responsibility of the agency head or his or her representative. Physical security measures must be reviewed annually. Section 202.5(d) specifies that emergency procedures must be in writing, and must be developed, updated and tested at least annually. Implementation of these requirements will help ensure that physical security is up to date. Pursuant to §202.5(e), agencies are to refer to the State Office of Risk Management for applicable physical security rules and guidelines. Section 202.6(a) provides that agencies should maintain written business continuity plans, a copy of which must be maintained off-site, to minimize the effects of a disaster and so that mission critical functions can be maintained during or quickly resumed after the disaster. Elements of the business continuity plan are laid out in this section. The presence of a written disaster recovery plan is a required element of each business continuity plan. Section 202.6(b) provides for the scheduled back-up and off-site storage of mission critical data in a secure, environmentally safe, locked facility that is accessible only to authorized agency representatives. Section 202.7 concerns security safeguards applicable to information resources. Section 202.7(c)(4) requires that information resources systems which use passwords shall be based on documented agency security risk management decisions and industry best practices. Section 202.7(e)(3) requires that, based upon a security risk assessment, a sufficiently complete history of transactions be maintained to permit an audit of the information resources system by logging and tracing the activities of individuals through the system. The department believes that activation of the logging function should assist law enforcement in criminal investigations, should such investigations be necessary. Section 202.7(g) adds the requirement that information security and audit controls be included in all phases of the system development lifecycle or acquisition process.

Section 202.7(h) requires each agency head, or his or her representative, and information security officer to create, distribute and implement information security policies. Policies to be included within such policy are set forth in §202.7(h)(1) through (22). Subsection (i) requires each agency to establish a perimeter protection strategy to include some or all of the components set forth in §202.7(i)(1) through (4). Subsection (j) requires that system identification/logon banners include warning statements addressing the areas set forth in §202.7(j)(1) through (4). Section 202.8 requires authorized users of information resources to formally acknowledge they will comply with the security policies and procedures of the agency or they will not be granted access to the information resources. Devices designated for public access shall be configured to enforce security policies and procedures without the requirement of formal acknowledgement. Section 202.8(c) requires the agency executive director, or his or her designee, to consider requiring execution of non-disclosure agreements to protect information from disclosure by employees and contractors, and subsection (d) requires agencies to provide an ongoing information security awareness education program for all users. New employees shall be introduced to information security awareness and information security policies and procedures at new employee orientation.

In accordance with §2001(a)(1), Government Code, the department's reasoned justification for adopting these rules is set out in the order adopting the rules. The order includes, by reference, this preamble and the rules adopted in §202.1-202.8. The department's reasoned justification for adoption of the rules is contained throughout this preamble, including why the rules are appropriate, the factual, policy and legal bases for the rules, a summary of comments received from interested organizations, including whether each organization was for or against adoption of the rules, names of the organizations that commented, and the reasons the department disagrees with some of the comments.

In developing the new security rules, the department extensively reviewed and analyzed security standards as well as the comments submitted to the department in response to publication of the proposed rules. The rules strengthen the security requirements applicable to state agencies in the wake of the events of September 11, 2001 while limiting, to the extent prudent, the costs associated with increased information resources security by making some of the requirements applicable only if the state agency determines, through risk assessment, that certain controls or processes are necessary to protect information resources from unauthorized or accidental modification, destruction or disclosure.

Changes from the rules as proposed and published in the March 22, 2002, Texas Register are found in the following sections of the rules:

The word "disruption" has been added to §202.1(12) to more fully define "security incident." "Information Resources Manager" is changed to "his or her designated representative" in §202.3(e) for clarification and consistency within the rule. In §202.4(a)(1), 202.4(a)(2), and 202.4(a)(3) the word "systems" has been replaced by "information resources" for clarification and consistency throughout the rule. Section 202.7(f)(1) has been rewritten to better clarify what types of incidents should be reported to the department within a 24-hour period. The sentence now reads "Security incidents shall be promptly investigated and documented. Security incidents shall be reported to the department within twenty-four hours if there is a substantial likelihood that such incidents could be propagated to other systems beyond the control of the agency." In §202.6(a) the sentence "Business Continuity Planning covers all business functions of an agency, and it is a business management responsibility" was added to clarify that it is the responsibility of the entire agency, rather than the responsibility of the information resource function within an agency, to provide business continuity planning.

In §202.7(f)(3) the words "and there is a substantial likelihood that such incidents could be propagated to other systems beyond the control of the agency" have been moved to §202.7(f)(1) for clarity. Sections 202.7(h), 202.7(i) and 202.7(j) were renumbered to conform to standard structure. For clarity, the second sentence of §202.7(h) has changed from "The following policies shall be required, but not limited," to "At a minimum, the following policies will be developed and published." In §202.7(h)(21) the acronyms "A/C, UPS, and PDU" were spelled out to read "Air Conditioning, Universal Power Supply, and Power Distribution Unit" for clarification. Section 202.7(j)(4), concerning having a warning statement on system identification and logon banners relating to "no expectation of privacy" has been amended in response to a comment received, to clarify that there is no expectation of privacy for users of state information resources other than as is provided by applicable privacy laws.

Comments on the rules were received from the Office of the Attorney General, which did not state a position on the rules and requested several clarifications and offered several wording changes. Comments were received from the State Auditor's Office, which did not state a position on the rules, but had several suggestions it believed would strengthen the rules. Comments were received from the University of Texas at Austin. These comments indicated support for parts of the rules and opposition to parts of the rules. The department received comments from the University of Texas Medical Branch at Galveston requesting clarification in some areas and suggested narrowing and broadening different parts of the rules. The University of Texas at San Antonio submitted comments opposing parts of the rules, requesting that parts of the rules be clarified and pointing out some differences between most state agencies and large universities that have cost implications. The University of Texas at San Antonio Health Science Center submitted comments identical to those submitted by the University of Texas at San Antonio. The Department of Insurance submitted comments in opposition to §202.6 relating to business continuity planning.

The department received the following comments concerning the proposed rules:

COMMENT: For §202.1(3) a commenter suggested that the definition of "confidential information" be revised.

RESPONSE: The department disagrees. The definition of "confidential information" in the rule is broad enough to cover the revisions suggested.

COMMENT: For §202.1(7) a commenter suggested that the definition for "information resources" include the word "data." Another agency suggested that the definition include the words "telecommunications and Personal Data Assistant."

RESPONSE: The department disagrees with the comments. The definition of information resources in Texas Government Code §2054.003(7) is broad enough to include all the terms suggested. The definition implies that data is protected when hardware, software, and equipment protect the perimeter. In addition, telecommunications and Personal Data Assistants are included in hardware, software and equipment.

COMMENT: For §202.1(12) commenters suggested that the word "disruption" be added to the definition of "Security Incident" for clarification.

RESPONSE: The department agrees and the definition of "security incident" was changed to include "disruption" for additional clarification.

COMMENT: For §202.3 a commenter suggested that the department include a template in the security guidelines to assist agencies with data classification; that confidential information should be included in §202.3(b) information classification categories; and that appropriate controls should be established in §202.7(b).

RESPONSE: The department disagrees. The rule does not exclude confidential information from the classification categories. The rule states "Agencies are responsible for defining all information classification categories except the 'confidential information' category, which is defined in §202.1(3)." Confidential information is defined by law. It is not subject to a different classification scheme by agencies than is established by law.

COMMENT: For §202.3 a commenter noted that the department's reference to information resources manager in this section is confusing, because the term "information resources manager" is not used elsewhere in the rule. A commenter suggested that the standards should state the responsibility of the information resources manager.

RESPONSE: The department agrees with the first comment. It has deleted the reference to "information resource manager" in §202.3(e) and has added "or his/her designated representative" for consistency within the rule. The department disagrees with the second comment, because it believes that agency heads need flexibility in defining lines of authority and responsibility within their organizations. The responsibilities of information resources managers, except as otherwise controlled by law, should be within the discretion of the particular agency head to establish.

COMMENT: Regarding §202.3 a commenter suggested that the standards should clarify the role of the information resource manager and the information resources manager should be referenced instead of the agency head.

RESPONSE: The department disagrees with the comment. By removing the reference to "information resource manager" in §202.3(e) the department has obviated the need for the term to be defined.

COMMENT: Commenters suggested that §202.1 of the rule should include a definition for "executive" and should define the reporting structure of the information security officer.

RESPONSE: The department disagrees, because it believes that the needs of agencies are better served by allowing the flexibility for each agency to determine the meaning of "executive" and the reporting structure of employees, within the agency.

COMMENT: For §202.3(e) an agency commented that an agency's internal auditor should be involved in the agency's security program compliance review.

RESPONSE: No changes are needed to the rule. The rule does not preclude an agency's internal auditor from being involved in the compliance review of information resources security.

COMMENT: Commenters suggested that "system" be defined in §202.4.

RESPONSE: The department eliminated the references to "system" throughout the rule, replacing them with "information resources." Sections 202.4(a), 202.4(b) and 202.4(c) were changed to delete references to "system"; therefore, there is no need to define "system."

COMMENT: A commenter indicated that §202.4 did not offer enough guidance to complete a risk assessment.

RESPONSE: The department disagrees. The rule establishes the minimum requirement to perform a risk assessment. The section is not intended to serve as guidelines. The criteria used in the rule are based on security standards adopted by the U.S. Treasury in its Treasury Electronic Authentication Policy.

COMMENT: Commenters indicated that §202.4(c) does not clarify the exemptions from the Texas Public Information Act for vulnerability reports.

RESPONSE: Agencies should look to Texas Government Code, §2054.077 and Texas Government Code, chapter 552, to determine what may be withheld from disclosure under the Texas Public Information Act. The department cannot make the determination by rule.

COMMENT: For §202.5(e) commenters indicated that the rule needs to clarify the exact State Office of Risk Management guidelines to be used.

RESPONSE: The department disagrees, because the State Office of Risk Management publishes a guide for physical security. The guide is listed on the State Office of Risk Management's website.

COMMENT: Commenters disagreed with §202.6(a), indicating (1) that a business continuity plan covers all phases of business and this should be an agency-wide responsibility, not just an information technology issue or function (a commenter contended that by putting business continuity planning in the rule it becomes an information technology function); (2) that the State Office of Risk Management should be responsible for business continuity planning, and this rule should be transferred to the State Office of Risk Management; and (3) that the rule was not clear as to whether it is a requirement to complete a business continuity plan. Another commenter indicated that the rule should be stronger, that business continuity planning is essential, and suggested that the rule should require agencies to complete business continuity plans.

RESPONSE: The department agrees that business continuity planning is an agency-wide process which covers all business functions. The department has clarified this by adding the wording "business continuity planning covers all business functions of an agency and is a business management responsibility." The department believes that the State Office of Risk Management currently does not have rules or guidelines for business continuity planning. The department will work with the State Office of Risk Management to assist with the guidelines. The department disagrees with making business continuity planning a requirement. It believes that agencies' risks are different and each agency should define its own level of risk. The risk assessment should determine whether a business continuity plan is necessary and a prudent business practice.

COMMENT: Regarding §202.7(e) commenters indicated that the statement requiring encryption for storage and transmission of information is too broad, and that there is no provision for escrow or key recovery if the agency needs to decrypt the information.

RESPONSE: The department disagrees. It is up to each agency to decide based on its risk decisions whether to include escrow or key recovery in the agency's encryption policy.

COMMENT: Regarding §202.7(e)(3) a commenter recommended that the rule cite a definite period of time for keeping systems logs.

RESPONSE: The department disagrees. The rule states it is a risk-based decision, and it is up to each agency to determine its schedule for retaining logs based on its records retention policy. Agencies are required to follow state records retention rules set by the Texas State Library and Archives Commission.
