The state's approach to information security and risk management requires the active support and ongoing participation of individuals from multiple disciplines and all management levels. It requires the support of executive, program, and technical management, as well as all administrative and technical personnel whose duties bring them in contact with critical or sensitive state information resources.
This section provides suggestions as to specific roles and responsibilities for both management and staff and includes standards and guidelines for sound security practices which should be applicable to most state agencies.
RESPONSIBILITY. The agency head is responsible for establishing and maintaining an information security and risk management program within the agency. It is the responsibility of the agency head to assure that the agency's information assets are protected from the effects of damage, destruction, and unauthorized or accidental modification, access, or disclosure.
Specifically, heads of agencies are responsible for:
1. Enforcement of state-level security and risk management policies.
2. Establishing and maintaining a risk management program, including a risk analysis process that identifies deficiencies and provides for their corrective action.
3. Establishing and maintaining internal policies and procedures that provide for the security of information technology facilities, software, and equipment, and the integrity and security of the agency's automated information.
4. Assigning information asset ownership for all information resources within the agency.
5. Preparation and maintenance of the agency's Contingency Plan for Information Resources Services Resumption for the continuation of vital information support services in case of a disaster.
6. Ensuring agency compliance with Department of Information Resources (DIR) planning requirements by including a description of its security and risk management policies and practices in the agency strategic plans in accordance with 1 TAC 201.13(b).
7. Ensuring agency compliance with state information systems audit requirements.
8. Ensuring participation at all necessary levels of management and administrative and technical staff during the planning, development, modification, and implementation of security and risk management policies and procedures.
The agency head retains ultimate responsibility for enforcement of all security and risk management policies but may delegate the remaining responsibilities to the Information Resources Manager (IRM).
STANDARD. The responsibilities of a position with respect to security and risk management shall be commensurate with its authority. Descriptions of security roles and responsibilities for agency personnel shall be included in written position descriptions and compiled in the agency security manual developed and maintained by the Information Security Function.
RESPONSIBILITY. The Information Security Function is responsible for directing the development of, and overseeing, agency policies and procedures designed to protect the agency's automated information assets.
STANDARD. Each agency head, or the IRM acting on delegated authority, shall institute an Information Security Function to administer the agency information security program. It shall be the duty and responsibility of this function to establish all procedures and practices necessary to ensure the security of information assets against unauthorized or accidental modification, destruction or disclosure.
STANDARD. The Information Security Function within each agency shall document and maintain an up-to-date internal information security program. The agency security program shall include written internal policies and procedures for the protection of information resources, be an instrument implementing state information security policies and standards, be applicable to all elements of the agency and be signed by the IRM or the agency head.
GUIDELINES. The security duties and functions below should be assigned in writing. The Information Security Function is tasked with overseeing the agency's security effort and should:
1. Report to the IRM responsible for the resources to be protected.
2. Develop, implement, and maintain the agency's security and risk management program including a risk analysis process.
3. Identify vulnerabilities that may cause inappropriate or accidental access, destruction, or disclosure of information, and establish security controls necessary to eliminate or minimize their potential effects.
4. Ensure the agency's critical and sensitive information resources are identified, that all information resources are assigned ownership, and that the duties of owners are prescribed.
5. Ensure that adequate backup and recovery procedures are established and followed.
6. Develop and maintain a Contingency Plan for Information Resources Services Resumption to protect the agency against the potential effects of a disaster.
7. Keep management aware of legal and regulatory changes affecting information privacy and computer crime.
8. Provide agency-wide security consulting services; serve as the agency's internal and external point of contact on information security matters.
9. Ensure that valid user lists are current and auditable.
10. Oversee procedures for agency password control and for secure distribution of encryption keys (where used).
11. Manage the development, implementation, and testing of security controls and methods for their evaluation; direct efforts for including security safeguards in the development or acquisition stages of new automated information systems.
12. Report to management periodically on agency security posture and progress, including problem areas with recommended enhancements.
13. Establish procedures necessary to monitor and ensure compliance with established security and risk management policies and procedures.
14. Coordinate with internal auditors to define their role in automated information system planning, development, implementation, operations, and modifications relative to security and risk management.
15. Coordinate with program and technical managers on matters related to the planning, development, implementation, or modification of information security and risk management policies and procedures that will affect the agency.
16. Establish adequate training programs to assure that agency staff (with particular emphasis on the owners, users, and custodians of information) are educated and aware of their roles and responsibilities relative to information security and risk management.
17. Assure coordination with agency Records Managers, Risk Managers and other functions with overlapping responsibilities.
The Information Resources Management Act makes it clear that information and information resources residing in the various agencies of state government are assets owned by the people of Texas. For the purpose of information resources security and risk management, Texas Administrative Code defines the concept of owners, custodians and users of information resources, and their surrogate responsibilities to the people of Texas, in the development of an information security program designed to provide cost-effective controls to ensure that information is not subject to unauthorized modification, disclosure, or destruction. To achieve this objective, procedures which govern access to each collection of related information should be in place. The effectiveness of access rules depends to a large extent on the correct identification of those surrogate owners, custodians, and users of information.
RESPONSIBILITY. Normally, ownership responsibility resides with the program management that employs the data processed by an automated system.
Custodial responsibility resides with any person or group who is charged with the physical possession of information assets by the agency management. Custodians are normally technical managers (e.g., Data Processing Director, Network Services Director or even separate entities, such as another agency or private outsourcing firm) that provide technical facilities and support services to owners and users of information.
Users of information include the individuals and state agencies that utilize the information that is processed by an automated information system. This includes consultants, contractors and other non-employees of the state who utilize state-owned information assets.
The determination of ownership, custodian, and user responsibilities is specific to the data processed by an automated system.
STANDARD. Owners, custodians and users of data, software and other information resources shall be identified, documented and their responsibilities defined. All resources shall be assigned an owner. In cases where data or software is aggregated for purposes of ownership, the aggregation shall be at a level which assures individual accountability. The following distinctions among owner, custodian, and user responsibilities should guide determination of these roles:
1. Owner responsibilities. The owner of information resources is the designated individual upon whom responsibility rests for carrying out the program that uses the resources. That person is referred to herein as a program manager. The owner, or program manager, is responsible and authorized to:
a. Approve access and formally assign custody of the asset.
b. Judge the asset's value.
c. Specify data control requirements and convey them to users and custodians.
d. Ensure compliance with applicable controls.
Ownership responsibilities apply in the development of outsourcing contracts with private firms or with other agencies. These contracts must specify appropriate controls, based on risk assessment, to ensure protection of the state's confidential or sensitive information files, databases and software from unauthorized modification, deletion or disclosure.
2. Custodian responsibilities. A custodian is the agent in charge of the organizational unit providing technical facilities, data processing and other support services to owners and users of automated information. The custodian of information resources is assigned the responsibility to:
a. Implement the controls specified by the owner.
b. Provide physical and procedural safeguards for the information resources within the facility.
c. Assist owners in evaluating the cost-effectiveness of controls.
d. Administer access to the information resources and make provisions for timely detection, reporting, and analysis of unauthorized attempts to gain access to information resources.
Custodial responsibilities apply to all entities providing outsourcing services to state agencies.
3. User responsibilities. The users of information resources have the responsibility to:
a. Use the resource only for the purposes specified by its owner.
b. Comply with controls established by the owner.
c. Prevent disclosure of sensitive information.
RESPONSIBILITY. Agency program managers have ownership responsibility for the information assets utilized in carrying out the program(s) under their direction. Program managers have responsibility and authority for acquiring, creating and/or maintaining the assets under their ownership.
STANDARD. The agency Information Security Function acting on behalf of the agency head and with cooperation from program and technical management, shall assign information asset ownership and ownership responsibilities for all information resources within the agency.
GUIDELINES. Program managers have the following ownership responsibilities in relation to their agency's information security and risk management program:
1. Participate in the agency's risk analysis process by identifying program assets and assessing their value to the organization.
2. Ensure proper classification of automated information for which the program is assigned ownership responsibility.
3. Ensure participation between the program technical staff and the Information Security Function in identifying and selecting appropriate and cost-effective security controls and procedures to protect information assets.
4. Ensure the proper planning, development, and establishment of security policies and procedures for files or databases for which the program has ownership responsibility, and for physical devices assigned to and located in program area(s).
5. Formally assign custody of program assets to appropriate technical and data center managers and ensure they are provided the appropriate direction to implement the security controls and procedures that have been defined.
6. Define the appropriate security requirements for user access to automated information files and databases for which the program is assigned ownership responsibility.
7. Establish all procedures necessary to comply with these standards and guidelines in relation to custodian and user responsibilities.
8. Define quality assurance procedures to minimize the risk of errors and omissions and to ensure the integrity of data for which the program is assigned ownership responsibility.
9. Ensure that procedures are established to comply with the DIR agency planning requirements set forth in 1 TAC 201.13(b).
10. In cases where technical services are outsourced to another agency or private firm, ensure contractual agreements exist, based on risk assessment, for protection of the state's confidential or sensitive information files, databases and software from unauthorized modification, deletion or disclosure.
RESPONSIBILITY. Technical managers, such as Data Processing Directors, Data Center Managers and Network Directors, who are charged with physical possession of information assets for the purposes of providing information services, have custodial responsibility for the assets used in providing those services.
STANDARD. Program managers, having been assigned information resource ownership, shall assign custody of program assets to appropriate technical and data center managers and ensure they are provided the appropriate direction to implement the security controls and procedures that have been defined.
STANDARD. Technical managers, assigned information resource custodianship, are charged with executing the monitoring techniques and procedures for detecting, reporting and investigating breaches in information asset security. Custodial responsibilities apply to all entities providing outsourcing services to state agencies.
GUIDELINES. Technical managers assigned as custodians of information assets have the following responsibilities in relation to their agency's information security and risk management program:
1. Ensure that program managers, the Information Security Function and user agencies are provided the necessary technical support services with which to define and select cost-effective security controls, policies, and procedures.
2. Ensure the implementation of security controls and procedures as defined by the owners of information.
3. Ensure the implementation of system controls necessary to identify actual or attempted violations of security policies or procedures.
4. Ensure that the owners of information and the agency's Information Security Function are notified of any actual or attempted violations of security policies and procedures.
5. Develop, implement and follow adequate backup and recovery procedures for all data and software in the facility.
6. Ensure the implementation and maintenance of a Contingency Plan for Information Resources Services Resumption in cooperation with agency management, the Information Security Function and the assigned owners and users of information.
7. Monitor the security controls and develop the reports and reporting procedures in accordance with the requirements of the program and those of internal and external auditors. This responsibility may be delegated to a Security Administrator.
RESPONSIBILITY. Security Administrators are responsible for providing security and risk management related support services.
GUIDELINES. Personnel assigned as Security Administrators have the following responsibilities in relation to their agency's information security and risk management program:
1. Provide assistance to the agency Information Security Function relative to using the data center's security facilities.
2. Assist in the acquisition of security software and equipment to meet agency needs.
3. Assist the agency Information Security Function (if requested to do so) in developing and maintaining an agency security and risk management program, including a risk analysis process.
4. Assist in identifying vulnerabilities and the appropriate solutions to eliminate or minimize their potential effects.
5. Develop and maintain the access control rules within the system security software that provides controlled access in accordance with owner defined information access requirements.
6. Maintain valid and current user lists and oversee procedures for agency password control and for secure distribution of encryption keys (where used).
RESPONSIBILITY. All program personnel and other users (including consultants, contractors and non-state employees) of the automated information assets for which the program is assigned ownership, assume secondary responsibility for those assets and in so doing must comply with all established security controls and procedures.
GUIDELINES. User personnel have the following security and risk management responsibilities:
1. Exercise and monitor data quality assurance procedures to ensure the integrity of data for which the program is assigned ownership responsibility.
2. Comply with applicable federal, state, and agency security policies and procedures.
3. Comply with applicable federal and state statutes.
4. Identify security vulnerabilities and inform program management and the Information Security Function of those vulnerabilities.
STANDARD. An internal audit of the Information Security Function shall be performed periodically, based on risk assessment, as directed by the agency head or the Information Resources Manager acting on delegated authority for risk management decisions.
RESPONSIBILITY. Internal auditors have the following responsibilities in relation to the agency's security and risk management efforts:
1. Examination of the agency's information security policies and procedures for compliance with state information security and risk management policies, standards and guidelines.
2. Examination of the effectiveness of the agency's information security policies and procedures; identification of inadequacies within the existing security and risk management program; identification of possible corrective actions; and informing management, the Information Security Function and the information's owners, custodians, and users of its findings.
3. Review and evaluation of the effectiveness of controls for automated information systems that are either under development or operational, with particular emphasis on major systems.
4. Participation in the agency risk analysis process.
The head of an agency is responsible for assuring that the state's security and risk management policies are enforced. Should any audit indicate that the state's security policies are not established or that the agency has not taken corrective action with respect to security deficiencies, the agency may be subject to any or all of the following:
1. Further audit and review by the Office of the State Auditor.
2. Disapproval by the DIR of agency strategic plans and/or agency operating plans.
3. Further action as deemed necessary by the DIR to ensure compliance with minimum security standards for protection of state information resources.