Texas Security and Risk Management
8.0 Information Systems With Public Access Components
Copyright(c), 1995 - Management Analytics - All Rights Reserved
This section provides guidelines for reviewing automated information
systems that include public access capabilities. These systems must
incorporate security procedures and controls to ensure data integrity
and the protection of confidential information. For all systems with
existing public access capabilities, the risk analysis should pay
particular attention to the vulnerabilities associated with such
capabilities.
All proposals for the acquisition of new systems or upgrades to
existing systems should be accompanied by a complete and thorough
feasibility study justifying such acquisition or upgrades. In
addressing the functional requirements of the system or upgrades, the
feasibility study should identify the security measures necessary to
maintain data integrity and to satisfy confidentiality and security
requirements. Risk analysis provides the basis for meeting these
functional criteria. Below are special topics that agencies should
address in feasibility studies proposing public access capabilities.
8.1 Risk Analysis
Identify the vulnerabilities associated with the existing or
proposed system, including its public access capabilities. If the
public access component of the system maintains sensitive information,
identify the consequences of disseminating inaccurate or incomplete
information. Identify the security procedures and controls that exist
or that must be implemented to maintain the required standards of
information integrity and access.
If the system maintains confidential information, identify the
design features or security controls that must be incorporated to
prevent public access to the confidential information.
8.2 Feasibility Study
In conducting the feasibility study for a system incorporating
public access capabilities, address the following:
- Communication System. Describe the communication system that will be
employed to provide the public access capability. Include the number
of communication lines, the volume of traffic, and the communication
capabilities, such as dial-up or dedicated lines. Describe the
security procedures and controls designed to maintain information
access and minimize or eliminate the possibility of disseminating
inaccurate or incomplete information.
- Access Authority. Identify the criteria for information access. Is
access to the information available to the general public? Identify
the requirements and procedures that will be used to review and
evaluate an applicant's request to access information.
- Training or Documentation. Identify any special training or
documentation that is necessary to utilize the public access
component.
- Licensing Agreements. Identify any licensing agreements or contracts
related to information disclosure or availability. In the Feasibility
Study Report summarize the terms and conditions of the contract or
license. Indicate whether the information may be distributed or shared
with third parties by those using the public access system.
- Agency Security Policies. Identify any other internal agency policies
and procedures relative to the security of the information system.
- Contracting Responsibility. Agencies are responsible for negotiating
Interagency Cooperation Agreements with public sector entities or
other governmental agencies relative to accessing the public access
component of the system. If a data center maintains custodial
responsibility for the information and provides the technical
capabilities for the public access component, the agency should
maintain an Interagency Cooperation Agreement with the data center to
provide the services. The Interagency Cooperation Agreement should
address the security requirements necessary to protect the public
access component of the system.