State agencies shall apply the following Information Resources
Security Safeguards based on documented risk management decisions.
Any exception to the following safeguards shall be approved, justified
and documented in accordance with §202.21(c)(1)(H) and (d)(5)
of this chapter.
(1) Manage access to information resources to ensure
(2) Confidentiality of data and systems.
(A) Confidential information shall be accessible only
to authorized users. An information file or record containing any
confidential information shall be identified, documented, and protected
in its entirety in accordance with §202.20(1) of this chapter.
(B) Information resources assigned from one state agency
to another, or from a state agency to a contractor or other third
party, at a minimum, shall be protected in accordance with the conditions
imposed by the providing state agency.
(A) Each user of information resources shall be assigned
a unique identifier except for situations where risk analysis demonstrates
no need for individual accountability of users. User identification
shall be authenticated before the information resources system may
grant that user access.
(B) A user's access authorization shall be appropriately
modified or removed when the user's employment or job responsibilities
within the state agency change.
(C) Information resources systems shall contain authentication
controls that comply with documented state agency risk management
(D) Information resources systems which use passwords
shall be based on industry best practices on password usage and documented
state agency risk management decisions.
(E) For electronic communications where the identity
of a sender or the contents of a message shall be authenticated, the
use of digital signatures is encouraged. Agencies should refer to
guidelines and rules issued by the department for further information.
(Ref. 1 TAC Chapter 203.)
(4) Encryption. Encryption requirements for information
storage devices and data transmissions, as well as specific requirements
for portable devices, removable media, and encryption key standards
and management shall be based on documented state agency risk management
(A) Confidential information that is transmitted over
a public network (e.g., the Internet) must be encrypted.
(B) Confidential information stored in a public location
that is directly accessible without compensating controls in place
(e.g., FTP without access control) must be encrypted.
(C) Storing confidential information on portable devices
is discouraged. Confidential information must be encrypted if copied
to, or stored on, a portable computing device, removable media, or
a non-agency owned computing device.
(D) The minimum algorithm strength for protecting confidential
information specified in subparagraphs (A) - (C) of this paragraph
is a 128-bit encryption algorithm, subject to state agency risk management
decisions justified and documented in accordance with §202.21(c)(1)(H)
and (d)(5) of this chapter.
(E) An agency may also choose to implement additional
protections, which may include encryption, for other data classifications.
(A) Information resources systems shall provide the
means whereby authorized personnel have the ability to audit and establish
individual accountability for any action that can potentially cause
access to, generation of, modification of, or effect the release of
(B) Appropriate audit trails shall be maintained to
provide accountability for updates to mission critical information,
hardware and software and for all changes to automated security or
(C) Based on the risk assessment, a sufficiently complete
history of transactions shall be maintained to permit an audit of
the information resources system by logging and tracing the activities
of individuals through the system.
(6) Systems development, acquisition, and testing.
(A) Test environments shall be kept either physically
or logically separate from production environments. Copies of production
data shall not be used for testing unless the data has been authorized
for public release or unless all custodians involved in testing are
otherwise authorized access to the data.
(B) Information security, security testing, and audit
controls shall be included in all phases of the system development
lifecycle or acquisition process.
(C) All security-related information resources changes
shall be approved by the information owner through a change control
process. Approval shall occur prior to implementation by the state
agency or independent contractors.
(7) Security Policies. Each state agency head or his/her
designated representative and information security officer shall create,
distribute, and implement information security policies. The following
policies are recommended; however, state agencies may elect not to
implement some of the policies based on documented risk management
decisions and business functions. These policies are not all inclusive
and may be combined topically.
(A) Acceptable Use--Defines the scope, behavior, practices, and
compliance monitoring pertaining to users of information resources.
(B) Account Management--Defines the rules for establishing
user identity, administering user accounts, and establishing and monitoring
user access to information resources.
(C) Administrator/Special Access--Establishes rules
for the creation, use, monitoring, control, and removal of accounts
with special access privileges.
(D) Application Security--Establishes processes and
coding practices to ensure development, deployment, and maintenance
of secure applications.
(E) Backup/Recovery--Establishes the rules for the
backup, storage, and recovery of electronic information.
(F) Change or Configuration Management--Establishes
the process for controlling modifications to hardware, software, firmware,
and documentation to ensure the information resources are protected
against improper modification before, during, and after system implementation.
(G) Electronic Communication--Establishes prudent and
acceptable practices regarding the use of electronic communications
for the sending, receiving, or storing of electronic messages. Ensures
compliance with applicable statutes, regulations, and mandates.
(H) Encryption--Establishes encryption controls for
agency-specified data classifications (e.g., confidential information),
portable devices, removable media, transmission security, and encryption
key standards and management.
(I) Firewall--Describes how to manage and update the
handling of network traffic coming into and going out of the security
domain. The firewall policy should address:
(i) Virtual and physical architecture;
(ii) Protocols and applications that are permitted
through the firewall, both inbound and outbound;
(iii) Traffic monitoring rule set;
(iv) Assignment of responsibility for monitoring and
enforcing the firewall policy;
(v) Approval process for updating or changing rule
sets;
(vi) Auditing and testing to verify a firewall's configuration,
rule set accuracy, and effectiveness.
(J) Incident Management--Describes the requirements
for dealing with computer security incidents including prevention,
detection, response, remediation, and reporting.
(K) Identification/Authentication--Establishes the
rules for verifying the identity of a user, process, or device, as
a prerequisite for granting access to resources in an information
system, e.g., something you know (password), something you have (coded
identity card), or something you are (biometric information).
(L) Internet/Intranet Use--Establishes prudent and
acceptable practices regarding the use of the Internet and Intranet.
(M) Intrusion Detection--Establishes requirements for
auditing, logging, and monitoring to detect attempts to bypass the
security mechanisms of information resources.
(N) Network Access--Establishes the rules for the access
and use of the network infrastructure.
(O) Network Configuration--Establishes the rules for
the maintenance, expansion, and use of the network infrastructure.
(P) Physical Access--Establishes the rules for the
granting, control, monitoring, and removal of physical access to information
(Q) Portable Computing--Establishes the rules for the
use of mobile computing devices and their connection to the network.
(R) Privacy--Methodologies used to establish the limits
and expectations regarding privacy for the users of information resources.
(S) Security Monitoring--Defines a process that ensures
information resources security controls are in place, are effective,
and are not being bypassed.
(T) Security Awareness and Training--Establishes the
requirements to ensure each user of information resources receives
adequate training on computer security issues.
(U) Platform Management--Establishes the requirements
and the procedures for installing, configuring, maintaining, patching,
and monitoring the integrity of a platform in a secure fashion.
(V) Authorized Software--Establishes the rules for
software use on information resources.
(W) System Development and Acquisition--Describes the
security and business continuity requirements in the systems development
and acquisition life cycle.
(X) Third Party Access--Establishes the rules for contractor,
vendor, and other third party access to information resources, support
services and responsibilities for protection of information.
(Y) Malicious Code--Describes the requirements for
prevention, detection, response, and recovery from the effects of
malicious code (including but not limited to viruses, worms, Trojan
Horses, and unauthorized code used to circumvent safeguards).
(Z) Wireless Access--Establishes the requirements and
security restrictions for installing or providing access to the state
agency information resources systems. Using the Wireless Security
Guidelines identified in §202.1(29) of this chapter, the policy
shall address the following topic areas:
(i) Wireless Local Area Networks. Ensure that Service
Set Identifiers (SSID) values are changed from the manufacturer default
setting. Some networks should not include organizational or location
information in the SSID. Additional equipment configuration recommendations
are included in the Wireless Security Guidelines.
(ii) Types of information that may be transmitted via
wireless networks and devices with or without encryption including
mission critical information or sensitive personal information. State
agencies shall not transmit confidential information via a wireless
connection to, or from a portable computing device unless encryption
methods, such as a Virtual Private Network (VPN), Wi-Fi Protected
Access, or other secure encryption protocols that meet appropriate
protection or certification standards, are used to protect the information.
(iii) Prohibit and periodically monitor any unauthorized
installation or use of Wireless Personal Area Networks on state agency
IT systems by individuals without the approval of the state agency
information resources manager.
(AA) Vulnerability Assessment--Establishes the requirements
to conduct periodic work, operating system, and application vulnerability
(8) Perimeter Security Controls. Each state agency
head or his/her designated representative and information security
officer shall establish a security strategy that includes perimeter
protection. The department will provide security information management
services to include external network monitoring, scanning, and alerting
for each agency that utilizes State information resources as specified
in Chapters 2054 and 2059, Government Code. Perimeter security controls
may include some or all of the following components: DMZ, firewall,
intrusion detection or prevention system, or router.
(9) System Identification/Logon Banner. System identification/logon
banners shall have warning statements that include the following topics:
(A) Unauthorized use is prohibited;
(B) Usage may be subject to security testing and monitoring;
(C) Misuse is subject to criminal prosecution; and
(D) Users have no expectation of privacy except as
otherwise provided by applicable privacy laws.