
Texas Administrative Code

RULE §202.25 Information Resources Security Safeguards

State agencies shall apply the following Information Resources Security Safeguards based on documented risk management decisions. Any exception to the following safeguards shall be approved, justified and documented in accordance with §202.21(c)(1)(H) and (d)(5) of this chapter.

  (1) Manage access to information resources to ensure authorized use.

  (2) Confidentiality of data and systems.

    (A) Confidential information shall be accessible only to authorized users. An information file or record containing any confidential information shall be identified, documented, and protected in its entirety in accordance with §202.20(1) of this chapter.

    (B) Information resources assigned from one state agency to another, or from a state agency to a contractor or other third party, at a minimum, shall be protected in accordance with the conditions imposed by the providing state agency.

  (3) Identification/Authentication.

    (A) Each user of information resources shall be assigned a unique identifier except for situations where risk analysis demonstrates no need for individual accountability of users. User identification shall be authenticated before the information resources system may grant that user access.

    (B) A user's access authorization shall be appropriately modified or removed when the user's employment or job responsibilities within the state agency change.

    (C) Information resources systems shall contain authentication controls that comply with documented state agency risk management decisions.

    (D) Information resources systems which use passwords shall be based on industry best practices on password usage and documented state agency risk management decisions.

    (E) For electronic communications where the identity of a sender or the contents of a message shall be authenticated, the use of digital signatures is encouraged. Agencies should refer to guidelines and rules issued by the department for further information. (Ref. 1 TAC Chapter 203.)

  (4) Encryption. Encryption requirements for information storage devices and data transmissions, as well as specific requirements for portable devices, removable media, and encryption key standards and management shall be based on documented state agency risk management decisions.

    (A) Confidential information that is transmitted over a public network (e.g.: the Internet) must be encrypted.

    (B) Confidential information stored in a public location that is directly accessible without compensating controls in place (e.g.: FTP without access control) must be encrypted.

    (C) Storing confidential information on portable devices is discouraged. Confidential information must be encrypted if copied to, or stored on, a portable computing device, removable media, or a non-agency owned computing device.

    (D) The minimum algorithm strength for protecting confidential information specified in subparagraphs (A) - (C) of this paragraph is a 128-bit encryption algorithm, subject to state agency risk management decisions justified and documented in accordance with §202.21(c)(1)(H) and (d)(5) of this chapter.

    (E) An agency may also choose to implement additional protections, which may include encryption, for other data classifications.

  (5) Auditing.

    (A) Information resources systems shall provide the means whereby authorized personnel have the ability to audit and establish individual accountability for any action that can potentially cause access to, generation of, modification of, or effect the release of confidential information.

    (B) Appropriate audit trails shall be maintained to provide accountability for updates to mission critical information, hardware and software and for all changes to automated security or access rules.

    (C) Based on the risk assessment, a sufficiently complete history of transactions shall be maintained to permit an audit of the information resources system by logging and tracing the activities of individuals through the system.

  (6) Systems development, acquisition, and testing.

    (A) Test environments shall be kept either physically or logically separate from production environments. Copies of production data shall not be used for testing unless the data has been authorized for public release or unless all custodians involved in testing are otherwise authorized access to the data.

    (B) Information security, security testing, and audit controls shall be included in all phases of the system development lifecycle or acquisition process.

    (C) All security-related information resources changes shall be approved by the information owner through a change control process. Approval shall occur prior to implementation by the state agency or independent contractors.

  (7) Security Policies. Each state agency head or his/her designated representative and information security officer shall create, distribute, and implement information security policies. The following policies are recommended; however, state agencies may elect not to implement some of the policies based on documented risk management decisions and business functions. These policies are not all inclusive and may be combined topically.

    (A) Acceptable Use--Defines scope, behavior, and practices; compliance monitoring pertaining to users of information resources.

    (B) Account Management--Defines the rules for establishing user identity, administering user accounts, and establishing and monitoring user access to information resources.

    (C) Administrator/Special Access--Establishes rules for the creation, use, monitoring, control, and removal of accounts with special access privileges.

    (D) Application Security--Establishes processes and coding practices to ensure development, deployment, and maintenance of secure applications.

    (E) Backup/Recovery--Establishes the rules for the backup, storage, and recovery of electronic information.

    (F) Change or Configuration Management--Establishes the process for controlling modifications to hardware, software, firmware, and documentation to ensure the information resources are protected against improper modification before, during, and after system implementation.

    (G) Electronic Communication--Establishes prudent and acceptable practices regarding the use of electronic communications for the sending, receiving, or storing of electronic messages. Ensures compliance with applicable statutes, regulations, and mandates.

    (H) Encryption--Establishes encryption controls for agency-specified data classifications (e.g., confidential information), portable devices, removable media, transmission security, and encryption key standards and management.

    (I) Firewall--Describes how to manage and update the handling of network traffic coming into and going out of the security domain. The firewall policy should address:

      (i) Virtual and physical architecture;

      (ii) Protocols and applications that are permitted through the firewall, both inbound and outbound;

      (iii) Traffic monitoring rule set;

      (iv) Assignment of responsibility for monitoring and enforcing the firewall policy, and approval process for updating or changing rule sets;

      (v) Approval process for updating or changing rule sets; and

      (vi) Auditing and testing to verify a firewall's configuration, rule set accuracy, and effectiveness.

    (J) Incident Management--Describes the requirements for dealing with computer security incidents including prevention, detection, response, remediation, and reporting.

    (K) Identification/Authentication--Establishes the rules for verifying the identity of a user, process, or device, as a prerequisite for granting access to resources in an information system, e.g., something you know (password), something you have (coded identity card), or something you are (biometric information).

    (L) Internet/Intranet Use--Establishes prudent and acceptable practices regarding the use of the Internet and Intranet.

    (M) Intrusion Detection--Establishes requirements for auditing, logging, and monitoring to detect attempts to bypass the security mechanisms of information resources.

    (N) Network Access--Establishes the rules for the access and use of the network infrastructure.

    (O) Network Configuration--Establishes the rules for the maintenance, expansion, and use of the network infrastructure.

    (P) Physical Access--Establishes the rules for the granting, control, monitoring, and removal of physical access to information resources.

    (Q) Portable Computing--Establishes the rules for the use of mobile computing devices and their connection to the network.

    (R) Privacy--Methodologies used to establish the limits and expectations regarding privacy for the users of information resources.

    (S) Security Monitoring--Defines a process that ensures information resources security controls are in place, are effective, and are not being bypassed.

    (T) Security Awareness and Training--Establishes the requirements to ensure each user of information resources receives adequate training on computer security issues.

    (U) Platform Management--Establishes the requirements and the procedures for installing, configuring, maintaining, patching, and monitoring the integrity of a platform in a secure fashion.

    (V) Authorized Software--Establishes the rules for software use on information resources.

    (W) System Development and Acquisition--Describes the security and business continuity requirements in the systems development and acquisition life cycle.

    (X) Third Party Access--Establishes the rules for contractor, vendor, and other third party access to information resources, support services and responsibilities for protection of information.

    (Y) Malicious Code--Describes the requirements for prevention, detection, response, and recovery from the effects of malicious code (including but not limited to viruses, worms, Trojan Horses, and unauthorized code used to circumvent safeguards).

    (Z) Wireless Access--Establishes the requirements and security restrictions for installing or providing access to the state agency information resources systems. Using the Wireless Security Guidelines identified in §202.1(29) of this chapter, the policy shall address the following topic areas:

      (i) Wireless Local Area Networks. Ensure that Service Set Identifiers (SSID) values are changed from the manufacturer default setting. Some networks should not include organizational or location information in the SSID. Additional equipment configuration recommendations are included in the Wireless Security Guidelines.

      (ii) Types of information that may be transmitted via wireless networks and devices with or without encryption including mission critical information or sensitive personal information. State agencies shall not transmit confidential information via a wireless connection to, or from a portable computing device unless encryption methods, such as a Virtual Private Network (VPN), Wi-Fi Protected Access, or other secure encryption protocols that meet appropriate protection or certification standards, are used to protect the information.

      (iii) Prohibit and periodically monitor any unauthorized installation or use of Wireless Personal Area Networks on state agency IT systems by individuals without the approval of the state agency information resources manager.

    (AA) Vulnerability Assessment--Establishes the requirements to conduct periodic work, operating system, and application vulnerability assessments.

  (8) Perimeter Security Controls. Each state agency head or his/her designated representative and information security officer shall establish a security strategy that includes perimeter protection. The department will provide security information management services to include external network monitoring, scanning, and alerting for each agency that utilizes State information resources as specified in Chapters 2054 and 2059, Government Code. Perimeter security controls may include some or all of the following components: DMZ, firewall, intrusion detection or prevention system, or router.

  (9) System Identification/Logon Banner. System identification/logon banners shall have warning statements that include the following topics:

    (A) Unauthorized use is prohibited;

    (B) Usage may be subject to security testing and monitoring;

    (C) Misuse is subject to criminal prosecution; and

    (D) Users have no expectation of privacy except as otherwise provided by applicable privacy laws.

Source Note: The provisions of this §202.25 adopted to be effective November 28, 2004, 29 TexReg 10703; amended to be effective April 24, 2006, 31 TexReg 3373; amended to be effective September 17, 2009, 34 TexReg 6315; amended to be effective June 11, 2012, 37 TexReg 4183
