State institutions of higher education shall apply the following
Information Resources Security Safeguards based on documented risk
management decisions. Any exception to the following safeguards shall
be approved, justified and documented in accordance with §202.71(c)(1)(H)
and (d)(5) of this chapter.
(1) Manage access to information resources to ensure
authorized use.
(2) Confidentiality of data and systems.
(A) Confidential information shall be accessible only
to authorized users. An information file or record containing any
confidential information shall be identified, documented, and protected
in its entirety in accordance with §202.70(1) of this chapter.
(B) Information resources assigned from one institution
of higher education to another, or from an institution of higher education
to a contractor or other third party, at a minimum, shall be protected
in accordance with the conditions imposed by the providing institution
of higher education.
(3) Identification/Authentication.
(A) Each user of information resources shall be assigned
a unique identifier except for situations where risk analysis demonstrates
no need for individual accountability of users. User identification
shall be authenticated before the information resources system may
grant that user access.
(B) A user's access authorization shall be appropriately
modified or removed when the user's employment or job responsibilities
within the institution of higher education change.
(C) Information resources systems shall contain authentication
controls that comply with documented institution of higher education
risk management decisions.
(D) Information resources systems which use passwords
shall be based on industry best practices on password usage and documented
institution of higher education risk management decisions.
(E) For electronic communications where the identity
of a sender or the contents of a message must be authenticated, the
use of digital signatures is encouraged. Institutions of higher education
should refer to guidelines and rules issued by the department for
further information. (Ref. 1 TAC Chapter 203.)
(4) Encryption. Encryption requirements for information
storage devices and data transmissions, as well as specific requirements
for portable devices, removable media, and encryption key standards
and management shall be based on documented institution of higher
education risk management decisions.
(A) Confidential information that is transmitted over
a public network (e.g., the Internet) must be encrypted.
(B) Confidential information stored in a public location
that is directly accessible without compensating controls in place
(e.g., FTP without access control) must be encrypted.
(C) Storing confidential information on portable devices
is discouraged. Confidential information must be encrypted if copied
to, or stored on, a portable computing device, removable media, or
a non-agency owned computing device.
(D) An institution of higher education may also choose
to implement additional protections, which may include encryption,
for other data classifications.
(5) Auditing.
(A) Information resources systems shall provide the
means whereby authorized personnel have the ability to audit and establish
individual accountability for any action that can potentially cause
access to, generation of, modification of, or effect the release of
confidential information.
(B) Appropriate audit trails shall be maintained to
provide accountability for updates to mission critical information,
hardware and software and for all changes to automated security or
access rules.
(C) Based on the risk assessment, a sufficiently complete
history of transactions shall be maintained to permit an audit of
the information resources system by logging and tracing the activities
of individuals through the system.
(6) Systems development, acquisition, and testing.
(A) Test environments shall be kept either physically
or logically separate from production environments. Copies of production
data shall not be used for testing unless the data has been authorized
for public release or unless all custodians involved in testing are
otherwise authorized access to the data.
(B) Information security, security testing, and audit
controls shall be included in all phases of the system development
lifecycle or acquisition process.
(C) All security-related information resources changes
shall be approved by the information owner through a change control
process. Approval shall occur prior to implementation by the institution
of higher education or independent contractors.
(7) Security Policies. Each institution of higher education
head or his/her designated representative and information security
officer shall create, distribute, and implement information security
policies. The following policies are recommended; however, institutions
of higher education may elect not to implement some of the policies
based on documented risk management decisions and business functions.
These policies are not all inclusive and may be combined topically.
(A) Acceptable Use--Defines scope, behavior, practices, and
compliance monitoring pertaining to users of information resources.
(B) Account Management--Defines the rules for establishing
user identity, administering user accounts, and establishing and monitoring
user access to information resources.
(C) Administrator/Special Access--Establishes rules
for the creation, use, monitoring, control, and removal of accounts
with special access privileges.
(D) Application Security--Establishes processes and
coding practices to ensure development, deployment, and maintenance
of secure applications.
(E) Backup/Recovery--Establishes the rules for the
backup, storage, and recovery of electronic information.
(F) Change or Configuration Management--Establishes
the process for controlling modifications to hardware, software, firmware,
and documentation to ensure the information resources are protected
against improper modification before, during, and after system implementation.
(G) Electronic communication--Establishes prudent and
acceptable practices regarding the use of electronic communications
for the sending, receiving, or storing of electronic messages. Ensures
compliance with applicable statutes, regulations, and mandates.
(H) Encryption--Establishes encryption controls for
institution of higher education-specified data classifications (e.g.,
confidential information), portable devices, removable media, transmission
security, and encryption key standards and management.
(I) Firewall--Describes how to manage network traffic
coming into and going out of the security domain. The firewall policy
should address:
(i) Virtual and physical architecture;
(ii) Protocols and applications that are permitted
through the firewall, both inbound and outbound;
(iii) Traffic monitoring rule set;
(iv) Assignment of responsibility for monitoring and
enforcing the firewall policy;
(v) Approval process for updating or changing rule
sets; and
(vi) Auditing and testing to verify a firewall's configuration,
rule set accuracy, and effectiveness.
(J) Incident Management--Describes the requirements
for dealing with computer security incidents including prevention,
detection, response, remediation, and reporting.
(K) Identification/Authentication--Establishes the
rules for verifying the identity of a user, process, or device, as
a prerequisite for granting access to resources in an information
system, e.g., something you know (password), something you have (coded
identity card), or something you are (biometric information).
(L) Internet/Intranet Use--Establishes prudent and
acceptable practices regarding the use of the Internet and Intranet.
(M) Intrusion Detection--Establishes requirements for
auditing, logging, and monitoring to detect attempts to bypass the
security mechanisms of information resources.
(N) Network Access--Establishes the rules for the access
and use of the network infrastructure.
(O) Network Configuration--Establishes the rules for
the maintenance, expansion, and use of the network infrastructure.
(P) Physical Access--Establishes the rules for the
granting, control, monitoring, and removal of physical access to information
resources.
(Q) Portable Computing--Establishes the rules for the
use of mobile computing devices and their connection to the network.
(R) Privacy--Methodologies used to establish the limits
and expectations regarding privacy for the users of information resources.
(S) Security Monitoring--Defines a process that ensures
information resources security controls are in place, are effective,
and are not being bypassed.
(T) Security Awareness and Training--Establishes the
requirements to ensure each user of information resources receives
adequate training on computer security issues.
(U) Platform Management--Establishes the requirements
and the procedures for installing, configuring, maintaining, patching,
and monitoring the integrity of a platform in a secure fashion.
(V) Authorized Software--Establishes the rules for
software use on information resources.
(W) System Development and Acquisition--Describes the
security and business continuity requirements in the systems development
and acquisition life cycle.
(X) Third Party Access--Establishes the rules for contractor,
vendor, and other third party access to information resources, support
services and responsibilities for protection of information.
(Y) Malicious Code--Describes the requirements for
prevention, detection, response, and recovery from the effects of
malicious code (including but not limited to viruses, worms, Trojan
Horses, and unauthorized code used to circumvent safeguards).
(Z) Wireless Access--Establishes the requirements and
security restrictions for installing or providing access to the institution
of higher education information resources systems. Using the Wireless
Security Guidelines identified in §202.1(29) of this chapter,
the policy shall address the following topic areas:
(i) Wireless Local Area Networks. Ensure that Service
Set Identifier (SSID) values are changed from the manufacturer default
setting. Some networks should not include organizational or location
information in the SSID. Additional equipment configuration recommendations
are included in the Wireless Security Guidelines.
(ii) Types of information that may be transmitted via
wireless networks and devices with or without encryption including
mission critical information or sensitive personal information. Institutions
of higher education shall not transmit confidential information via
a wireless connection to, or from, a portable computing device unless
encryption methods, such as a Virtual Private Network (VPN), Wi-Fi
Protected Access, or other secure encryption protocols that meet appropriate
protection or certification standards, are used to protect the information.
(iii) Prohibit and periodically monitor any unauthorized
installation or use of Wireless Personal Area Networks on institution
of higher education IT systems by individuals without the approval
of the institution of higher education information resources manager.
(AA) Vulnerability Assessment--Establishes the requirements
to conduct periodic network, operating system, and application vulnerability
assessments.
(8) Perimeter Security Controls. Each institution of
higher education head or his/her designated representative and information
security officer shall establish a perimeter protection strategy to
include some or all of the following components: DMZ, firewall, intrusion
detection or prevention system, or router.
(9) System Identification/Logon Banner. System identification/logon
banners shall have warning statements that include the following topics:
(A) Unauthorized use is prohibited;
(B) Usage may be subject to security testing and monitoring;
(C) Misuse is subject to criminal prosecution; and
(D) Users have no expectation of privacy except as
otherwise provided by applicable privacy laws.