|(a) The state agency head or his or her designated representative(s) shall review and approve information ownership and associated responsibilities to include personnel, equipment, or information technology hardware and software. (b) State agencies are responsible for defining all information classification categories except the Confidential Information category, which is defined in Subchapter A of this chapter, and establishing the appropriate controls for each. (c) Information owners, custodians, and users of information resources shall be identified, and their responsibilities defined and documented by the state agency. In cases where information resources are used by more than one major business function, the owners shall reach consensus and advise the information security officer as to the designated owner with responsibility for the information resources. The following distinctions among owner, custodian, and user responsibilities should guide determination of these roles: (1) Information Owner Responsibilities. The owner or his or her designated representative(s) are responsible for and authorized to: (A) Approve access and formally assign custody of an information resources asset. (B) Determine the asset's value. (C) Specify data control requirements and convey them to users and custodians. (D) Specify appropriate controls, based on a risk assessment, to protect the state's information resources from unauthorized modification, deletion, or disclosure. Controls shall extend to information resources and services outsourced by the state agency. (E) Confirm that controls are in place to ensure the confidentiality, integrity, and availability of data and other assigned information resources. (F) Assign custody of information resources assets and provide appropriate authority to implement security controls and procedures. (G) Review access lists based on documented risk management decisions. (H) Approve, justify, document, and be accountable for exceptions to security controls. The information owner shall coordinate exceptions to security controls with the agency information security officer or other person(s) designated by the state agency head. (I) The information owner, with the concurrence of the state agency head or his or her designated representative(s), is responsible for classifying business functional information. (2) Custodian responsibilities. Custodians of information resources, including third party entities providing outsourced information resources services to state agencies shall: (A) Implement the controls specified by the information owner(s); (B) Provide physical, technical, and procedural safeguards for the information resources; (C) Assist owners in evaluating the cost-effectiveness of controls and monitoring; and (D) Implement monitoring techniques and procedures for detecting, reporting, and investigating incidents. (3) User responsibilities. Users of information resources shall use the resources only for defined purposes and comply with established controls. (d) The Information Security Officer. Each state agency head or his or her designated representative(s) shall designate an information security officer to administer the state agency information security program. The Information Security Officer shall report to executive level management. (1) It shall be the duty and responsibility of this individual to develop and recommend policies and establish procedures and practices, in cooperation with owners and custodians, necessary to ensure the security of information resources assets against unauthorized or accidental modification, destruction, or disclosure. (2) The Information Security Officer shall document and maintain an up-to-date information security program. The information security program shall be approved by the state agency head or his or her designated representative(s). (3) The Information Security Officer is responsible for monitoring the effectiveness of defined controls for mission critical information and shall verify that appropriate security controls are in place for all major information resources projects, including those projects being provided for a state agency, in whole or in part, by a state agency contractor, as required by §§2054.304 - 2054.307, Government Code. (4) The Information Security Officer shall report, at least annually, to the state agency head or his or her designated representative(s) the status and effectiveness of information resources security controls. (5) The Information Security Officer with the approval of the state agency head or his or her designated representative may issue exceptions to information security requirements or controls in this chapter. Any such exceptions shall be justified, documented and communicated as part of the risk assessment process. (e) A review of the state agency's information security program for compliance with these standards will be performed at least annually, based on business risk management decisions, by individual(s) independent of the information security program and designated by the state agency head or his or her designated representative(s).