1.0 Introduction

Copyright(c), 1995 - Management Analytics - All Rights Reserved

The Department of Information Resources (DIR) was established through the Information Resources Management Act [TEX. REV. CIV. STAT. ANN. art. 4413 (32j) (Vernon Supp.1992)] and is required by this act to "develop and publish policies, procedures, and standards relating to information resources management by state agencies, and ensure compliance with those policies, procedures, and standards." In accordance with this act, the DIR has established the Information Security Standards (1 TAC 201.13(b)) requiring state agencies to provide for the confidentiality and security of state-owned information and information resources.

Further, 1 TAC 201.13(b) requires that each agency provide, in its biennial strategic plan for information resource management, a general description of its existing information security program and its future plans for assuring the security of information resources. In that same plan, each agency must identify the computer security policies and standards planned for implementation during the planning period.

1.1 Background and Purpose

Continuing availability of information is essential to the operation of state programs. Rapid and continuing technical advances in information processing have increased the dependence of state agencies on information and automated systems. The value of state data and software, in terms of restoration costs or losses due to unauthorized disclosure, far exceeds the value of its associated hardware. For that reason, information processed by computers must be recognized as a major state asset and be protected accordingly.

Texas Administrative Code (TAC) assigns to each head of an agency of state government the responsibility for assuring an adequate level of security for all data and information technology resources within that agency. The purpose of the Texas Information Resources Security and Risk Management Policy, Standards and Guidelines is to:

1.2 Classification of Information

The state's information files and databases are essential and vital public resources which must be protected from unauthorized modification, deletion or disclosure. Subject to executive management review, agency program managers have responsibility for the information assets utilized in carrying out the programs under their direction and accordingly are responsible for classifying program information. For purposes of this document, two classifications of information are defined which require special protective precautions:

As defined above, sensitive information may be either public or confidential and requires a higher than normal assurance of accuracy and completeness. Likewise, confidential information may also be considered sensitive, requiring special measures to ensure its accuracy. Thus, the controlling factor for confidential information is dissemination, while the controlling factor for sensitive information is that of integrity.

1.3 Policy

It is the policy of the State of Texas that:

1.4 Scope of Policy

Information security policies and standards apply to all agencies of state government. They apply to state automated information systems which access, process, or have custody of data. They apply to mainframe, minicomputer, microcomputer, distributed processing, and networking environments of the state. They apply equally to all levels of management and to the personnel they supervise.

State information security policies and standards apply to information resources owned by others, such as political subdivisions of the state or agencies of the federal government, in those cases where the state has a contractual or fiduciary duty to protect the resources while in the custody of the state. In the event of a conflict, the more restrictive security measures apply.

1.5 Information Security

Expanded agency use of computers and telecommunications has resulted in more accurate, reliable, and faster information processing, with information more readily available to management and staff than ever before. As a direct result of its growing commitment to the use of information technology, the state has realized increased productivity in terms of improved delivery of services, enhanced administrative capabilities, and lower operating costs.

Information technology has also brought new management concerns, challenges, and responsibilities. Information assets must be protected from natural and human hazards. Policies and practices must be established to ensure that hazards are eliminated or their effects minimized.

The focus of information security is on ensuring the protection of public health and safety and the continuation of agency program operations. Providing efficient accessibility to necessary information is the impetus for establishing and maintaining automated information systems. Protecting that information and the investment that surrounds it is the impetus for establishing an information security and risk management program.

Protecting information assets includes the:

Many program operations that were traditionally manual or partially automated are today fully dependent on the availability of automated information services to perform and support their daily functions. The interruption, disruption, or loss of information support services may adversely affect the state's ability to administer its programs and provide services or endanger the public's health or safety. The effects of such risks must be eliminated or minimized.

Additionally, information that is entered, processed, stored, generated, or disseminated by automated information systems must be protected from internal data or programming errors and from misuse by individuals within or outside the organization. Specifically, it must be protected from unauthorized or accidental modification, destruction, or disclosure. Otherwise, we risk compromising the integrity of state programs, violating individual rights to privacy, facing criminal acts, or endangering the public's safety.

An effective and efficient security and risk management program requires active support and ongoing participation from multiple disciplines and all levels of management within the agency. Responsibilities include identifying the vulnerabilities that may affect information assets and implementing the cost-effective security and risk management practices that function to minimize or eliminate their effects.

1.6 Overview of This Guideline

This guideline has been prepared to assist state agencies in establishing effective security and risk management programs in compliance with state policy. It is intended to provide practical guidance to agency management and to the security practitioner.

Within this guideline, the term vulnerability refers to threats that information assets may be exposed to, such as:

Risk refers to the effects or consequences associated with the vulnerabilities, such as the:

This guideline identifies the responsibilities of agency management and staff from a variety of disciplines in relation to information security and risk management issues. Following the basic classification established in TAC, it categorizes the individuals and organizations involved with information technology (and participants of security and risk management efforts) as owners, custodians, and users of information technology.

Additionally, in accordance with the policies defined in TAC, the guideline discusses the basis for classifying the information that is entered, stored, processed, generated, or disseminated by automated information systems as confidential or sensitive. It provides the basis for identifying those critical applications of information technology that are absolutely essential to the continuance of agency operations. Classifying information and the applications that function to process it is at the heart of identifying and selecting appropriate security and risk management practices.

This guideline provides information related to establishing a risk analysis process within a state agency. This process is the vehicle for a systematic assessment of each agency's information assets to determine which are or may be at risk. It provides a factual foundation for establishing the internal policies and procedures necessary to eliminate or minimize the effects of those risks.

The guideline provides information for planning and building an information security and risk management program that is based on the findings of the risk analysis process. In so doing, it addresses issues related to physical security, information security, and personnel practices.

Disaster recovery planning is discussed in general terms. However, the risk analysis process described in this guideline functions to provide each agency with the basis for establishing a contingency plan for information resources services resumption (operational recovery plan).

It addresses the security of personal computer, communications, and word processing systems, as well as information systems with public access components.

As it becomes necessary to update, modify, or enhance this publication, supplementary information will be disseminated to the state's information management community for inclusion in this guideline.