The Department of Information Resources (DIR) was established through the Information Resources Management Act [TEX. REV. CIV. STAT. ANN. art. 4413 (32j) (Vernon Supp.1992)] and is required by this act to "develop and publish policies, procedures, and standards relating to information resources management by state agencies, and ensure compliance with those policies, procedures, and standards." In accordance with this act the DIR has established the Information Security Standards (1 TAC 201.13(b)) requiring state agencies to provide for the confidentiality and security of state owned information and information resources.
Further, 1 TAC 201.13(b) requires that each agency must provide, in its biennial strategic plan for information resource management, a general description of its existing information security program and its future plans for assuring the security of information resources. In its biennial strategic plan for information resource management, each agency must identify the computer security policies and standards planned for implementation during the planning period.
Continuing availability of information is essential to the operation of state programs. Rapid and continuing technical advances in information processing have increased the dependence of state agencies on information and automated systems. The value of state data and software, in terms of restoration costs or losses due to unauthorized disclosure, far exceeds the value of its associated hardware. For that reason, information processed by computers must be recognized as a major state asset and be protected accordingly.
Texas Administrative Code (TAC) assigns to each head of an agency of state government the responsibility for assuring an adequate level of security for all data and information technology resources within that agency. The purpose of the Texas Information Resources Security and Risk Management Policy, Standards and Guidelines is to:
1. Establish and maintain management and staff accountability for the protection of information resources within agencies of state government.
2. Promulgate state policies regarding the security of data and information technology resources. Policies are broad principles underlying the state's information security program.
3. Define minimum security standards for the protection of state information resources. Standards are required administrative procedures or management controls.
4. Provide optional guidelines to assist agencies of state government in the implementation and interpretation of standards, and to recommend effective security practices which should be implemented where such controls are applicable, as determined by agency management.
5. Provide a compilation of information security material in support of security awareness and training programs.
The state's information files and databases are essential and vital public resources which must be protected from unauthorized modification, deletion or disclosure. Subject to executive management review, agency program managers have responsibility for the information assets utilized in carrying out the programs under their direction and accordingly are responsible for classifying program information. For purposes of this document, two classifications of information are defined which require special protective precautions:
As defined above, sensitive information may be either public or confidential and requires a higher than normal assurance of accuracy and completeness. Likewise, confidential information may also be considered sensitive, requiring special measures to ensure its accuracy. Thus, the controlling factor for confidential information is dissemination, while the controlling factor for sensitive information is that of integrity.
It is the policy of the State of Texas that:
1. Automated information and information resources residing in the various agencies of state government are strategic and vital assets belonging to the people of Texas. These assets require a degree of protection commensurate with their value. Measures shall be taken to protect these assets against accidental or unauthorized disclosure, modification or destruction, as well as to assure the security, reliability, integrity and availability of information.
2. The protection of assets is a management responsibility.
3. Access to state information resources must be strictly controlled. State law requires that state owned information resources be used only for official state purposes.
4. Information which is sensitive or confidential must be protected from unauthorized access or modification. Data which is essential to critical state functions must be protected from loss, contamination, or destruction.
5. Risks to information resources must be managed. The expense of security safeguards must be appropriate to the value of the assets being protected, considering value to both the state and a potential intruder.
6. The integrity of data, its source, its destination, and processes applied to it must be assured. Changes to data must be made only in authorized and acceptable ways.
7. In the event a disaster or catastrophe disables information processing and related telecommunication functions, the ability to continue critical governmental services must be assured. Information resources must be available when needed.
8. Security needs must be considered and addressed in all phases of development or acquisition of new information processing systems.
9. Security awareness and training of employees is one of the most effective means of reducing vulnerability to errors and fraud and must be continually emphasized and reinforced at all levels of management. All individuals must be accountable for their actions relating to information resources.
10. Agency information security programs must be responsive and adaptable to changing vulnerabilities and technologies affecting state information resources.
11. Agencies must ensure adequate separation of functions for tasks that are susceptible to fraudulent or other unauthorized activity.
Information security policies and standards apply to all agencies of state government. They apply to state automated information systems which access, process, or have custody of data. They apply to mainframe, minicomputer, microcomputer, distributed processing, and networking environments of the state. They apply equally to all levels of management and to the personnel they supervise.
State information security policies and standards apply to information resources owned by others, such as political subdivisions of the state or agencies of the federal government, in those cases where the state has a contractual or fiduciary duty to protect the resources while in the custody of the state. In the event of a conflict, the more restrictive security measures apply.
Expanded agency use of computers and telecommunications has resulted in more accurate, reliable, and faster information processing, with information more readily available to management and staff than ever before. As a direct result of its growing commitment to the use of information technology, the state has realized increased productivity in terms of improved delivery of services, enhanced administrative capabilities, and lower operating costs.
Information technology has also brought new management concerns, challenges, and responsibilities. Information assets must be protected from natural and human hazards. Policies and practices must be established to ensure that hazards are eliminated or their effects minimized.
The focus of information security is on ensuring the protection of public health and safety and the continuation of agency program operations. Providing efficient accessibility to necessary information is the impetus for establishing and maintaining automated information systems. Protecting that information and the investment that surrounds it is the impetus for establishing an information security and risk management program.
Protecting information assets includes the:
Many program operations that were traditionally manual or partially automated are today fully dependent on the availability of automated information services to perform and support their daily functions. The interruption, disruption, or loss of information support services may adversely affect the state's ability to administer its programs and provide services or endanger the public's health or safety. The effects of such risks must be eliminated or minimized.
Additionally, information that is entered, processed, stored, generated, or disseminated by automated information systems must be protected from internal data or programming errors and from misuse by individuals within or outside the organization. Specifically, it must be protected from unauthorized or accidental modification, destruction, or disclosure. Otherwise, we risk compromising the integrity of state programs, violating individual rights to privacy, facing criminal acts, or endangering the public's safety.
An effective and efficient security and risk management program requires active support and ongoing participation from multiple disciplines and all levels of management within the agency. Responsibilities include identifying the vulnerabilities that may affect information assets and implementing the cost-effective security and risk management practices that function to minimize or eliminate their effects.
This guideline has been prepared to assist state agencies in establishing effective security and risk management programs in compliance with state policy. It is intended to provide practical guidance to agency management and to the security practitioner.
Within this guideline, the term vulnerability refers to threats that information assets may be exposed to, such as:
Risk refers to the effects or consequences associated with the vulnerabilities, such as the:
This guideline identifies the responsibilities of agency management and staff from a variety of disciplines in relation to information security and risk management issues. Following the basic classification established in TAC, it categorizes the individuals and organizations involved with information technology (and the participants in security and risk management efforts) as owners, custodians, and users of information technology.
Additionally, in accordance with the policies defined in TAC, the guideline discusses the basis for classifying the information that is entered, stored, processed, generated, or disseminated by automated information systems as confidential or sensitive. It provides the basis for identifying those critical applications of information technology that are absolutely essential to the continuance of agency operations. Classifying information and the applications that function to process it is at the heart of identifying and selecting appropriate security and risk management practices.
This guideline provides information related to establishing a risk analysis process within a state agency. This process is the vehicle for a systematic assessment of each agency's information assets to determine which are or may be at risk. It provides a factual foundation for establishing the internal policies and procedures necessary to eliminate or minimize the effects of those risks.
The guideline provides information for planning and building an information security and risk management program that is based on the findings of the risk analysis process. In so doing, it addresses issues related to physical security, information security, and personnel practices.
Disaster recovery planning is discussed in general terms. However, the risk analysis process described in this guideline functions to provide each agency with the basis for establishing a contingency plan for information resources services resumption (operational recovery plan).
It addresses the security of personal computer, communications, and word processing systems, as well as information systems with public access components.
As it becomes necessary to update, modify, or enhance this publication, supplementary information will be disseminated to the state's information management community for inclusion in this guideline.