Texas Security and Risk Management

2.0 Management & Staff Responsibilities

Copyright (c) 1995 - Management Analytics - All Rights Reserved

The state's approach to information security and risk management requires the active support and ongoing participation of individuals from multiple disciplines and all management levels. It requires the support of executive, program, and technical management, as well as all administrative and technical personnel whose duties bring them in contact with critical or sensitive state information resources.

This section provides suggestions as to specific roles and responsibilities for both management and staff and includes standards and guidelines for sound security practices which should be applicable to most state agencies.

2.1 Executive Management - The Agency Head

RESPONSIBILITY. The agency head is responsible for establishing and maintaining an information security and risk management program within the agency. It is the responsibility of the agency head to assure that the agency's information assets are protected from the effects of damage, destruction, and unauthorized or accidental modification, access, or disclosure.

Specifically, heads of agencies are responsible for:

The agency head retains ultimate responsibility for enforcement of all security and risk management policies but may delegate the remaining responsibilities to the Information Resources Manager (IRM).

2.2 Assignment of Security Related Responsibilities

STANDARD. The responsibilities of a position with respect to security and risk management shall be commensurate with its authority. Descriptions of security roles and responsibilities for agency personnel shall be included in written position descriptions and compiled in the agency security manual developed and maintained by the Information Security Function.

2.3 The Information Security Function

RESPONSIBILITY. The Information Security Function is responsible for directing the development of, and overseeing, agency policies and procedures designed to protect the agency's automated information assets.

STANDARD. Each agency head, or the IRM acting on delegated authority, shall institute an Information Security Function to administer the agency information security program. It shall be the duty and responsibility of this function to establish all procedures and practices necessary to ensure the security of information assets against unauthorized or accidental modification, destruction or disclosure.

STANDARD. The Information Security Function within each agency shall document and maintain an up-to-date internal information security program. The agency security program shall include written internal policies and procedures for the protection of information resources, be an instrument implementing state information security policies and standards, be applicable to all elements of the agency and be signed by the IRM or the agency head.

GUIDELINES. The security duties and functions below should be assigned in writing. The Information Security Function is tasked with overseeing the agency's security effort and should:

2.4 Owners, Custodians, and Users of Information

The Information Resources Management Act makes it clear that information and information resources residing in the various agencies of state government are assets owned by the people of Texas. For the purpose of information resources security and risk management, the Texas Administrative Code defines the concepts of owners, custodians, and users of information resources, and their surrogate responsibilities to the people of Texas, in the development of an information security program designed to provide cost-effective controls that ensure information is not subject to unauthorized modification, disclosure, or destruction. To achieve this objective, procedures governing access to each collection of related information should be in place. The effectiveness of access rules depends to a large extent on correctly identifying those surrogate owners, custodians, and users of information.

RESPONSIBILITY. Normally, ownership responsibility resides with the program management that employs the data processed by an automated system.

Custodial responsibility resides with any person or group who is charged with the physical possession of information assets by the agency management. Custodians are normally technical managers (e.g., Data Processing Director, Network Services Director or even separate entities, such as another agency or private outsourcing firm) that provide technical facilities and support services to owners and users of information.

Users of information include the individuals and state agencies that utilize the information that is processed by an automated information system. This includes consultants, contractors and other non-employees of the state who utilize state-owned information assets.

The determination of ownership, custodian, and user responsibilities is specific to the data processed by an automated system.

STANDARD. Owners, custodians and users of data, software and other information resources shall be identified, documented and their responsibilities defined. All resources shall be assigned an owner. In cases where data or software is aggregated for purposes of ownership, the aggregation shall be at a level which assures individual accountability. The following distinctions among owner, custodian, and user responsibilities should guide determination of these roles:

2.5 Program Management

RESPONSIBILITY. Agency program managers have ownership responsibility for the information assets utilized in carrying out the program(s) under their direction. Program managers have responsibility and authority for acquiring, creating and/or maintaining the assets under their ownership.

STANDARD. The agency Information Security Function, acting on behalf of the agency head and with the cooperation of program and technical management, shall assign information asset ownership and ownership responsibilities for all information resources within the agency.

GUIDELINES. Program managers have the following ownership responsibilities in relation to their agency's information security and risk management program:

2.6 Technical Management

RESPONSIBILITY. Technical managers, such as Data Processing Directors, Data Center Managers and Network Directors, who are charged with physical possession of information assets for the purposes of providing information services, have custodial responsibility for the assets used in providing those services.

STANDARD. Program managers, having been assigned information resource ownership, shall assign custody of program assets to appropriate technical and data center managers and ensure they are provided the appropriate direction to implement the security controls and procedures that have been defined.

STANDARD. Technical managers, assigned information resource custodianship, are charged with executing the monitoring techniques and procedures for detecting, reporting and investigating breaches in information asset security. Custodial responsibilities apply to all entities providing outsourcing services to state agencies.

GUIDELINES. Technical managers assigned as custodians of information assets have the following responsibilities in relation to their agency's information security and risk management program:

2.7 Security Administrator

RESPONSIBILITY. Security Administrators are responsible for providing security and risk management related support services.

GUIDELINES. Personnel assigned as Security Administrators have the following responsibilities in relation to their agency's information security and risk management program:

2.8 User Personnel

RESPONSIBILITY. All program personnel and other users (including consultants, contractors, and non-state employees) of the automated information assets for which the program is assigned ownership assume secondary responsibility for those assets and, in so doing, must comply with all established security controls and procedures.

GUIDELINES. User personnel have the following security and risk management responsibilities:

2.9 Internal Auditor

STANDARD. An internal audit of the Information Security Function shall be performed periodically, based on risk assessment, as directed by the agency head or the Information Resources Manager acting on delegated authority for risk management decisions.

RESPONSIBILITY. Internal auditors have the following responsibilities in relation to the agency's security and risk management efforts:

2.10 Failure to Comply with Minimum Standards

The head of an agency is responsible for assuring that the state's security and risk management policies are enforced. Should any audit indicate that the state's security policies are not established or that the agency has not taken corrective action with respect to security deficiencies, the agency may be subject to any or all of the following: