In any organization, people represent the greatest possible assets in maintaining an active level of security. At the same time, people represent the greatest threats to information security. No security program can be effective without maintaining employee awareness and motivation.
STANDARD. Each agency shall prepare a security manual that lists the agency's security policies and procedures. All agency personnel shall be required to provide written acknowledgement that they have received, read and understand the security policies and procedures. The agency head, or the information resources manager acting on delegated authority, shall determine how often this written acknowledgement must be renewed.
GUIDELINES. The manual should:
1. Describe the roles and responsibilities of the agency head, Information Security Officer, data processing managers, program managers, internal auditors, and other technical and program personnel with respect to security and risk management.
2. Affirm that all personnel have a responsibility for maintaining the security and confidentiality of the agency's information assets and that each individual must comply with the agency's information security policies, and procedures.
3. Describe the general roles and responsibilities of the owners, custodians, and users of information within the agency.
4. Inform staff regarding the oversight responsibilities of internal and control agency auditors in terms of reviewing the adequacy of the agency's information security policies and procedures.
5. Identify and discuss the disciplinary actions that will occur if personnel do not comply with security policies and procedures. (Disciplinary actions must be in accordance with state statute and policy.)
6. List procedures to ensure that new employees are knowledgeable about, understand their role in, and acknowledge agency security policies and procedures.
7. List procedures whereby all employees review, on an annual basis, the agency's security policies and procedures. At the time of this review, the employee should acknowledge in writing that he or she is aware of and understands agency security policies and procedures.
The manual should avoid references to people, places, or things that frequently change within the organization. For example, avoid using individual names or system acronyms. Instead, describe the agency's security policies and procedures in terms of program goals and job functions.
Every employee should be held responsible for information security to the degree that the duties of the job require the use of information and associated systems. Fulfillment of security responsibilities should be mandatory and violations of security policies, procedures, and/or requirements may be cause for disciplinary action, up to and including dismissal, civil penalties, or criminal penalties per the relevant federal laws or Texas statutes.
Individual positions should be analyzed to determine the potential vulnerabilities associated with work in those positions. In some cases it may be appropriate for agencies to designate classes of employment as being positions of special trust or responsibility. It may also be appropriate to designate locations as sensitive and require appropriate procedures and safeguards for all employees whose duties include access to those areas.
STANDARD. Each agency shall establish procedures for reviewing information resource functions to determine which positions require special trust or responsibilities.
GUIDELINES. The review procedures should be based on risk analysis and should consider the following criteria:
1. Whether the assigned duties bring the person occupying the position into contact with information which is, or may reasonably be expected to be:
a. Required by law to be kept confidential.
b. Related to security systems, procedures, or reports, or other information which may reveal state security systems.
c. Valuable to persons outside the organizational unit employing the individual.
d. Readily convertible to a form which is valuable to persons outside the organizational unit employing the individual.
e. Required by the state to continue its critical information processing activities, whether such information is confidential or public.
f. Entrusted to the state under a licensing agreement or by similar means, and which remains proprietary to others, and which may be subject to laws protecting copyrights, patents, or trade secrets.
2. Whether the assigned duties bring the person occupying the position into contact with information resources which are necessary for the continued operation of critical information processing activities.
3. The degree of independence of the position, and whether the individual occupying the position is capable, by acting alone and without further review or approval, to direct or influence the disposition of state assets.
STANDARD. Agencies shall use non-disclosure agreements to document the acceptance by employees and contractors of special information security requirements as defined by agency standards and risk management decisions.
1. All persons occupying positions of special trust or responsibility;
a. Should acknowledge, by signing a non-disclosure agreement, that their duties will bring them into contact with information or information resources that are of value to the state and that require protection,
b. Should be required to uphold the policies and procedures adopted to safeguard the information and associated resources that may be entrusted to them, or that they may come into contact with, and,
c. Should be required to agree to report violations of policies or procedures to their supervisor, their Information Security Function, or other person designated by the agency head.
2. Copies of non-disclosure agreements should be maintained in employee or contract files, and the agreements should be updated at least annually. A discussion of the terms of the agreement should be conducted with new employees upon hiring, and with terminating employees.
3. In addition to persons occupying positions of special trust or responsibility or occupying positions in sensitive locations, agency management may require other information processing users to sign non-disclosure agreements in accordance with this requirement.
An effective level of awareness and training is essential to a viable information security program. Employees who are not informed of risks or of management's policies and interest in security are not likely to take steps to prevent the occurrence of violations.
STANDARD. Agencies shall provide an ongoing awareness and training program in information security and in the protection of state information resources for all personnel whose duties bring them into contact with confidential or sensitive state information resources. Security training sessions for these personnel shall be held at least annually. Further, awareness and training in security shall not be limited to formal training sessions, but shall include periodic briefings and continual reinforcement of the value of security consciousness in all employees whose duties bring them into contact with confidential or sensitive state information resources.
1. New Employee Orientation. Each new employee should be required to attend an orientation which explains the agency's security policies and procedures. After the orientation, each employee should sign an acknowledgement of having attended the orientation and understands the agency's security requirements. Each new employee should receive a copy of the acknowledgement and of the agency's security policies and procedures.
2. The Agency's Security Requirements. Annual training programs should address information security requirements and their importance to the organization in terms of agency operations and the activities of agency personnel. Examples of topics include:
3. Security Awareness. Employee awareness of the importance of information security to the agency should be an ongoing educational activity directed to agency personnel. Information security awareness programs may include:
4. Seminars and Conferences. Seminars can be an effective method of training the security professional. They provide an opportunity for open dialogue on a particular subject with both instructors and other participants. Seminars frequently focus on a single subject, such as communications or physical security. This focus allows in depth study of the subject matter.
Conferences are an effective means of acquiring information about security. They bring together a variety of security professionals and vendors marketing security related products. Conferences provide a variety of views and expose security staff to new perspectives.
RESPONSIBILITY. A significant portion of computer security problems are caused by careless, uninformed or disgruntled employees. It is necessary that supervisory and management personnel take precautionary actions when hiring and/or terminating state employees. Security privileges must be removed whenever appropriate.
STANDARD. State agencies shall take advantage of new employee orientation to establish security awareness and inform new employees and contractors of information security policies and procedures. If an employee leaves the employment of any agency of the state, for whatever reason (resignation, termination, retirement), all security privileges shall be immediately revoked and the employee shall be prevented from having any opportunity to access information.
1. Background checks should be made of all persons being considered for positions of special trust or responsibility, for work within sensitive areas, or where their duties will bring them into contact with critical or sensitive information. Agency security policies should specify the positions or work areas affected by this policy and should specify the nature and extent of the background check. Employees and independent contractors should not begin work in these areas until they have signed a non-disclosure agreement.
2. Upon the resignation, retirement, or termination of a person occupying a position of special trust or responsibility, or working in a sensitive area, or upon notification to the employee of impending involuntary termination, agency management should revoke all access authorizations and should take custody of, or ensure the safe return, modification, or destruction of all of the following items assigned, or relating, to the terminating or notified person:
3. Security awareness training should be a part of the orientation for all new employees whether or not they also are assigned specific security responsibilities.
4. Agencies should specify procedures to safeguard state property upon the resignation, retirement or termination of persons occupying positions in which they may have been in contact with valuable state information or related resources.
5. If there are special conditions to the employment, such as denial of right to use certain information after employment, these should be reviewed with the departing employee and the specific conditions should be acknowledged by the employee in writing.
Employees who abuse alcohol or use illegal drugs pose a security problem. The abuse of alcohol and the use of illegal drugs on state premises constitutes a hazard to the employee as well as a potential risk to state assets.
The use of alcohol or illegal drugs should be brought to the attention of management for appropriate action.
In the course of enforcing each agency's information security policies and procedures, it may be necessary to employ disciplinary actions. Disciplinary actions may include a letter of reprimand, time off without pay, or even dismissal from state service. The availability of each option depends, among other factors, upon the severity of the infraction. It must be demonstrated that the employee was informed of the agency's information security policies and procedures and of the possible disciplinary actions for failure to comply with requirements. Any disciplinary actions taken by the agency should be conducted in compliance with the agency personnel manual as well as the relevant state and federal statutes governing personnel matters, including all relevant labor laws and regulations.
Any person who commits an unlawful breach of computer security or harmful access may be subject to prosecution under appropriate state and/or federal law. For example, chapter 33 of Texas Penal Code states that any person commits an offense who knowingly accesses and/or without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network without the effective consent of the owner of the computer or data or a person authorized to license access to the computer or data.