Texas Administrative Code
Title 1 - ADMINISTRATION
Part 10 - DEPARTMENT OF INFORMATION RESOURCES
Chapter 202 - INFORMATION SECURITY STANDARDS
Subchapter B - INFORMATION SECURITY STANDARDS FOR STATE AGENCIES
Section 202.24 - Agency Information Security Program

Universal Citation: 1 TX Admin Code § 202.24

Current through Reg. 50, No. 13; March 28, 2025

(a) Each state agency shall develop, document, and implement an agency-wide information security program, approved by the agency head under § 202.20 of this chapter, that includes protections based on risk for all information and information resources owned, leased, or under the custodianship of any department, operating unit, or employee of the state agency including outsourced resources to another state agency, contractor, or other source (e.g., cloud computing). The program shall include:

(1) periodic assessments in alignment with minimum legal reporting requirements of the risk and impact that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information, information systems, and applications that support the operations and assets of the agency;

(2) policies, controls, standards, and procedures that:

(A) are based on the risk assessments required by § 202.25 of this chapter;

(B) cost-effectively reduce information security risks to a level acceptable to the agency head;

(C) ensure that information security is addressed throughout the lifecycle of agency information resources; and

(D) ensure compliance with:

(i) the requirements of this subchapter;

(ii) minimally acceptable system configuration requirements as determined by the state agency; and

(iii) the control catalog published by the department;

(3) strategies to address risk to high impact information resources;

(4) plans for providing information security for networks, facilities, and systems or groups of information systems and applications based on risk;

(5) a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency; and

(6) a process to justify, grant, and document any exceptions to specific program requirements in accordance with requirements and processes defined in this chapter.

(b) State agencies are responsible for:

(1) defining all information classification categories except the Confidential Information category, which is defined in Subchapter A of this chapter, and establishing the controls for each;

(2) administering an ongoing information security awareness education program in compliance with the requirements of Texas Government Code § 2054.5191 -.5192 for all users; and

(3) introducing information security awareness and informing new employees of information security policies and procedures during the onboarding process.
