Policy 7.3 Information Security Program
SCOPE: FACULTY, STAFF, AND STUDENTS
1. POLICY STATEMENTS
1.1. Title 1, Part 10, Chapter 202, Texas Administrative Code, commonly known as TAC 202, requires the institution head of each Texas state agency and public institution of higher education to protect their institution’s information resources by establishing an information security program consistent with the TAC 202 standards. In compliance with TAC 202, this policy statement and its references reflect the policies, procedures, standards and guidelines comprising LIT’s information security program.
1.2. The purpose of this policy is to articulate a framework for LIT’s information security program.
2. ROLES AND RESPONSIBILITIES
2.1. Information Resources Manager (IRM)
2.1.1. The IRM’s responsibilities include
a) Preparing a biennial operating plan in accordance with 2054 Texas Government Code.
b) Overseeing the implementation of LIT’s project management practices.
c) Overseeing the acquisition and use of information technology for LIT.
d) Approving all information technology-related purchases, with the exception of computing hardware devices and components used strictly for hands-on teaching purposes.
2.1.2. The IRM shall receive continuing professional education in accordance with the guidelines established by the Texas Department of Information Resources.
2.1.3. The Director of Information Technology is the designated IRM for LIT.
2.2. Information Security Officer (ISO)
2.2.1. The ISO has authority over information security for LIT.
2.2.2. The ISO must possess the appropriate training and experience required to administer the functions described in this section.
2.2.3. The ISO’s responsibilities include
a) Developing and recommending policies and establishing procedures and practices, in cooperation with the IRM, information owners, and information custodians, necessary to ensure the security of information and information resources against unauthorized or accidental modification, destruction, or disclosure.
b) Developing, documenting, implementing, and maintaining a security incident response plan to ensure that security events are thoroughly investigated, documented, and reported, that damage is minimized, that risks are mitigated, and that remedial actions are taken to prevent recurrence.
c) Developing, documenting, and maintaining all aspects of LIT’s Information Security Program.
d) Serving as the LIT internal and external point of contact for information security matters.
e) Monitoring the effectiveness of strategies, activities, measures, and controls designed to protect LIT information resources.
f) Providing guidance and training to institution officials, information owners, information custodians, and end users concerning their security-related responsibilities as part of LIT’s information security awareness program.
g) Providing consulting and technical support services to information owners and custodians to define and deploy cost-effective security controls and protections that address all applicable security requirements and LIT’s information security risks.
h) Informing appropriate parties of LIT’s security requirements in the event of non-compliance.
i) Coordinating and overseeing LIT’s annual security risk assessment process.
j) Coordinating the review of the data security requirements, specifications, and, if applicable, third-party risk assessment of any new computer applications or services that receive, maintain, and/or share confidential or sensitive data.
k) Verifying that security requirements are identified and risk mitigation plans are developed and contractually agreed and obligated prior to the purchase of information technology hardware, software, and systems development services for any new high-impact computer applications or computer applications that receive, maintain, and/or share confidential or sensitive data.
2.2.4. The ISO, with the approval of the state institution of higher education head, may issue exceptions to required information security controls. Any such exceptions shall be justified, documented and communicated as part of the risk assessment process.
2.2.5. The ISO reports directly to the IRM. If there is no other LIT employee that currently holds the role of ISO, that role shall be assigned to the IRM.
2.3. All members of the LIT community share responsibility for protecting LIT’s information resources and, as such, are essential components of LIT’s information security organization. LIT has defined and assigns three generic roles with respect to the security of information resources: owner, custodian, and user. Each individual assumes one or more of these roles with respect to each information resource they use and, as a result, is accountable for the responsibilities attendant to those roles. Responsibilities associated with each role are noted throughout this and other LIT information resources policies.
3.1. LIT’s information security program is positioned within the Information Technology unit and is administered by the Information Security Officer (ISO). LIT Information Technology implements the information security program in collaboration with all LIT constituents that use and support LIT’s information resources.
3.2. The program shall contain risk-based administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of LIT information resources.
3.3. The program shall be informed by relevant federal and state legislative requirements, Texas State University System policies, regulatory requirements, and industry standards.
3.5. All units with operational responsibility for various aspects of information security (e.g., physical security, personnel security, technical security controls) shall contribute to program creation, maintenance, and implementation.
3.5. The program will be monitored regularly and the ISO will provide executive management with periodic reports.
3.6. The program and associated plans and procedures shall be reviewed and updated on an annual basis. Additional review and updates shall be triggered by any changes that impact information security, security risk assessments, and implementation issues.
3.7. Program, plan, and procedure documentation, including security-related plans identified in this and other LIT information resources policies, shall be protected from unauthorized disclosure or modification.
3.8. The program shall ensure that adequate separation of duties exists for tasks that are susceptible to fraudulent activity.
4. INFORMATION SECURITY RISK MANAGEMENT
4.1. The ISO shall annually complete or commission completion of a risk assessment with the assistance of relevant owners and custodians. The assessment must include a classification of their information according to its need for security protection (i.e., its need for confidentiality, integrity, and availability) (see 7.4 Information Asset Management).
4.2. Where possible and practical, the assessment must also include the following elements:
4.2.1. Reasonable, foreseeable, internal, and external risks to the security, confidentiality, integrity, and availability of those resources.
4.2.2. Assessment of the sufficiency of safeguards in place to control these risks and document their level of risk acceptance (i.e., the exposure remaining after implementing appropriate protective measures, if any).
4.2.3. Consideration of employee training and management, information systems architecture and processes, business continuity planning and prevention, detection and response to intrusion and attack.
4.3. The assessment results shall be documented in a written report, protected from unauthorized disclosure, modification, or destruction, and retained until superseded by a subsequent documented assessment, plus one year.
4.4. The ISO and owners shall identify remedial actions to correct weaknesses or deficiencies noted during the risk assessment process. These actions shall be documented in a plan of action and milestones, which is updated based on findings from subsequent risk assessments, security impact analyses, and monitoring activities.
4.5. The IRM shall commission periodic reviews of LIT’s information security program for compliance with TAC 202 standards. Reviews will be conducted at least biennially by individuals independent of the information security program and will be based on business risk management decisions.
5. INFORMATION SECURITY AWARENESS
5.1. All new employees shall complete basic security training within 45 days of hire.
5.2. Where applicable and appropriate, employees shall complete information system-specific security training before being authorized to access said information system.
5.3. As part of general security awareness, the ISO shall
5.3.1. Provide notification of security threats via email and other appropriate communication media.
5.3.2. Maintain a security awareness web site with content suitable for employees and students.
5.4. All security awareness educational materials will be reviewed and updated on an annual basis and when triggered by relevant events such as information system changes that impact security, updates to security-related policies, and security incidents.
5.5. Unit heads are authorized to assign security training to their employees.
5.6. Completion of security training shall be documented and documentation retained as per records retention requirements.
6. INFORMATION SECURITY EXCEPTIONS
6.1. Exceptions may be granted to address circumstances or business needs.
6.2. Requests for exceptions must be initiated by the information resource owner (as the accountable party) and submitted to LIT Information Technology.
6.3. Requests must contain the following information:
a) The policy for which the exception is sought.
b) The information resources and the data included in the exception.
c) The reason for the exception (e.g., why compliance with the policy is not feasible).
d) Workarounds, compensating security controls, or other mitigation activities in place.
e) Risk management rationale.
6.4. Each request will be reviewed by the ISO and IRM. After any questions or concerns are addressed, the ISO will accept or reject the exception with the concurrence of the IRM and the approval of the LIT President and executive management.
6.5. Approvals may be contingent upon the application of compensating security controls to reduce risk resulting from the exception. All approvals will have an expiration date no later than two (2) years from the request date.
6.6. A record of all requests and their disposition shall be maintained by the LIT Information Technology department.
7. INFORMATION SECURITY REPORTING
7.1. The ISO shall report to the LIT President and executive management at least annually on the following topics:
a) The adequacy and effectiveness of LIT’s information security policies, procedures, and practices, as determined by risk assessment.
b) Compliance with information security requirements.
c) Changes to information security requirements that may impact LIT information security and privacy policies, procedures, and practices.
d) The effectiveness of the current information security program and the status of key initiatives.
e) Security-related requests, such as security exceptions and requests for resources.
7.2. The ISO shall comply with the following Texas Department of Information Resources reporting requirements:
a) Prompt reporting of security incidents involving criminal violations, disclosure or modification of confidential information or sensitive personal information, other state-owned systems, or those requiring public notification.
b) Monthly reporting of security-related events no later than nine (9) calendar days after the end of the month.
c) Biennial reporting of LIT’s Information Security Plan, in accordance with 2054.133 Texas Government Code.
8. INFORMATION SYSTEM SECURITY PLANS
8.1. Information systems that store, process, or transmit regulated information shall have a security plan on file with the office of the ISO that addresses security requirements for regulatory compliance.
8.2. Information system security plans shall be approved by the ISO and appropriate information owners.
8.3. Information system security plans shall include the following elements, as appropriate:
a) Operational context of the information system in terms of mission and business processes.
b) Classification of data stored, processed, or transmitted by the system.
c) Overview of the security requirements for the system, including applicable legislative or regulatory requirements.
d) Security controls in place or planned for meeting identified requirements.
e) Operating environment for the information system and relationships with or connections to other information systems.
9. INFORMATION SECURITY INCIDENT RESPONSE
9.1. LIT Information Technology shall act as an incident response support resource for users of LIT information resources in all phases of the incident handling process.
9.2. Detection and Notification
9.2.1. LIT personnel shall report suspected security incidents to LIT Information Technology immediately upon discovery, or as soon thereafter as is practical.
9.2.2. LIT Information Technology shall report all suspected and confirmed security incidents to the ISO and IRM in a timely manner.
9.2.3. The ISO shall notify executive management and relevant information owners in a timely manner.
9.3. Analysis and Containment
9.3.1. Appropriate measures shall be taken to contain the incident. This includes but is not limited to removal of computing devices from the LIT network, disabling affected accounts, or limiting available services.
9.3.2. If it is possible that unauthorized access to confidential or sensitive information occurred during the incident, LIT Information Technology must determine whether or not unauthorized disclosure occurred or is reasonably believed to have occurred.
9.3.3. If it is determined that unauthorized disclosure did occur, the ISO will work with all appropriate personnel and offices, including LUPD where appropriate, to ensure that all required information is identified and all persons whose information may have been subject to unauthorized disclosure are notified in accordance with applicable laws.
9.4. Incidents shall be tracked and documentation shall be maintained by the ISO as per records retention requirements.
10. AUTHORITY AND RESPONSIBILITY
Questions related to this policy should be addressed to the IRM at firstname.lastname@example.org.