Security of Texas State Information Resources
UPPS No. 04.01.01
Issue No. 11
Effective Date: 5/09/2019
Next Review Date: 4/01/2021 (E2Y)
Sr. Reviewer: Chief Information Security Officer
Title 1, Part 10, Chapter 202, Texas Administrative Code, commonly known as TAC 202, requires the institution head of each Texas State agency and public institution of higher education to protect their institution’s information resources by establishing an information security program consistent with TAC 202 standards. In compliance with TAC 202, this policy statement and its references reflect the policies, procedures, standards, and guidelines comprising the information security program of Texas State University. The terms and phrases in this policy statement shall have the meanings ascribed to them in TAC 202.1, unless otherwise provided herein.
The Texas State Information Security program is positioned within the Office of the Vice President for Information Technology (VPIT) and administered by the university’s Information Security Officer (ISO). The ISO’s Information Technology (IT) Security team implements the Information Security program in collaboration with all university constituents that use and support the university’s information resources (see TAC 202.70(3) and TAC 202.71(b)).
Information resources that support the operations of Texas State are strategic and vital assets belonging to the people of Texas. These assets must be available when needed and protected commensurate with their value. All members of the university community, regardless of position or role, share responsibility for protecting the university’s information resources. The Texas State community shall take appropriate measures to protect the university’s information resources against accidental or unauthorized disclosure, contamination, modification, or destruction, and to assure the confidentiality, authenticity, utility, integrity, and availability of university information (see TAC 202.72).
All individuals are accountable for their use of the university’s information resources. Individuals shall comply with applicable laws, The Texas State University System (TSUS) Regents’ Rules, and all university policies in their use of these resources (see TAC 202.72).
In addition to this policy, the following university policies are particularly relevant and noteworthy:
UPPS No. 04.01.05, Network Use Policy – describes policy and procedures for administration, maintenance, and operation of the university’s network infrastructure;
UPPS No. 04.01.07, Appropriate Use of Information Resources – describes both intended and prohibited uses of information resources;
UPPS No. 04.01.09, Server Management Policy – describes policies and standards for administration, maintenance, and operation of the university’s computer servers;
UPPS No. 04.01.10, Information Security Incident Management – establishes incident response procedures and reporting requirements;
UPPS No. 04.01.11, Risk Management of Information Resources – describes the process and procedures to manage risk to information resources;
UPPS No. 05.01.02, University Surplus Property (Equipment and Consumable Supplies) – provides guidance in the appropriate disposal of computer equipment and digital media; and
UPPS No. 05.02.06, Acquisition of Information Technology Products and Services – provides guidance regarding the purchase, rental, lease, or free acceptance of information technology products or services from third-party providers.
Information that is sensitive or confidential must be protected from unauthorized access or modification. Data that is essential to critical university functions must be protected from loss, contamination, or destruction (see NIST 800-53 AC-2).
Risks to information resources must be managed. The expense of security safeguards must be appropriate to the value of the assets being protected, considering value of the asset to the university, regulatory agencies, the public, potential intruders, and any other person or organization with an interest in the assets (see NIST 800-53 PM-9, RA-3 and UPPS No. 04.01.11, Risk Management of Information Resources).
The integrity of data, its source, its destination, and processes applied to it are critical to its value. Changes to data must be made only in authorized and acceptable ways (see TAC 202.70(5)).
Information resources must be available when needed. Continuity of information systems supporting critical university functions must be ensured in the event of a disaster or disruption in normal operations (see TAC 202.70(6)).
Security requirements shall be identified, documented, and addressed in all phases of development or acquisition of information resources (see NIST 800-53 SA-3).
Security awareness of employees must be introduced during the onboarding process, and continually emphasized and reinforced at all levels of management. All individuals must be accountable for their actions relating to information resources (see NIST 800-53 AT-2 and TAC 202.24(b)).
The Information Security program must be responsive and adaptable to changing vulnerabilities and technologies affecting information resources. Its components shall be reviewed and modified in a timely fashion to meet emerging and evolving threats.
The university must ensure adequate controls and separation of duties for tasks that are susceptible to fraudulent or other unauthorized activity (see NIST 800-53 AC-5).
INFORMATION SECURITY ORGANIZATION
The VPIT is the university’s information resources manager (IRM) as defined in the Information Resources Management Act (IRMA) (Tex. Gov’t Code § 2054). The IRM oversees the acquisition and use of information technology within a state agency or university.
IRMA and the Texas Administrative Code (see TAC, Title 1, Part 10, Chapter 211) establish rules and responsibilities for the designated IRM that include executive level oversight for security and risk management of the university’s information resources. Consequently, the Office of the VPIT directs the university’s information technology security function.
The ISO is the designated administrator of the Information Security program. As such, the ISO is responsible for all aspects of the university’s Information Security program (see TAC 202.71).
The ISO is specifically charged with the following responsibilities:
develop, recommend, and establish policies, procedures, and practices as necessary to protect the university’s information resources against unauthorized or accidental modification, destruction, or disclosure;
identify and implement proactive and reactive technical measures to detect vulnerabilities and to defend against external and internal security threats;
provide consulting and technical support services to owners, custodians, and users in defining and deploying cost-effective security controls and protections;
establish, maintain, and institutionalize security incident response procedures to ensure that security events are thoroughly investigated, documented, and reported; that damage is minimized; that risks are mitigated; and that remedial actions are taken to prevent recurrence;
establish and publicize a security training and awareness program to achieve and maintain a security-conscious user community;
document, maintain, and obtain ongoing support for all aspects of the Information Security program;
monitor the effectiveness of strategies, activities, measures, and controls designed to protect the university’s information resources;
assure executive management awareness of legal and regulatory changes that might impact the university’s information security and privacy policies and practices;
serve as the university’s internal and external point of contact for information security matters;
report frequently (at least annually) on the status and effectiveness of the Information Security program as directed by the VPIT (see TAC 202.73(a)); and
have authority for information security for the entire institution (see TAC 202.71(a)(2)).
As stated in Section 01.02, all members of the university community share responsibility for protecting the university’s information resources and, as such, are essential components of the university’s Information Security program. Nonetheless, individual responsibilities can vary significantly according to an individual’s relationship with any given information resource. In recognition of those variances, the university has defined and assigned three generic roles with respect to the security of information resources: the owner role, the custodian role, and the user role. Each individual assumes one or more of these roles with respect to each information resource they use and, as a result, is accountable for the responsibilities attendant to those roles (see UPPS No. 04.01.11, Risk Management of Information Resources).
HUMAN RESOURCES SECURITY PROCEDURES
In any organization, people represent both the greatest information security assets and the greatest information security threats. Consequently, employee awareness and motivation are integral parts of any comprehensive Information Security program.
To emphasize security awareness and the importance of individual responsibility with respect to information security, all Texas State employees shall explicitly affirm their agreement to abide by the university’s information security, copyright, and appropriate use policies annually (see TAC 202.70(3)).
Information Security shall provide training and literature during the employee onboarding process, as well as recurring information security education through periodic workshops, educational events, and online training. All such training and events will provide references to relevant university policy and procedure documents and promote the Information Security website as a valuable repository of information security policies, procedures, guidelines, and best practices. Department heads shall continually reinforce the value of security consciousness in all employees whose duties entail access to sensitive or confidential information resources (see NIST 800-53 AT).
Department heads are responsible for implementing the measures necessary to ensure that department members maintain the confidentiality of information used in departmental operations. Examples of such information include personnel and payroll records, transcript and grade records, financial aid information, and other sensitive or confidential information. Such information shall not be used for unauthorized purposes or accessed by unauthorized individuals. Department heads are encouraged to obtain and retain signed non-disclosure agreements from their employees prior to granting those employees access to departmental information resources. Template non-disclosure agreements are available, together with other Policies, Standards and Guides, on the Information Security website (see TAC 202.70 and TAC 202.72).
Department heads are responsible for ensuring that access privileges are revoked or modified as appropriate for any employee in their charge who is terminating, transferring, or changing duties. Department heads should provide written notification to the appropriate security administrator whenever an employee’s access privileges should be revoked or changed as a result of the employee’s change in status (a list of major Information System Assets and Security Administrators is available on the Information Security website) (see TAC 202.72).
Owners of information resources shall obtain and retain signed non-disclosure agreements from all temporary employees, consultants, contractors, and other external parties prior to their obtaining access to Texas State information resources. The agreements shall affirm their compliance with Texas State’s security policies and procedures. Template non-disclosure agreements are available, together with other Policies, Standards and Guides, on the Information Security website (see TAC 202.72).
PHYSICAL AND ENVIRONMENTAL SECURITY PROCEDURES
Physical access to mission critical information resources facilities shall be managed and documented by the facility’s custodian. The facilities must be protected by physical and environmental controls appropriate for the size and complexity of the operations and the criticality or sensitivity of the systems operated within those facilities (see NIST 800-53 PE-1).
The information owner must review physical security measures annually in conjunction with each facility’s risk assessment, as well as whenever facilities or security procedures are significantly modified (see TAC 202.72).
Physical access to information resources facilities administered by the IT division is restricted to individuals having prior authorization from the associate vice president, or designee, responsible for the facility. The responsibility for securing departmentally-administered computer facilities or equipment from unauthorized physical access ultimately rests with the designated owner and designated custodian of the facility or equipment.
A log will be maintained of all persons entering or leaving the university’s primary data centers, including date, time, and purpose of the visit. Access to the equipment rooms in these data centers shall be electronically secured and visually monitored and recorded.
Employees and information resources shall be protected from the environmental hazards posed by information resources facilities. Employees with duty stations inside information resources facilities shall be trained to monitor any installed environmental controls and equipment, and to respond appropriately to emergencies or equipment malfunctions. Emergency procedures shall be developed, documented, and regularly tested in collaboration with the university’s Office of Environmental Health, Safety & Risk Management (see NIST 800-53 PE).
Terminals, computers, workstations, mobile devices (e.g., laptops, portable storage devices, smart phones, etc.), communication switches, network components, and other devices outside the university’s primary data centers shall receive the level of protection necessary to ensure the integrity and confidentiality of the university information accessible through them. The required protection may be achieved by physical or logical controls, or a combination thereof.
No authenticated work session (i.e., a session in which the user’s identity has been authenticated and authorization has been granted) shall be left unattended on one of these devices unless appropriate measures have been taken to prevent unauthorized use. Examples of appropriate measures include:
manually locking the device to be left unattended through use of a password-protected lock screen;
automatic activation of a password-protected screensaver after a brief inactivity period (15 minutes or less, based upon risk assessment); and
location or placement of the device in a locked enclosure preventing access to the device by unauthorized parties.
The creator of the work session is responsible for any activity that occurs during a work session logged in under their account.
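The following is an added example, not part of this UPPS, showing how a custodian might audit the unattended-session rule above (password-protected lock enabled, automatic lock after 15 minutes or less). It assumes lock settings have already been exported from an endpoint management tool into simple records; the record layout, host names, and values are constructed for illustration. The one check worth noting is that many platforms encode "never lock" as an idle timeout of 0, which a naive "timeout <= 15 minutes" comparison would wrongly accept.

```python
"""Audit endpoint screen-lock settings against the unattended-session rule.

Added illustration for UPPS 04.01.01; not university code. The record shape
(host, lock_enabled, idle_timeout_seconds) is an assumption about what an
endpoint management export would provide.
"""
from dataclasses import dataclass

# Policy ceiling from the UPPS: lock after 15 minutes or less of inactivity.
MAX_IDLE_SECONDS = 15 * 60


@dataclass
class LockSettings:
    host: str
    lock_enabled: bool          # password-protected lock screen/screensaver on
    idle_timeout_seconds: int   # 0 (or negative) conventionally means "never"


def evaluate(settings: LockSettings) -> list[str]:
    """Return a list of findings; an empty list means the host is compliant."""
    findings: list[str] = []
    if not settings.lock_enabled:
        findings.append("password-protected lock not enabled")
    # Check the "never" encoding before the ceiling: 0 <= 900 would otherwise pass.
    if settings.idle_timeout_seconds <= 0:
        findings.append("idle timeout disabled (session never locks automatically)")
    elif settings.idle_timeout_seconds > MAX_IDLE_SECONDS:
        findings.append(
            f"idle timeout {settings.idle_timeout_seconds}s exceeds "
            f"policy ceiling of {MAX_IDLE_SECONDS}s"
        )
    return findings


def audit(all_settings: list[LockSettings]) -> dict[str, list[str]]:
    """Map each host to its findings so non-compliant hosts can be reported."""
    return {s.host: evaluate(s) for s in all_settings}


def noncompliant_hosts(all_settings: list[LockSettings]) -> list[str]:
    """Hosts with at least one finding, in input order."""
    return [host for host, findings in audit(all_settings).items() if findings]


# Constructed sample export (hypothetical host names and values).
SAMPLE = [
    LockSettings("lab-01", lock_enabled=True, idle_timeout_seconds=600),   # 10 min: ok
    LockSettings("lab-02", lock_enabled=True, idle_timeout_seconds=0),     # "never": fail
    LockSettings("lab-03", lock_enabled=False, idle_timeout_seconds=1800), # off and 30 min
    LockSettings("lab-04", lock_enabled=True, idle_timeout_seconds=900),   # exactly 15 min: ok
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{host}: {status}")
```

A boundary timeout of exactly 15 minutes is treated as compliant, matching the policy's "15 minutes or less"; a department whose risk assessment sets a shorter limit would lower `MAX_IDLE_SECONDS` accordingly.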
CONTINUITY OF OPERATIONS MANAGEMENT PROCEDURES
Administrative heads responsible for delivering mission critical university services should maintain written continuity of operations plans (COOP) that provide for continuation or restoration of such services following a disruption in critical information systems, communication systems, utility systems, or similar required support systems.
The COOP should incorporate:
a business impact analysis that addresses the maximum possible downtime for critical service delivery components and resources including: key personnel, facilities, components of electronic information and communication systems (e.g., voice and data network, hardware, and software), and vital electronic and hard copy records and materials;
to the extent practicable, alternate methods and procedures for accomplishing its program objectives in the absence of one or more of the critical service delivery components;
a security risk assessment to weigh the cost of implementing preventive measures against the risk of loss from not taking preventive action;
a recovery strategy assessment that documents realistic recovery alternatives and their estimated costs; and
reference to a disaster recovery plan that provides for the continuation or restoration of electronic information and communication systems as described later in this section.
Key aspects of the COOP should be tested or exercised at least annually and updated as necessary to assure the plan’s continued viability. Results of such tests and exercises should be documented and retained until the end of the current fiscal year, plus three years (see NIST 800-53 CP).
Technology Resources shall prepare and maintain a written and cost-effective disaster recovery plan that addresses key infrastructure components in its custody. The plan should provide for the prompt and effective continuation or restoration of critical university information systems and processes if a disaster were to occur that might otherwise severely disrupt these systems and processes. The plan should provide for the scheduled backup of mission critical information and for the off-site storage of that backup in a secure, environmentally-safe and locked facility accessible only to authorized IT staff. The plan should also identify other key continuation and recovery strategies, required resources, alternate sources of required resources, as well as measures employed to minimize harmful impacts. Technology Resources shall exercise or test key aspects of the disaster recovery plan and make periodic updates as necessary to assure its viability (see NIST 800-53 CP).
Owners and custodians of departmental information resources are responsible for disaster recovery plans associated with those resources. The plans should include regular schedules for making backup copies of all data and software resident in their systems and for ensuring that the backups are stored in a safe location. Users are responsible for ensuring that the data and software resident on their personal computers are backed up as required by their individual circumstances. The security controls over the backup resources should be as stringent as the protection afforded to the primary resources. See the Server Backup and Recovery Guide available from the Information Security website or ITAC for assistance in the design of backup and recovery solutions.
PROCEDURES FOR COMPLIANCE
The VPIT shall commission periodic reviews of the university’s Information Security program for compliance with TAC 202 standards. Reviews will be conducted at least biennially by individuals independent of the Information Security program and will be based on business risk management decisions (see TAC 202.70).
Key aspects of the university’s Information Security program shall be a prominent component of any university program designed to encourage or enhance legal and policy compliance by university constituents.
REVIEWERS OF THIS UPPS
Reviewers of this UPPS include the following:
Position – Date
Chief Information Security Officer – April 1 E2Y
Director, Environmental Health, Safety & Risk Management – April 1 E2Y
Associate Vice President for Technology Resources – April 1 E2Y
Vice President for Information Technology and Chair, Campus Information Resource Advisory Council – April 1 E2Y
This UPPS has been approved by the following individuals in their official capacities and represents Texas State policy and procedure from the date of this document until superseded.
Chief Information Security Officer; senior reviewer of this UPPS
Vice President for Information Technology