RULE §202.71 Responsibilities of Information Security Officer


Published: 2015

(a) Each institution of higher education shall have a designated Information Security Officer (ISO), and shall provide that its Information Security Officer:
  (1) reports to executive level management;
  (2) has authority for information security for the entire institution;
  (3) possesses training and experience required to administer the functions described under this chapter; and
  (4) whenever possible, has information security duties as that official's primary duty.
(b) The Information Security Officer shall be responsible for:
  (1) developing and maintaining an institution-wide information security plan as required by §2054.133, Texas Government Code;
  (2) developing and maintaining information security policies and procedures that address the requirements of this chapter and the institution's information security risks;
  (3) working with the business and technical resources to ensure that controls are utilized to address all applicable requirements of this chapter and the institution's information security risks;
  (4) training and overseeing personnel with significant responsibilities for information security with respect to such responsibilities;
  (5) providing guidance and assistance to senior institution of higher education officials, information owners, information custodians, and end users concerning their responsibilities under this chapter;
  (6) ensuring that annual information security risk assessments are performed and documented by information-owners;
  (7) reviewing the institution's inventory of information systems and related ownership and responsibilities;
  (8) developing and recommending policies and establishing procedures and practices, in cooperation with the institution Information Resources Manager, information-owners and custodians, necessary to ensure the security of information and information resources against unauthorized or accidental modification, destruction, or disclosure;
  (9) coordinating the review of the data security requirements, specifications, and, if applicable, third-party risk assessment of any new computer applications or services that receive, maintain, and/or share confidential data;
  (10) verifying that security requirements are identified and risk mitigation plans are developed and contractually agreed and obligated prior to the purchase of information technology hardware, software, and systems development services for any new high impact computer applications or computer applications that receive, maintain, and/or share confidential data;
  (11) reporting, at least annually, to the state institution of higher education head the status and effectiveness of security controls; and
  (12) informing the parties in the event of noncompliance with this chapter and/or with the institution's information security policies.
(c) The Information Security Officer, with the approval of the state institution of higher education head, may issue exceptions to information security requirements or controls in this chapter. Any such exceptions shall be justified, documented and communicated as part of the risk assessment process.


Source Note: The provisions of this §202.71 adopted to be effective March 17, 2015, 40 TexReg 1357