- (a) The state agency head or his or her designated representative(s) shall review and approve ownership of information resources and their associated responsibilities.
- (b) The owner of an information resource, with the state agency head's or his or her designated representative's(s') concurrence, is responsible for classifying business functional information. State agencies are responsible for defining all information classification categories except the Confidential Information category, which is defined in Subchapter A of this chapter, and establishing the appropriate controls for each.
(c) Owners, custodians, and users of information resources shall be identified, and their responsibilities defined and documented by the state agency. In cases where information resources are used by more than one major business function, the owners shall reach consensus and advise the information security function as to the designated owner with responsibility for the information resources. The following distinctions among owner, custodian, and user responsibilities should guide determination of these roles:
(1) Owner Responsibilities. The owner or his or her designated representatives(s) are responsible for and authorized to:
- (A) Approve access and formally assign custody of an information resources asset;
- (B) Determine the asset's value;
- (C) Specify data control requirements and convey them to users and custodians;
- (D) Specify appropriate controls, based on risk assessment, to protect the state's information resources from unauthorized modification, deletion, or disclosure. Controls shall extend to information resources outsourced by the state agency.
- (E) Confirm that controls are in place to ensure the accuracy, authenticity, and integrity of data.
- (F) Ensure compliance with applicable controls;
- (G) Assign custody of information resources assets and provide appropriate authority to implement security controls and procedures.
- (H) Review access lists based on documented security risk management decisions.
(2) Custodian responsibilities. Custodians of information resources, including entities providing outsourced information resources services to state agencies must:
- (A) Implement the controls specified by the owner(s);
- (B) Provide physical and procedural safeguards for the information resources;
- (C) Assist owners in evaluating the cost-effectiveness of controls and monitoring; and
- (D) Implement the monitoring techniques and procedures for detecting, reporting, and investigating incidents.
- (3) User responsibilities. Users of information resources shall use the resources only for defined purposes and comply with established controls.
(d) The Information Security Officer. Each state agency head or his or her designated representative(s) shall designate an information security officer to administer the state agency information security program. The Information Security Officer shall report to executive level management.
- (1) It shall be the duty and responsibility of this individual to develop and recommend policies and establish procedures and practices, in cooperation with owners and custodians, necessary to ensure the security of information resources assets against unauthorized or accidental modification, destruction, or disclosure.
- (2) The Information Security Officer shall document and maintain an up-to-date information security program. The information security program must be approved by the state agency head or his or her designated representative(s).
- (3) The Information Security Officer is responsible for monitoring the effectiveness of defined controls for mission critical information.
- (4) The Information Security Officer shall report, at least annually, to the state agency head or his or her designated representative(s) the status and effectiveness of information resources security controls.
- (e) A review of the state agency's information security program for compliance with these standards will be performed at least annually, based on business risk management decisions, by individual(s) independent of the information security program and designated by the state agency head or his or her designated representative(s).
Source Note:The provisions of this §202.21 adopted to be effective November 28, 2004, 29 TexReg 10703.