The following Information Resources Security Safeguards should apply to state agencies based on documented security risk management decisions.
- (1) Access to information resources shall be managed to ensure authorized use.
(2) Confidentiality of data and systems.
- (A) Confidential information shall be accessible only to authorized users. Information containing any confidential data shall be identified, documented, and protected in its entirety.
- (B) Information resources assigned from one state agency to another shall be protected in accordance with the conditions imposed by the providing state agency.
(3) Identification/Authentication.
- (A) Each user of information resources shall be assigned a unique identifier except for situations where risk analysis demonstrates no need for individual accountability of users. User identification shall be authenticated before the information resources system may grant that user access.
- (B) A user's access authorization shall be appropriately modified or removed when the user's employment or job responsibilities within the state agency change.
- (C) Information resources systems shall contain authentication controls that comply with documented state agency security risk management decisions.
- (D) Information resources systems which use passwords shall be based on industry best practices on password usage and documented state agency security risk management decisions.
- (E) For electronic communications where the identity of a sender or the contents of a message must be authenticated, the use of digital signatures is encouraged. Agencies should refer to guidelines and rules issued by the department for further information. (Ref. 1 T.A.C., Chapter 203. Additional information and guidelines are included in PART 2: Risks Pertaining to Electronic Transactions and Signed Records in "The Guidelines for the Management of Electronic Transactions and Signed Records" that are available at http://www.dir.state.tx.us/UETA_Guideline.htm.)
- (4) Encryption. Encryption for storage and transmission of information shall be used based on documented state agency security risk management decisions.
(5) Auditing.
- (A) Information resources systems must provide the means whereby authorized personnel have the ability to audit and establish individual accountability for any action that can potentially cause access to, generation of, modification of, or effect the release of confidential information.
- (B) Appropriate audit trails shall be maintained to provide accountability for updates to mission critical information, hardware and software and for all changes to automated security or access rules.
- (C) Based on the security risk assessment, a sufficiently complete history of transactions shall be maintained to permit an audit of the information resources system by logging and tracing the activities of individuals through the system.
(6) Systems development, acquisition, and testing.
- (A) Test functions shall be kept either physically or logically separate from production functions. Copies of production data shall not be used for testing unless the data has been declassified or unless all state and independent contractor employees involved in testing are otherwise authorized access to the data.
- (B) Information security and audit controls shall be included in all phases of the system development lifecycle or acquisition process.
- (C) All security-related information resources changes shall be approved by the owner through a quality assurance process. Approval must occur prior to implementation by the state agency or independent contractors.
(7) Security Policies. Each state agency head or his/her designated representative and information security officer shall create, distribute, and implement information security policies. The following policies are recommended; however, state agencies may elect not to implement some of the policies based on documented risk management decisions and business functions. These policies are not all inclusive and may be combined topically.
- (A) Acceptable Use--Defines scope, behavior, and practices; compliance monitoring pertaining to users of information resources.
- (B) Account Management--Establishes the rules for administration of user accounts.
- (C) Administrator/Special Access--Establishes rules for the creation, use, monitoring, control, and removal of accounts with special access privileges.
- (D) Backup/Recovery--Establishes the rules for the backup, storage, and recovery of electronic information.
- (E) Change Management--Establishes the process for controlling modifications to hardware, software, firmware, and documentation to ensure the information resources are protected against improper modification before, during, and after system implementation.
- (F) Email--Establishes prudent and acceptable practices regarding the use of email for the sending, receiving, or storing of electronic mail. Ensures compliance with applicable statutes, regulations, and mandates. The policy shall prohibit sending an individual's name along with any restricted personal information unless the data (individual's name and restricted personal information) is encrypted.
- (G) Incident Management--Describes the requirements for dealing with computer security incidents including prevention, detection, response, and remediation.
- (H) Internet/Intranet Use--Establishes prudent and acceptable practices regarding the use of the Internet and Intranet.
- (I) Intrusion Detection--Establishes requirements for auditing, logging, and monitoring to detect attempts to bypass the security mechanisms of information resources.
- (J) Network Access--Establishes the rules for the access and use of the network infrastructure.
- (K) Network Configuration--Establishes the rules for the maintenance, expansion, and use of the network infrastructure.
- (L) Password/Authentication--Establishes the rules for the creation, use, distribution, safeguarding, termination, and recovery of user authentication mechanisms.
- (M) Physical Access--Establishes the rules for the granting, control, monitoring, and removal of physical access to information resources.
- (N) Portable Computing--Establishes the rules for the use of mobile computing devices and their connection to the network.
- (O) Privacy--Methodologies used to establish the limits and expectations regarding privacy for the users of information resources.
- (P) Security Monitoring--Defines a process that ensures information resources security controls are in place, are effective, and are not being bypassed.
- (Q) Security Awareness and Training--Establishes the requirements to ensure each user of information resources receives adequate training on computer security issues.
- (R) Platform Hardening--Establishes the requirements for installing and maintaining the integrity of a platform in a secure fashion.
- (S) Authorized Software--Establishes the rules for software use on information resources.
- (T) System Development and Acquisition--Describes the security and business continuity requirements in the systems development and acquisition life cycle.
- (U) Vendor Access--Establishes the rules for vendor access to information resources, support services (Air Conditioning, Universal Power Supply, Power Distribution Unit, fire suppression, etc.), and vendor responsibilities for protection of information.
- (V) Malicious Code--Describes the requirements for prevention, detection, response, and recovery from the effects of malicious code (including but not limited to viruses, worms, Trojan Horses, and unauthorized code used to circumvent safeguards.)
(W) Wireless Access--Establishes the requirements and security restrictions for installing or providing access to the state agency information resources systems. Using the wireless security guidelines, the policy shall address the following topics areas:
- (i) For Wireless Local Area Networks, ensure that Service Set Identifiers (SSID) values are changed from the manufacturer default setting. Some networks should not include organizational or location information in the SSID. Additional equipment configuration recommendations are included in the Wireless Security Guidelines.
- (ii) Types of information that may be transmitted via wireless networks and devices with or without encryption. State agencies shall not allow access to confidential information, mission critical information or restricted personal information unless the cryptographic keys used are larger than 80-bits (See §3.3 Security of 802.11 Wireless LANs in the Wireless Security Guidelines).
- (iii) Types of information that may be stored on laptop computers or wireless handheld devices with or without encryption.
- (iv) Prohibit the installation of Wireless Personal Area Networks on state agency IT systems by individuals without the approval of the state agency information resources manager.
- (X) Vulnerability Assessment--Establishes the requirements to conduct periodic information vulnerability assessments and specific focus areas for the assessments based on the results of the security risk assessment.
(8) Perimeter Security Controls. Each state agency head or his/her designated representative and information security officer shall establish a perimeter protection strategy to include some or all of the following components.
- (A) DMZ (Demilitarized Zone)--The DMZ is the network area created between the public Internet and internal private network(s). This neutral zone is usually delineated by some combination of routers, firewalls, and bastion hosts. Typically, the DMZ contains devices accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (email) servers, and DNS servers.
- (B) Firewall--A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both and are used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially Intranets. They can also regulate traffic between networks within the same state agency.
- (C) Intrusion Detection System--Hardware and/or software which is installed on a network and compares network traffic and host log entries to the known and likely methods of attackers. Suspicious activities trigger administrator alarms and other configurable responses.
- (D) Router--A device or, in some cases, software in a computer, that determines the next network point to which a packet should be forwarded toward its destination. The router is connected to at least two networks and decides which way to send each information packet based on its current understanding of the state of the networks to which it is connected. A router is located at any gateway where one network meets another.
(9) System Identification/Logon Banner. System identification/logon banners shall have warning statements that include the following topics:
- (A) Unauthorized use is prohibited;
- (B) Usage may be subject to security testing and monitoring;
- (C) Misuse is subject to criminal prosecution; and
- (D) No expectation of privacy except as otherwise provided by applicable privacy laws.
Source Note:The provisions of this §202.25 adopted to be effective November 28, 2004, 29 TexReg 10703; amended to be effective April 24, 2006, 31 TexReg 3373.