(a) The agency head of each state agency is ultimately responsible for the agency's information resources.
(b) The agency head or their designated representative shall:
  (1) designate an Information Security Officer who has the explicit authority and the duty to administer the information security requirements of this chapter agency wide;
  (2) allocate resources for ongoing information security remediation, implementation, and compliance activities that reduce risk to a level acceptable to the agency head;
  (3) ensure that senior agency officials and information-owners, in collaboration with the Information Resources Manager and Information Security Officer, support the provision of information security for the information systems that support the operations and assets under their direct or indirect (e.g., cloud computing or outsourced) control;
  (4) ensure that the state agency has trained personnel to assist the agency in complying with the requirements of this chapter and related policies;
  (5) ensure that senior agency officials support the state agency Information Security Officer in developing, at least annually, a report on the state agency information security program, as specified in §202.21(b)(10) and §202.23(a) of this chapter;
  (6) approve high residual risk management decisions as required by §202.25(4) of this chapter;
  (7) review and approve at least annually the agency information security program required under §202.24 of this chapter; and
  (8) ensure that information security management processes are integrated with state agency strategic and operational planning processes.

Source Note: The provisions of this §202.20 adopted to be effective March 17, 2015, 40 TexReg 1357; amended to be effective November 17, 2021, 46 TexReg 7775