(a) Information owners, custodians, and users of information resources shall, in consultation with the state agency Information Resources Manager and Information Security Officer, be identified and their responsibilities defined and documented by the state agency. The following distinctions among owner, custodian, and user responsibilities should guide determination of these roles:
(1) Information Owner Responsibilities. The owner or their designated representative(s) are responsible for:
(A) classifying information under their authority or responsibility, with the concurrence of the agency head or their designated representative(s), in accordance with the state agency's established information classification categories;
(B) approving access to information resources and periodically reviewing access lists based on documented risk management decisions;
(C) formally assigning custody of information or an information resource;
(D) coordinating data security control requirements with the Information Security Officer;
(E) conveying data security control requirements to custodians;
(F) providing authority to custodians to implement security controls and procedures;
(G) justifying, documenting, and being accountable for exceptions to security controls issued by the Information Security Officer for the information for which the Information Owner is responsible;
(H) coordinating and obtaining approval for exceptions to security controls with the state agency Information Security Officer; and
(I) performing risk assessments as provided under §202.25 of this chapter.
(J) Information owners, in coordination with the information custodian, shall ensure that information resources provide a clear and conspicuous prohibition against unauthorized access or use as detailed by Texas Penal Code §33.02(b-1).
(2) Information Custodian Responsibilities. Custodians of information resources, including third party entities providing outsourced information resources services to state agencies, shall:
(A) implement controls required to protect information and information resources required by this chapter based on the classification and risks specified by the information owner(s) or as specified by the policies, procedures, and standards defined by the state agency information security program;
(B) provide owners with information to evaluate the cost-effectiveness of controls and monitoring;
(C) adhere to monitoring techniques and procedures, approved by the Information Security Officer, for detecting, reporting, and investigating incidents;
(D) supply any information and/or documents necessary to provide appropriate information security training to employees; and
(E) ensure information is recoverable in accordance with risk management decisions.
(3) User Responsibilities. The user of information resources has the responsibility to:
(A) use the resource only for the purpose specified by the agency or information owner;
(B) comply with information security controls and agency policies to prevent unauthorized or accidental disclosure, modification, or destruction of information and information resources; and
(C) formally acknowledge that they will comply with the security policies and procedures in a method determined by the agency head or his or her designated representative.
(b) State agency information resources designated for use by the public shall be configured to enforce security policies and procedures without requiring user participation or intervention. Information resources must require the acceptance of a banner or notice prior to use.
Source Note: The provisions of this §202.22 adopted to be effective March 17, 2015, 40 TexReg 1357; amended to be effective November 17, 2021, 46 TexReg 7775