(a) Each Information Security Officer shall directly report to the agency head, at least annually, on the adequacy and effectiveness of information security policies, procedures, practices, compliance with the requirements of this chapter, and:
  (1) effectiveness of current information security program and status of key initiatives;
  (2) residual risks identified by the state agency risk management process; and
  (3) state agency information security requirements and requests.
(b) Each state agency shall submit to the department a Biennial Information Security Plan in accordance with Texas Government Code § 2054.133.
(c) At least every two years, each state agency shall complete and submit an information security assessment in compliance with the requirements of Texas Government Code § 2054.515 and this subsection.
  (1) The agency's Biennial Information Security Plan may be considered to satisfy the information security assessment requirements of Texas Government Code § 2054.515(a)(1) if the agency's Biennial Information Security Plan assesses:
    (A) The security of the agency's information resources systems, network systems, and digital data storage systems;
    (B) The measures in place to establish digital data security; and
    (C) The vulnerabilities of the agency's information resources, including an evaluation determining how well the organization's security policies protect its data and information systems.
  (2) To comply with Texas Government Code § 2054.515(a)(2), a state agency must complete a data maturity assessment in alignment with the requirements established at 1 Texas Administrative Code § 218.10.
  (3) Upon completion of its information security assessment, a state agency shall report the results of its assessment to the department in the form and manner identified by the department. A state agency must comply with a request for the results of its assessment received from the Office of the Governor, Lieutenant Governor, or speaker of the House of Representatives.
(d) Each state agency shall assess the significance of a security incident based on the business impact on the affected resources and the current and potential technical effect of the incident (e.g., loss of revenue, productivity, access to services, reputation, unauthorized disclosure of confidential information, or propagation to other networks). Security incidents shall be promptly reported to immediate supervisors and the agency Information Security Officer.
  (1) A state agency shall report security incidents to the department within 48 hours of discovery in the form and manner specified by the department where the security incident is assessed to:
    (A) propagate to other state systems;
    (B) result in criminal violations that shall be reported to law enforcement in accordance with state or federal information security or privacy laws;
    (C) involve the unauthorized disclosure or modification of confidential information, e.g., sensitive personal information as defined in Texas Business and Commerce Code § 521.002(a)(2) and other applicable laws that may require public notification; or
    (D) be an unauthorized incident that compromises, destroys, or alters information systems, applications, or access to such systems or applications in any way.
  (2) If the security incident is assessed to involve suspected criminal activity (e.g., violations of Texas Penal Code Chapter 33 or Texas Penal Code Chapter 33A), the state agency shall contact law enforcement, as required, and the security incident shall be investigated, reported, and documented in accordance with the legal requirements for handling of evidence.
  (3) Depending on the nature of the incident, it will not always be feasible to gather all the information prior to reporting. In such cases, incident response teams shall continue to report information to the department as it is collected. The department shall instruct state agencies as to the manner in which they shall report such information to the department. Supporting vendors or other third parties that report security incident information to an agency shall submit such reports to the agency in the form and manner specified by the department, unless otherwise directed by the agency. Agencies shall ensure that compliant reporting requirements are included in any contract where incident reporting may be necessary.
  (4) Ten days after the date of the eradication, closure, and recovery from a security incident, a state agency shall notify the department and the chief information security officer in the form and manner prescribed by the department of the security incident details and an analysis of the security incident cause.
(e) A local government shall report security incidents that are assessed by the entity to meet the criteria listed in subsection (d)(1) of this section to the department within 48 hours of discovery.
  (1) A local government must submit its report of the security incident in the form and manner specified by the department.
  (2) A local government is not required to report a security incident described by subsection (d) of this section where statute expressly states that compliance with the department reporting requirements is excluded for a security incident of that type.
  (3) Ten days after the date of the eradication, closure, and recovery from a security incident, a local government shall notify the department and the chief information security officer in the form and manner prescribed by the department of the security incident details and an analysis of the security incident cause.

Source Note: The provisions of this §202.23 adopted to be effective March 17, 2015, 40 TexReg 1357; amended to be effective March 16, 2016, 41 TexReg 1831; amended to be effective November 17, 2021, 46 TexReg 7775; amended to be effective November 16, 2023, 48 TexReg 6579