(a) Information owners, custodians, and users of information resources shall, in consultation with the institution Information Resources Managers and Information Security Officer, be identified and their responsibilities defined and documented by the state institution of higher education. The following distinctions among owner, custodian, and user responsibilities should guide determination of these roles:
(1) Information Owner Responsibilities. The owner or their designated representative(s) are responsible for:
(A) classifying information under their authority or responsibility, with the concurrence of the agency head or their designated representative(s), in accordance with the institution of higher education's established information classification categories;
(B) approving access to information resources and periodically reviewing access lists based on documented risk management decisions;
(C) formally assigning custody of information or an information resource;
(D) coordinating data security control requirements with the Information Security Officer;
(E) conveying data security control requirements to custodians;
(F) providing authority to custodians to implement security controls and procedures;
(G) justifying, documenting, and being accountable for exceptions to security controls issued by the Information Security Officer for the information for which the Information Owner is responsible;
(H) coordinating and obtaining approval for exceptions to security controls with the agency Information Security Officer;
(I) performing risk assessments as provided under §202.75 of this subchapter; and
(J) ensuring, in coordination with the information custodian, that information resources provide a clear and conspicuous prohibition against unauthorized access or use as detailed by Texas Penal Code § 33.02(b-1).
(2) Information Custodian Responsibilities. Custodians of information resources, including third-party entities providing outsourced information resources services to state institutions of higher education, shall:
(A) implement controls required to protect information and information resources required by this chapter based on the classification and risks specified by the information owner(s) or as specified by the policies, procedures, and standards defined by the institution of higher education information security program;
(B) provide owners with information to evaluate the cost-effectiveness of controls and monitoring;
(C) adhere to monitoring techniques and procedures, approved by the Information Security Officer, for detecting, reporting, and investigating incidents;
(D) supply any information and/or documents necessary to provide appropriate information security training to employees; and
(E) ensure information is recoverable in accordance with risk management decisions.
(3) User Responsibilities. The user of information resources has the responsibility to:
(A) use the resource only for the purpose specified by the institution or information owner;
(B) comply with information security controls and institutional policies to prevent unauthorized or accidental disclosure, modification, or destruction of information and information resources; and
(C) formally acknowledge that they will comply with the security policies and procedures in a method determined by the institution head or his or her designated representative.
(b) Institution information resources designated for use by the public shall be configured to enforce security policies and procedures without requiring user participation or intervention. Information resources must require the acceptance of a banner or notice prior to use.
Source Note: The provisions of this §202.72 adopted to be effective March 17, 2015, 40 TexReg 1357; amended to be effective November 17, 2021, 46 TexReg 7775