(a) Each Information Security Officer shall directly report to the agency head, at least annually, on the adequacy and effectiveness of information security policies, procedures, practices, compliance with the requirements of this chapter, and:
(1) effectiveness of current information security program and status of key initiatives;
(2) residual risks identified by the institution of higher education risk management process; and
(3) institution of higher education information security requirements and requests.
(b) Each institution of higher education shall submit to the department a Biennial Information Security Plan in accordance with Texas Government Code §2054.133.
(c) At least every two years, each institution of higher education shall complete and submit an information security assessment in compliance with the requirements of Texas Government Code §2054.515 and this subsection.
(1) The institution of higher education's Biennial Information Security Plan may be considered to satisfy the information security assessment requirements of Texas Government Code §2054.515(a)(1) if the institution's Biennial Information Security Plan assesses:
(A) The security of the institution's information resources systems, network systems, and digital data storage systems;
(B) The measures in place to establish digital data security; and
(C) The vulnerabilities of the institution's information resources, including an evaluation determining how well the organization's security policies protect its data and information systems.
(2) To comply with Texas Government Code §2054.515(a)(2), an institution of higher education must complete a data maturity assessment in alignment with the requirements established at 1 Texas Administrative Code §218.10.
(3) Upon completion of its information security assessment, an institution of higher education shall report the results of its assessment to the department in the form and manner identified by the department. An institution of higher education must comply with a request for the results of its assessment received from the Office of the Governor, Lieutenant Governor, or speaker of the House of Representatives.
(d) Each state institution of higher education shall assess the significance of a security incident based on the business impact on the affected resources and the current and potential technical effect of the incident (e.g., loss of revenue, productivity, access to services, reputation, unauthorized disclosure of confidential information, or propagation to other networks). Confirmed or suspected incidents shall be reported to immediate supervisors and the institution of higher education Information Security Officer.
(1) An institution of higher education shall report security incidents to the department within 48 hours of discovery in the form and manner specified by the department where the security incident is assessed to:
(A) propagate to other state systems;
(B) result in criminal violations that shall be reported to law enforcement in accordance with state or federal information security or privacy laws;
(C) involve the unauthorized disclosure or modification of confidential information, e.g., sensitive personal information as defined in Texas Business and Commerce Code §521.002(a)(2) and other applicable laws that may require public notification; or
(D) be an unauthorized incident that compromises, destroys, or alters information systems, applications, or access to such systems or applications in any way.
(2) If the security incident is assessed to involve suspected criminal activity (e.g., violations of Texas Penal Code Chapters 33 or 33A), the institution of higher education shall contact law enforcement, as required, and the security incident shall be investigated, reported, and documented in accordance with the legal requirements for handling of evidence.
(3) Depending on the nature of the incident, it will not always be feasible to gather all the information prior to reporting. In such cases, incident response teams shall continue to report information to the department as it is collected. The department shall instruct state institutions of higher education as to the manner in which they shall report such information to the department. Supporting vendors or other third parties that report security incident information to an institution of higher education shall submit such reports to the institution of higher education in the form and manner specified by the department, unless otherwise directed by the institution of higher education. Institutions of higher education shall ensure that compliant reporting requirements are included in any contract where incident reporting may be necessary.
(4) Ten days after the date of the eradication, closure, and recovery from a security incident, an institution of higher education shall notify the department and the chief information security officer in the form and manner prescribed by the department of the security incident details and an analysis of the security incident cause.
Source Note: The provisions of this §202.73 adopted to be effective March 17, 2015, 40 TexReg 1357; amended to be effective March 16, 2016, 41 TexReg 1831; amended to be effective November 17, 2021, 46 TexReg 7775; amended to be effective November 16, 2023, 48 TexReg 6579