(a) Each Application Services Center Customer shall provide to the department the name, title, contact information, including emergency contact, of the designated employee(s) authorized to initiate, change, modify, or amend services. At a minimum it shall include:
  (1) Executive level technology officer such as a Chief Information Officer or Information Resources Manager; and
  (2) Customer Representative.
(b) Each Application Services Center Customer is responsible for ensuring that its use of Application Services Center services is in compliance with applicable law, policy, and procedures.
(c) Each state agency customer that receives funding through the state appropriations shall coordinate with the department and the Legislative Budget Board to establish anticipated needs for each subsequent biennium. In coordination with the department, the state agency shall consider:
  (1) Type and volume of future service; and
  (2) Planned IT projects.
(d) Audit notification.
  (1) Application Services Center Customers shall promptly notify the department whenever the customer becomes aware that an audit or compliance review is planned by external, internal, software vendor, or federal oversight auditors that will require audit assistance from the Application Services Center program Service Providers. In any event, where audit assistance is required, the Application Services Center Customer shall notify the department of planned audit or compliance review no less than five business days prior to anticipated start of audit or compliance review.
  (2) In performing audits, Application Services Center Customers shall endeavor to avoid unnecessary disruption of the DCS program operations and duplication of other audits. Therefore, Application Services Center Customers shall leverage SOC or comparable audits provided for under the Application Services Center contract, to the extent possible.
  (3) The state auditor, the department's internal auditors, a state agency's internal auditors, and if applicable, the Office of Inspector General of the agency, or federal auditors, may conduct audits or investigations of any entity receiving funds from the state directly under a contract or indirectly under a subcontract for Statewide Technology Center services.
  (4) An Application Services Center Customer may request copies of audit reports submitted to the department as required by the Statewide Technology Center services contract and governed by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) or successor group. The requesting Application Services Center Customer should submit the request to the department's designated audit representative. Due to the confidential nature of information in the report, the requesting Application Services Center Customer shall only distribute the report to its staff that have a legitimate business need for access to the report and may not distribute the report to external auditors or entities. External auditors that require access to a report in connection with an audit of a Application Services Center Customer must contact the department's designated audit representative and sign a non-disclosure agreement prior to receiving a copy of the report.
(e) Technology planning.
  (1) Each Application Services Center Customer will participate in an annual Application Services Center technology planning process based on instructions provided in the technology planning process as documented in the applicable Service Management Manual. This planning will relate to the services the Application Services Center Customer receives or expects to receive through the program.
  (2) All Application Services Center Customers shall follow the technology standards for hardware and software configurations as specified in the annual technology plan and Service Management Manual. Application Services Center Customers seeking exception to specified technology standards shall comply with the relevant Service Management Manual.
(f) Governance process.
  (1) All Application Services Customers will participate in the governance process designed to facilitate individual customer input into enterprise decisions that affect all customers. Each customer is assigned to a group of similar customers, called a "partner group", and that group will be given one membership position on each governance committee. Members of the partner group are expected to represent the interests of all partner group members in governance decisions.
  (2) Enterprise-level decisions and resolution of escalated Application Services Center Customer-specific issues shall be addressed through standing governance committees, organized by subject area and comprised of representatives from the department, DCS Customers, and service providers. Participation on committees is selected from each designated partner group.
(g) Confidential data.
  (1) Application Services Center Customer shall provide its specific confidentiality requirements as determined by the nature of the data stored in the Application Services Center program. Generally, the specific confidentiality requirements shall be appended to the interagency or interlocal contract. The applicable Service Management Manual shall provide additional documentation on the specific procedures, including the process Application Services Center Customers shall follow to identify confidential information.
  (2) In general, an Application Services Center Customer shall include in the interagency or interlocal agreement:
    (A) General notification as to the type of confidential data and the laws that guide in the handling of such data; and
    (B) Subsequent changes to laws that apply to previously identified confidential data.
(h) Security.
  (1) Application Services Center Customers shall comply with the Security Incident Management and Response process available in the Service Management Manual.
  (2) Application Services Center Customers shall be in compliance with 1 Texas Administrative Code Chapter 202.

Source Note: The provisions of this §215.42 adopted to be effective August 1, 2021, 46 TexReg 4681