PM-1: Information Security Program Plan
DIR Required By: 07/20/2023
Review Date: 07/31/2024
Purpose –
The Information Security Program Plan is a formal document that provides an overview of the security requirements for the Tarleton State University (Tarleton) information security program. This family of controls describes requirements related to the Information Security Program Plan.
Scope and Roles –
This policy applies to information resources owned or managed by Tarleton. The intended audience includes the Tarleton Chief Information Officer (CIO), Chief Information Security Officer (CISO), and information resource owners and custodians.
Compliance –
The Information Security Program Plan and associated controls are implemented to ensure compliance with Title 1 Texas Administrative Code (TAC) §202.70, §202.71, §202.72, §202.73, §202.74, Texas Government Code (Tex Gov’t Code) §2054.133, the Texas Department of Information Resources (DIR) Security Control Standards Catalog as required by TAC §202.76, and Texas A&M University System (TAMUS) Regulation 29.01.03, Information Security.
Implementation –
- Tarleton Security Program and Plans
- The Tarleton CISO or their designee is responsible for:
- Documenting and disseminating procedures that address the Information Security Program Plan family of controls;
- Developing an Information Security Program Plan that satisfies the requirements of TAC 202, as required by TAC §202.71, Tex Gov’t Code §2054.133 and TAMUS Regulation 29.01.03, Information Security;
- Annually reviewing and updating the Information Security Program Plan informed by ongoing risk assessments and considering changes in business, technology, threats, incidents, and Tarleton priorities;
- Delivering the Tarleton Information Security Program Plan to the DIR before June 1st of every even-numbered year as required by TAC §202.73 and Tex Gov’t Code §2054.133; and
- Ensuring that the Information Security Program Plan is independently reviewed every two years at a minimum as required by TAC §202.70, §202.71, and §202.76.
- The Tarleton Information Security Program Plan must be approved by the Tarleton CEO/President as required by TAC §202.73, and TAMUS Regulation 29.01.03, Information Security.
- The Information Security Program Plan must be protected from unauthorized disclosure and modification.
- Information Security Responsibility and Accountability
- The Tarleton CISO –
The Tarleton CEO/President is responsible for designating a Chief Information Security Officer (CISO) who has the explicit authority and duty to administer the information security requirements of TAC §202 across the institution. The CISO shall fulfill the detailed responsibilities established by TAC §202, including providing required reports to the CEO/President and/or DIR.
- Information Resource Owners –
Tarleton information resource owners shall fulfill the detailed responsibilities established by TAC §202 and the CISO. The CISO will help ensure that information owners have appropriate training, standards, guidance, and assistance to comply with these responsibilities. Significant information owner responsibilities include, but are not limited to:
- Inventory and classify information under their authority according to Control RA-2, Security Categorization; and
- Perform the risk assessments provided in Control RA-3, Risk Assessment, including identifying, recommending, and documenting acceptable risk levels for information resources under their authority.
- Information Resource Custodians –
Tarleton information resource custodians shall fulfill the detailed responsibilities established by TAC §202 and the CISO. Information resource owners will help ensure that information custodians have appropriate training, standards, guidance, and assistance to comply with these responsibilities. Information resource custodian responsibilities include, but are not limited to:
- Implement approved controls and access to information resources under their care; and
- Adhere to information security policies and procedures to manage risk levels for information resources.
- Users of Information Resources –
Users of university information resources shall fulfill the detailed responsibilities established by TAC §202, including but not limited to:
- Use the information resources only for the purpose(s) specified by the university or information owner;
- Comply with information security controls, system standards, and applicable university guidelines or standards to prevent unauthorized or accidental disclosure, modification, or destruction; and
- Formally acknowledge that they will comply with university information security requirements in a method determined by the President.
- Users of system or member information resources who fail to comply with these university information security requirements are subject to disciplinary action, up to and including termination of employment.
- Annual Risk Assessment
- Tarleton shall annually conduct and document a university-wide information security risk assessment as required by TAC §202. The assessment shall be presented to the President or designee, in accordance with Control RA-3, Risk Assessment. The purpose of the annual risk assessment is to identify, evaluate, and document the level of impact on the university’s mission, functions, image, reputation, assets, or individuals that may result from the operation of the university’s information systems.
- Security Awareness Education and Training
- All users of Tarleton information resources shall complete information security awareness training (See Control AT-2, Literacy Training and Awareness).