URP: I.19.j Information Security Planning


STATEMENT OF PURPOSE

This document establishes the information security planning regulations and procedures. The purpose of these regulations and procedures is to manage Texas Woman’s University’s (TWU) risk from inadequate security planning through the establishment of an effective security planning program.


DEFINITIONS

Authorization Boundary is all of the components of an information system to be authorized for operation.


SCOPE

These regulations and procedures apply to all information resources owned or operated by TWU. All users are responsible for adhering to this policy. Where needed or appropriate, information regarding roles, responsibilities, management commitment, and coordination among organizational entities is embedded within these procedures.


REGULATIONS AND PROCEDURES

The State of Texas has chosen to adopt the information security planning principles established in the NIST SP 800-53 “Security Planning” control family guidelines. The following subsections outline the Security Planning standards that constitute TWU’s regulations and procedures.

  • PL-1 Security Planning: 
    • Regulations:
      • TWU must develop, adopt, and annually update and review a documented security plan that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
    • Procedures:
      • As required by TAC 202.71(d)(4), the Office of Technology (OOT) will develop, adopt, update, and maintain an information security plan.
      • The Information Security Officer (ISO) will review the information security plan with the Chief Information Officer (CIO) annually.
  • PL-2 System Security Plan: 
    • Regulations:
      • TWU must develop an information security plan that:
        • Is consistent with the organization’s enterprise architecture;
        • Explicitly defines the authorization boundary for each information system;
        • Describes the operational context of the information system in terms of missions and business processes;
        • Provides the security categorization of the information system including supporting rationale;
        • Describes the operational environment for the information system and relationships with or connections to other information systems;
        • Provides an overview of the security requirements for the information system;
        • Identifies any relevant overlays, if applicable;
        • Describes the security controls in place or planned for meeting those requirements, including a rationale for the tailoring and supplementation decisions;
        • Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; and
        • Is updated to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.
      • TWU must securely share the information security plan with appropriate individuals.
    • Procedures:
      • The Office of Technology (OOT) will maintain an information security plan that:
        • Is consistent with the organization’s enterprise architecture;
        • Explicitly defines the authorization boundary for each information system;
        • Describes the operational context of the information system in terms of missions and business processes;
        • Provides the security categorization of the information system including supporting rationale;
        • Describes the operational environment for the information system and relationships with or connections to other information systems;
        • Provides an overview of the security requirements for the information system;
        • Identifies any relevant overlays, if applicable;
        • Describes the security controls in place or planned for meeting those requirements, including a rationale for the tailoring and supplementation decisions;
        • Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; and
        • Is updated to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.
      • The OOT Security Team shares the plan on a secured server with the ISO and CIO.

APPLICABILITY

TWU Students, Faculty, Staff, and Guests

COMPLIANCE

Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; termination of the employment relationship in the case of contractors or consultants; termination of access; legal action; termination for interns and volunteers; disciplinary review; and suspension or expulsion in the case of a student.


SPECIAL NOTES

Department of Information Resources Security Standards Catalog http://publishingext.dir.texas.gov/portal/internal/resources/DocumentLibrary/Security%20Control%20Standards%20Catalog.pdf


DETAILS

Article ID: 56378
Created: Fri 6/22/18 10:51 AM
Modified: Mon 3/25/19 11:18 AM