URP: I.19.k Information Security Program


STATEMENT OF PURPOSE

This document establishes the information security program regulations and procedures. The purpose of these regulations and procedures is to manage Texas Woman’s University’s (TWU) risk of compromise of sensitive information through loss of integrity or confidentiality, by establishing an information security program.


DEFINITIONS

Enterprise Architecture is the model by which all information systems are implemented into TWU’s environment.

Threats are the possible dangers that an information system might be attacked or used in an unauthorized manner.


SCOPE

These regulations and procedures are applicable to all information resources owned or operated by TWU. All users are responsible for adhering to this policy. Where needed or appropriate, information regarding roles, responsibilities, management commitment, and coordination among organizational entities is embedded within these procedures.


REGULATIONS AND PROCEDURES

The State of Texas has chosen to adopt the information security program principles established in the NIST SP 800-53 “Program Management” control family guidelines. The following subsections outline the information security program standards that constitute TWU’s regulations and procedures.

  • PM-1 Information Security Program Plan
    • Regulations:
      • TWU must develop and disseminate an organization-wide information security program plan that:
        • Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
        • Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
        • Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical);
        • Is approved by the appropriate person;
        • Is reviewed and updated annually; and
        • Is securely shared with appropriate individuals.
    • Procedures:
      • The Office of Technology (OOT) maintains TWU’s information security program plan, which:
        • Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
        • Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
        • Reflects coordination among organizational entities responsible for the different aspects of information security;
        • Is updated annually by the Information Security Officer (ISO);
        • Is approved annually by the Chief Information Officer (CIO); and
        • Is securely shared with appropriate individuals.
  • PM-2 Senior Information Security Officer
    • Regulations:
      • TWU appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
    • Procedures:
      • As required in TAC 202.71(a), the CIO appoints an Information Security Officer (ISO) and notifies the Texas Department of Information Resources.
  • PM-3 Information Security Resources
    • Regulations:
      • TWU must ensure that all capital planning and investment requests include the resources needed to implement the information security program, and must document all exceptions to this requirement.
    • Procedures:
      • The OOT Security Team performs a risk assessment on all technology purchases. The risk assessment includes recommendations for meeting or enhancing security standards.
  • PM-4 Plan of Action and Milestones Process
    • Regulations:
      • TWU must implement a process for ensuring that plans of action, including milestones, for the information security program are developed, documented, and executed.
    • Procedures:
      • The OOT Security Team uses the OOT project management system to record plans of action and includes milestones when appropriate.
      • Plans of action older than 90 days must be reviewed by the ISO.
  • PM-5 Information System Inventory
    • Regulations:
      • TWU must develop and maintain an inventory of its information systems.
    • Procedures:
      • The OOT Denton Client Service Manager maintains an inventory of TWU’s information systems.
  • PM-6 Information Security Measures of Performance
    • Regulations:
      • TWU must develop and maintain reports on the results of information security measures of performance.
    • Procedures:
      • The OOT Security Team develops and maintains reports on the results of information security measures of performance.
  • PM-7 Enterprise Architecture
    • Regulations:
      • TWU must develop its information systems architecture with consideration for information security and the resulting risk to TWU operations, assets, individuals, other organizations, and the nation.
    • Procedures:
      • The OOT Security Team reviews new information systems as needed, and critical information systems annually, to ensure the information security architecture is appropriate and up to date.
  • PM-16 Threat Awareness Program
    • Regulations:
      • TWU must implement an information security threat awareness program.
    • Procedures:
      • The OOT Security Team maintains an information security threat awareness program by sending emails on current threats monthly and as needed.

APPLICABILITY

TWU Students, Faculty, Staff, and Guests

COMPLIANCE

Violation of this policy may result in disciplinary action, which may include: termination for employees and temporaries; termination of the employment relationship in the case of contractors or consultants; termination of access; legal action; termination for interns and volunteers; disciplinary review; and suspension or expulsion in the case of a student.

SPECIAL NOTES

Department of Information Resources Security Standards Catalog http://publishingext.dir.texas.gov/portal/internal/resources/DocumentLibrary/Security%20Control%20Standards%20Catalog.pdf

DETAILS

Article ID: 56379
Created: Fri 6/22/18 10:52 AM
Modified: Mon 3/25/19 11:18 AM