RULE §202.26 Security Control Standards Catalog

Published: 2015

(a) Mandatory Requirements. Mandatory security controls shall be defined by the department in a Control Standards document published on the department's website.

(b) Minimum Requirements for Security Controls. The controls required by subsection (a) shall include:
  (1) minimum information security requirements for all State information and information systems; and
  (2) standards to be used by all agencies to provide levels of information security according to risk levels.

(c) A review of the agency's information security program for compliance with these standards will be performed at least biennially, based on business risk management decisions, by individual(s) independent of the information security program and designated by the agency head or his or her designated representative(s).

(d) Development of Control Standards. Prior to publishing new or revised standards as required by subsections (a) and (b), the department shall:
  (1) solicit comment through the department's electronic communications channels for proposed standards from the Information Resource Managers, ITCHE, and Information Security Officers of agencies and institutes of higher education at least 30 days prior to publication of proposed standards;
  (2) after reviewing comments provided in paragraph (1), present proposed standards to the department's Board and obtain approval from the Board for publication; and
  (3) minimize the impact to an affected agency, to the extent possible by:
    (A) ensuring that such standards and guidelines do not require the use or procurement of specific products, including any specific hardware or software;
    (B) ensuring that such standards provide for flexibility to permit alternative solutions to provide equivalent levels of protection for identified information security risks; and
    (C) using flexible, performance-based standards and guidelines that permit the use of off-the-shelf commercially developed information security products.
  (4) New standards required by the department will have an effective date, not to exceed 18 months from the date of adoption, after which agencies are required to adhere to the new standard.
(e) Application of More Stringent Standards. The head of an agency may employ standards for the cost-effective information security of information and information resources within or under the supervision of that agency that are more stringent than the standards the department prescribes under this section if the more stringent standards:
  (1) contain at least the applicable standards issued by the department; or
  (2) are consistent with applicable federal law, policies and guidelines issued under state rule, industry standards, best practices, or deemed necessary to adequately protect the information held by the agency.

Source Note: The provisions of this §202.26 adopted to be effective March 17, 2015, 40 TexReg 1357