Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved
(A) The responsibilities of a position with respect to security and
risk management shall be commensurate with its authority.
Descriptions of security roles and responsibilities for agency
personnel shall be included in written position descriptions and
compiled in the agency security manual developed and maintained by
the information security function.
(B) The information security function. Each agency head, or the
information resources manager acting on delegated authority, shall
institute an information security function to administer the agency
information security program. It shall be the duty and
responsibility of this function to establish all procedures and
practices necessary to ensure the security of information assets
against unauthorized or accidental modification, destruction or
disclosure. The information security function within each agency
shall document and maintain an up-to-date internal information
security program. The agency security program shall include written
internal policies and procedures for the protection of information
resources, be an instrument implementing state information security
policies and standards, be applicable to all elements of the
agency and be signed by the information resources manager or the
agency head.
(C) Owners, custodians, and users of information. The Information
Resources Management Act makes it clear that information and
information resources residing in the various agencies of state
government are assets owned by the people of Texas. For the purpose
of information resources security and risk management, the concept
of owners, custodians and users of information resources, and their
surrogate responsibilities to the people of Texas, is utilized in
the development of an information security program. The
effectiveness of the program depends to a large extent on the
correct identification of those surrogate owners, custodians, and
users of information. Owners, custodians and users of data,
software and other information resources shall be identified,
documented and their responsibilities defined. All resources shall
be assigned an owner. In cases where data or software is aggregated
for purposes of ownership, the aggregation shall be at a level
which assures individual accountability. The following distinctions
among owner, custodian, and user responsibilities should guide
determination of these roles:
(i) Owner responsibilities. The owner of information resources is
the designated individual upon whom responsibility rests for
carrying out the program that uses the resources. That person
is referred to herein as a program manager. The owner, or
program manager, is responsible and authorized to: approve
access and formally assign custody of the asset; judge the
asset's value; specify data control requirements and convey
them to users and custodians; and ensure compliance with
applicable controls. Ownership responsibilities apply in the
development of outsourcing contracts with private firms or
with other agencies. These contracts must specify appropriate
controls, based on risk assessment, to ensure protection of
the state's confidential or sensitive information files,
databases and software from unauthorized modification,
deletion or disclosure.
(ii) Custodian responsibilities. A custodian is the agent in
charge of the organizational unit providing technical
facilities, data processing and other support services to
owners and users of automated information. The custodian of
information resources is assigned the responsibility to:
implement the controls specified by the owner; provide
physical and procedural safeguards for the information
resources within the facility; assist owners in evaluating
the cost-effectiveness of controls; administer access to the
information resources; and make provisions for timely
detection, reporting, and analysis of unauthorized attempts
to gain access to information resources. Custodial
responsibilities apply to all entities providing outsourcing
services to state agencies.
(iii) User responsibilities. The users of information resources
have the responsibility to: use the resource only for the
purposes specified by its owner; comply with controls
established by the owner; and prevent disclosure of
confidential or sensitive information.
(D) The agency information security function, acting on behalf of the
agency head and with cooperation from program and technical
management, shall assign information asset ownership and ownership
responsibilities for all information resources within the agency.
(E) Program managers, having been assigned information resource
ownership, shall assign custody of program assets to appropriate
technical and data center managers and ensure they are provided the
appropriate direction to implement the security controls and
procedures that have been defined.
(F) Technical managers, assigned information resource custodianship,
are charged with executing the monitoring techniques and procedures
for detecting, reporting and investigating breaches in information
asset security.
(G) An internal audit of the information security function shall be
performed periodically, based on risk assessment, as directed by
the agency head or the information resources manager acting on
delegated authority for risk management decisions.