Section 7: Information Resources

7.1 Information Resources Management

Scope: Faculty and Staff

Policy Statement

Lamar State College Orange’s (LSCO) information resources are vital academic and administrative assets which require appropriate safeguards to avoid compromising their confidentiality, integrity, and availability. As a public institution of higher education, LSCO is subject to various federal, state, and industry regulations that provide requirements and guidance for achieving this goal.
The purpose of this policy is to establish the framework on which LSCO’s information resources policies, standards, guidelines, and procedures are created and maintained.

Definitions

  1. A listing of initialisms used in this and other information resources policies can be found in Appendix A.
  2. A glossary with definitions of terms used in this and other information resources policies can be found in Appendix B.

Roles and Responsibilities

  1. President
    • The President may delegate some or all of the operational duties in Section 3(a)(2).
    • The President or designated representative shall:
      • Designate an Information Resources Manager (IRM) as required by Texas Government Code §2054.071, with the mission and resources to coordinate, implement, and maintain the College’s information resources.
      • Ensure that College personnel cooperate as necessary with the IRM to enable the IRM to perform their duties.
      • Appoint an Information Security Officer (ISO) with the mission and resources to coordinate, develop, implement, and maintain a College-wide information security program.
  2. Information Resources Manager (IRM)
    • The IRM has authority and oversight over the College’s information resources and use of information technology.
    • The IRM is part of the College’s executive management.
    • The IRM reports directly to the Vice President of Finance and Operations.
    • The IRM has the following responsibilities:
      • Preparing information resources operational reports in accordance with Texas Government Code §2054.074.
      • Overseeing the implementation of the College’s project management practices as they relate to information resources.
      • Overseeing and approving the College’s acquisition and use of information technology.
      • Maintaining information resources policies as described in Section 5 of this policy.
    • The IRM must maintain relevant knowledge and skills by participating in continuing professional education activities in accordance with the guidelines established by the Texas Department of Information Resources.
  3. Information Security Officer (ISO)
    • The ISO has authority over information security for LSCO.
    • The ISO reports directly to the Vice President for Finance and Operations.
    • The ISO must possess the appropriate training and experience required to administer the functions described in the College’s information resources policies.
    • The ISO’s primary duties are related to information security.
  4. Information Security Department
    • LSCO’s Information Security department (IS) is responsible for maintaining information standards, guidelines, and procedures related to information security.
  5. Information Technology Services Department
    • LSCO’s Information Technology Services department (ITS) is responsible for maintaining information resources standards, guidelines, and procedures related to IT operations and administration.

General

  1. Documentation for LSCO’s information resources policy framework is separated into four (4) categories of documentation: policies, standards, guidelines, and procedures.
  2. Information resources policies shall be managed formally as described in Section 5 of this policy.
  3. If standards, guidelines, or procedures are included in policy documents, they are also subject to the same policy management process as described in Section 5 of this policy.
  4. Standards, guidelines, or procedures referenced by policies but not directly included in policy shall be managed as described in Section 6 of this policy.

Information Resources Policy Management

  1. New and revised information resources policies shall originate from the IRM, the ISO, or a designated committee.
  2. The review and approval process is as follows:
    • Policies must be reviewed by the ISO prior to being submitted for approval.
    • Policies must be reviewed by the IRM prior to being submitted for approval.
    • LSCO has the option to forward the policy to general counsel, human resources, or other appropriate entities for review.
    • Policies must be reviewed by executive management and LSCO’s President grants final approval.
  3. Minor revisions to existing information resources policies shall originate from the IRM. Minor revisions include changes to the numbering sequence, minor grammatical edits, formatting changes, and updates to hyperlinks. These changes do not require approval under the process described in Section 5(b) of this policy.
  4. Information resources policies shall be reviewed and updated every 3 years at a minimum. Review of policies may also be triggered by changes to Texas State University System policies, federal and state laws, and other regulatory requirements.
  5. Unit procedures derived from information resources policies shall be reviewed annually and revised as necessary.

Information Resources Standards, Guidelines, and Procedures Management

  1. New and revised standards, guidelines, and procedures shall originate from the IRM, the ISO, or the Information Technology Services department.
  2. New and revised standards, guidelines, or procedures that impact only the Information Technology Services department require only IRM and ISO approval.
  3. New and revised standards, guidelines, or procedures that impact other units or the College as a whole require the timely approval of executive management.
  4. Minor revisions to existing standards, guidelines, and procedures require approval only from the IRM and ISO. Minor revisions include changes to the numbering sequence, minor grammatical edits, formatting changes, and updates to hyperlinks.
  5. Standards, guidelines, and procedures must be reviewed by the Information Technology Services department and the Information Security department annually and revised as necessary.

Related Policies, Regulations, Standards, and Guidelines


7.2 Appropriate Use of Information Resources

Scope: Faculty and Staff

1. Policy Statement

  1. Lamar State College Orange recognizes the importance of information resources and facilities to students, faculty, and staff. This policy establishes the appropriate use of information resources in order to:
    • achieve College-wide compliance with applicable statutes, regulations, and mandates regarding the management of information resources;
    • establish prudent and appropriate practices regarding the use of information resources; and
    • educate individuals about the responsibilities they assume when using Lamar State College Orange’s information resources.
  2. Governing laws, regulations, and policies include:
    • College policies, procedures, and standards that address the use of information resources and that prohibit harassment, plagiarism, or unethical conduct.
    • Texas State University System policies pertaining to information resources.
    • Laws pertaining to theft, copyright infringement, insertion of malicious software into computer systems, and other computer-related crimes.

2. Applicability

  1. This policy applies to LSCO faculty, staff, students, contractors, vendors, and anyone else who uses College information resources.
  2. This policy applies to all College information resources, regardless of where they reside.

3. General

  1. LSCO provides each of its authorized users with a computer account, known as an LSCO User ID, which facilitates access to LSCO’s information resources. In accepting an LSCO User ID or any other access ID, the recipient agrees to abide by applicable LSCO policies and federal, state, and local laws. LSCO reserves the right at any time to limit, restrict, or deny access to its information resources and to take disciplinary or legal action against anyone in violation of these policies or statutes.
  2. LSCO provides information resources for the purpose of accomplishing tasks related to the College’s mission. LSCO expects its faculty and staff to employ these resources as their first and preferred option for satisfying their business, research, or instructional needs.
  3. LSCO’s information resources are not a public forum.
  4. LSCO considers email a significant information resource and an appropriate mechanism for official College communication. LSCO provides official College email addresses and services to its students, faculty, staff, and organizational units for this purpose and to enhance the efficiency of educational and administrative processes. In providing these services, the College anticipates that email recipients will access and read College communications in a timely fashion.
  5. Subject to applicable College policies and procedures, students are allowed to use the College’s information resources for school-related purposes.
  6. LSCO employees are allowed to use the College’s information resources in the performance of their job duties and must adhere to all applicable College policies and federal, state, and local laws. State law and College policy permit incidental personal use of College information resources, subject to review and reasonable restrictions by the employee’s supervisor.
  7. Censorship is not compatible with LSCO’s goals. The College will not limit access to any information due to its content, as long as it meets the standard of legality. The College reserves the right, however, to impose reasonable time, place, and manner restrictions on expressive activities that use its information resources. Furthermore, the College reserves the right to block or impose necessary safeguards against files and other information, such as malicious software and phishing emails, that are inherently malicious or pose a threat to the confidentiality, integrity, or availability of information resources for the College and its stakeholders.
  8. LSCO’s information resources are subject to monitoring, review, and disclosure as provided in Policy 7.5 Information Security Control Standards, Section 20. Consequently, users should not expect privacy in their use of LSCO’s information resources, even in the case of incidental personal use.
  9. Intellectual property laws extend to the electronic environment. Users should assume that works communicated through LSCO’s network and other information resources are subject to copyright laws, unless specifically stated otherwise.
  10. The state of Texas and LSCO consider information resources as valuable assets. Further, computer software purchased or licensed by the College is the property of the College or the company from whom it is licensed. Any unauthorized access, use, alteration, duplication, destruction, or disclosure of any of these assets may constitute a computer-related crime, punishable under Texas and federal statutes.
  11. All policies that apply to College-owned computing devices (e.g., desktop computers, laptop computers, or mobile devices) used on campus also apply to those used off-campus (e.g., College-owned home-based computers, mobile devices, or laptop use while travelling), including restrictions on use as listed in Section 4 of this policy.

4. Inappropriate Uses of Information Resources

  1. The following activities exemplify inappropriate use of the College’s information resources. These and similar activities are strictly prohibited for all users:
    • Use of College information resources for illegal activities or purposes. The College will deal with such use appropriately and will report such use to law enforcement authorities. Examples of illegal activities or purposes include unauthorized access, intentional corruption or misuse of information resources, theft, and child pornography.
    • Failure to comply with laws, policies, procedures, license agreements, and contracts that pertain to and limit the use of the College’s information resources.
  2. The abuse of information resources, including any willful act that:
    • endangers or damages any specific computer, software, hardware, program, network, data, or the system as a whole, whether located on campus or elsewhere on the global Internet;
    • creates or allows a computer malfunction or interruption of operation;
    • injects malicious software into an information system;
    • sends a message with the intent to disrupt College operations or the operations of outside entities;
    • produces output that occupies or monopolizes information resources for an unreasonable time period to the detriment of other authorized users;
    • consumes an unreasonable amount of College-controlled communications bandwidth to the detriment of other authorized users; or
    • fails to adhere to time limitations that apply at computer facilities on campus.
  3. Use of College information resources for personal financial gain or commercial purpose.
  4. Failure to protect a password or LSCO User ID from unauthorized use.
  5. Falsely representing one’s identity through the use of another individual’s LSCO User ID or permitting the use of an LSCO User ID and password by someone other than their owner. This restriction also applies to Personal Identification Numbers (PINs), Security Tokens (e.g., Smartcard), or similar information or devices used for identification and authorization purposes.
  6. Successful or attempted unauthorized use, access, duplication, disclosure, alteration, damage, or destruction of data contained on any College owned or controlled information resource.
  7. Installing any software on College-owned information resources without Information Technology Services department approval.
  8. Unauthorized duplication, use, or distribution of software and other copyrighted digital materials (including copyrighted music, graphics, videos, etc.). All software and many other digital materials are covered by some form of copyright, trademark, service mark, license, or agreement with potential civil and criminal liability penalties. The copyright or trademark holder must specifically authorize duplication, use, or distribution, or a specific exception of the Copyright Act, such as the Fair Use exception, the Library exception, or exceptions under the TEACH Act, must apply.
  9. Participating or assisting in the deliberate circumvention of any security measure or administrative access control that pertains to College information resources.
  10. Using College information resources in a manner that violates other College policies (including those found in the Student Handbook), such as racial, ethnic, religious, sexual, or other forms of harassment.
  11. Using College information resources for malicious activities such as phishing or the transmission of spam mail, chain letters, malicious software (e.g., viruses, worms, or spyware).
  12. Using College information resources for personal advertisements, solicitations, or promotions.
  13. Modifying any wiring or attempting to extend College owned or controlled networks beyond the port (e.g., adding hubs, switches, wireless access points, or similar devices) in violation of Policy 7.5 Information Security Control Standards, Section 19.
  14. Using LSCO’s information resources to affect the result of a local, state, or national election or to achieve any other political purpose (consistent with Texas Government Code §556.004).
  15. Using LSCO’s information resources to state, represent, infer, or imply an official College position without appropriate authorization.
  16. Unauthorized network scanning, footprinting, reconnaissance, or eavesdropping on information resources for available ports, file shares, or vulnerabilities.
  17. Unauthorized alteration or relay of network traffic (e.g., man-in-the-middle attacks).
  18. Employee use of computing devices not under the direct ownership of the employee or LSCO (e.g., public-use computers in libraries, hotels, and other locations) to access Confidential or Sensitive data stored on College information resources.
  19. The following restrictions apply to incidental use of College information resources:
    • Incidental personal use of information resources is restricted to College-approved users; it does not extend to family members or other acquaintances.
    • Incidental use must not result in direct cost to the College.
    • Incidental use must not interfere with the normal performance of an employee’s work duties.

5. Responsibilities of Users

  1. Each user shall utilize College information resources responsibly and respect the needs of other users.
  2. In keeping with LSCO’s core values, all use of its information resources should reflect high ethical standards, mutual respect, and civility.
  3. Users are responsible for any activity that takes place using their account.
  4. Users must report any suspected weaknesses in computer security, any incidents of possible abuse or misuse, or any violation of this agreement to the Information Technology Services department and/or the ISO immediately upon discovery.
  5. Unit heads and supervisors must report ongoing or serious problems regarding the use of LSCO information resources to the Information Technology Services department.
  6. Each user shall immediately notify the Information Technology Services department and/or the ISO of the loss of any fixed or portable storage device or media, regardless of ownership, that contains College data. (See Policy 7.5 Information Security Control Standards, Section 12.)

6. Access to College Information Resources by Auditors

  1. Consistent with TSUS policies, the TSUS director of Audits and Analysis and auditors reporting to them, either directly or indirectly, while in the performance of their assigned duties, shall have full, free, and unrestricted access to all College information resources, with or without notification or consent of the assigned owner of the resources. This includes personal information stored on College information resources. The College shall afford this access consistent with Policy 7.5 Information Security Control Standards, Section 9.
  2. The College shall provide state, federal, and other external auditors with access to College information resources with prior approval by the IRM. The College shall afford this access consistent with Policy 7.5 Information Security Control Standards, Section 9.

7. Consequences for Failure to Adhere to this Policy

  1. Failure to adhere to this policy may lead to the revocation of a user’s LSCO User ID, suspension, dismissal, or other disciplinary action by the College, as well as referral to legal and law enforcement agencies.
  2. Statutes pertaining to the use of College information resources include the following:
    • The Federal Family Educational Rights and Privacy Act (FERPA) – restricts access to personally identifiable information from students’ education records.
    • 1 Tex. Admin. Code §202 – establishes information security requirements for Texas state agencies and public higher education institutions.
    • Texas Penal Code, Chapter 33: Computer Crimes – specifically prohibits unauthorized use of College computers, unauthorized access to stored data, or dissemination of passwords or other confidential information to facilitate unauthorized access to the College’s computer system or data.
    • Texas Penal Code, §37.10: Tampering with Governmental Record – prohibits any alteration, destruction, or false entry of data that impairs the validity, legibility, or availability of any record maintained by the College.
    • United States Code, Title 18, Chapter 47, §1030: Fraud and Related Activity in Connection with Computers – prohibits unauthorized and fraudulent access to information resources, accessing a computer to obtain restricted information without authorization; altering, damaging, or destroying information on a government computer without authorization; trafficking in passwords or similar information used to gain unauthorized access to a government computer; and transmitting viruses and other malicious software.
    • Copyright Law, 17 U.S.C. §101-1332 – forms the primary basis of copyright law in the United States, as amended by subsequent legislation. The Law spells out the basic rights of copyright holders and codifies the doctrine of fair use.
    • Digital Millennium Copyright Act (DMCA), 17 U.S.C. §512 as amended and 28 U.S.C. §4001 – criminalizes production and dissemination of technology, devices, or services intended to circumvent measures that control access to copyrighted works. The Act amended Title 17 of the United States Code to extend the reach of copyright, while limiting the liability of internet service providers (like LSCO) for copyright infringement by their users, provided the service provider removes access to allegedly infringing materials in response to a properly formed complaint.
    • Electronic Communications Privacy Act (U.S.C., Title 18) – prohibits the interception or disclosure of electronic communication and defines those situations in which disclosure is legal.
    • Computer Software Rental Amendments Act of 1990 – deals with the unauthorized rental, lease, or lending of copyrighted software.
    • Texas Government Code §556.004 – prohibits using state resources or programs to influence elections or to achieve any other political purpose.
    • Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R. §164 – sets security management requirements and broad management controls to protect the privacy of patient health information.
    • Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. §3541 – requires every federal agency to develop, document, and implement an agency-wide information security program. The law was amended by FISMA 2010, which changed the focus from paperwork compliance to continuous monitoring and threat mitigation.

8. Related Policies, Regulations, Standards, and Guidelines


7.3 Electronic and Information Resources Accessibility

Scope: Faculty and Staff

1. Policy Statement

Lamar State College Orange (LSCO) is committed to providing equal access to all users of its electronic and information resources (EIR), including persons with disabilities. Ensuring EIR are accessible is required by state and federal laws and supports the success of LSCO’s mission.

2. Definitions

  1. A listing of initialisms used in this and other information resources policies can be found in Appendix A.
  2. A glossary with definitions of terms used in this and other information resources policies can be found in Appendix B.

3. Applicability

  1. This policy applies to:
    • EIR developed, procured, acquired, or materially changed by LSCO, whether by an LSCO employee or third party acting as an agent of or on behalf of LSCO, or through a procured services contract.
    • EIR services provided through hosted or managed services contracts.
    • EIR developed, procured, acquired, or materially changed by a contractor under a contract with LSCO which requires the use of such product or requires the use, to a significant extent, of such product in the performance of a service or the furnishing of a product.
    • Documentation and services that support the use of applicable EIR.
    • Web content and mobile applications subject to compliance with Title II of the Americans with Disabilities Act.
  2. This policy does not apply to:
    • EIR that have been exempted by the Texas Department of Information Resources (DIR), a list of which is posted on the Texas DIR website.
    • Status indicators and operable parts of EIR hardware located in maintenance or monitoring spaces, and where status indicators and operable parts are located in spaces that are frequented only by service personnel for maintenance, repair, or occasional monitoring of equipment.
    • Medical equipment in which electronic and information resources are integral to operation.
    • Equipment that contains embedded information resources that are used as an integral part of the product, but the principal function of which is not the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of information.
  3. EIR that complies with previous accessibility standards set forth in 1 Tex. Admin. Code §206.70 or 1 Tex. Admin. Code §213 shall not be required to conform to revised standards, provided that the user interface has not been altered on or after April 18, 2020.

4. Roles and Responsibilities

  1. Institution of Higher Education President. The LSCO President has the following responsibilities, which may be delegated:
    • Designate an EIR Accessibility Coordinator to facilitate institution-wide EIR accessibility compliance and practices in support of this policy.
    • Inform DIR within 30 days whenever the EIR Accessibility Coordinator position is vacant or a new/replacement EIR Accessibility Coordinator is designated.
    • Ensure appropriate staff receive training necessary to meet EIR accessibility-related requirements.
    • Approve requests for exception as per Section 9 of this policy.
  2. EIR Accessibility Coordinator. The EIR Accessibility Coordinator is the central point of contact concerning accessibility issues and solutions for LSCO’s EIR. The EIR Accessibility Coordinator serves in a coordinating and facilitating role, with responsibilities that include the following:
    • Develop, support, and maintain EIR accessibility policies, standards, and procedures.
    • Process EIR accessibility exception requests and maintain records of approved exceptions.
    • Maintain documentation of accessibility testing validation procedures and results.
    • Develop and support a plan by which EIR (including websites and web applications) will be brought into compliance. The plan shall include a process for corrective actions to remediate non-compliant items, compliance goals, and a method of measuring progress towards those goals.
    • Facilitate a response to concerns, complaints, reported issues, and Texas DIR surveys.
    • Facilitate the development or acquisition of training solutions necessary to meet EIR accessibility-related requirements.
  3. Unit Heads and EIR Owners
    • Each administrative and academic Unit Head is the default designated EIR owner for all EIR owned and/or operationally supported by the unit.
    • Unit Heads may designate appropriate functional leads as EIR owners.
    • EIR owners shall ensure compliance with this policy. Operational responsibility for compliance with this policy may be delegated by the EIR owner to appropriate personnel within the unit.

5. General

  1. LSCO is required to comply with EIR accessibility standards and requirements in 1 Tex. Admin. Code §206 and 1 Tex. Admin. Code §213.
  2. Excepting EIR specifically mentioned in Section 9 of this policy, when compliance cannot be accomplished for an EIR, an alternative design or technology may be used provided it results in substantially equivalent or greater access for people with disabilities.

6. Procurement and Acquisition

  1. LSCO is required to make procurement decisions and utilize contract language that supports the acquisition of accessible EIR products and services.
  2. LSCO shall require vendors to provide documented accessibility information for EIR products or services. If credible accessibility documentation cannot be provided by the vendor, the product or service shall be considered noncompliant. Acceptable forms of documentation include:
    • Voluntary Product Accessibility Template (VPAT) or equivalent reporting template.
    • Credible evidence of the vendor’s capability or ability to produce accessible EIR products and services. Such evidence may include, but is not limited to, a vendor's internal accessibility policy documents, contractual warranties for accessibility, accessibility testing documents, and examples of prior work results.
  3. LSCO shall monitor contracts and accessibility-related procurement processes for compliance with this policy.
  4. LSCO must contractually require the manufacturer of telecommunications equipment or provider of telecommunications services to ensure that the equipment or services are compliant with 47 U.S.C. §255 and 36 C.F.R. §1194.2, Appendix B, when such products are readily available or compliance is achievable.

7. Accessibility Testing and Validation

  1. Accessibility testing shall be coordinated with the EIR Accessibility Coordinator.
  2. New and modified web EIR shall be tested using one or more EIR accessibility validation tools to validate compliance with accessibility requirements. Tools include, but are not limited to, automated methods, manual methods, and assistive technologies.
  3. Accessibility testing shall be performed and documented by a knowledgeable LSCO employee or third party testing resource to validate compliance with 1 Tex. Admin. Code §206.70 and 1 Tex. Admin. Code §213 on all information resources technology projects for which development cost exceeds $500,000 and that meet one or more of the following criteria:
    • Requires one year or longer to reach operations status.
    • Involves more than one institution of higher education or state agency.
    • Substantially alters work methods or the delivery of services to clients.
  4. Accessibility testing and validation procedures and their results shall be documented, and a copy provided to the EIR Accessibility Coordinator in a timely manner.

8. Web Content and Mobile Application Accessibility

  1. Web content and mobile applications must comply with 1 Tex. Admin. Code §206.70 and 1 Tex. Admin. Code §213, Title II of the Americans with Disabilities Act, and this policy.
  2. When compliance cannot be accomplished, an alternative version of the EIR must be provided. The alternative version must have equivalent information or functionality and must be updated when the primary web EIR changes.
  3. The LSCO home page must include an Accessibility link to a web page that contains LSCO’s website accessibility policy statement, site validation standard, contact information for LSCO’s EIR Accessibility Coordinator, and a link to the Governor’s Committee on People with Disabilities web site.
  4. LSCO web sites shall be monitored for compliance with this policy.
  5. College websites shall be scanned periodically (at least quarterly) using an appropriate validation tool.
  6. Detailed validation reports shall be distributed to appropriate unit heads and EIR owners.
  7. Compliance reports shall be distributed to executive management.
  8. Based on a request for accommodation, the College must consider captioning and alternative forms of accommodation for video or live/real-time open meetings posted on its websites.

9. Exceptions

  1. An exception from this policy may be granted under certain circumstances, based on risk. The exception process should be completed prior to the procurement, acquisition, completion, use, or deployment of the EIR or at the point non-compliance with required accessibility standards is identified if the vendor is unable to immediately remedy the issue.
  2. The following exceptions are pre-approved by the President and may be issued by the EIR Accessibility Coordinator without the need for formal exception:
    • Blanket exceptions apply when the EIR is determined to affect 10 or fewer employees and 10 or fewer students or guests.
    • Single user exceptions apply when the EIR is determined to be used by a single user.
    • Title II exceptions apply when the EIR is specifically excepted in Title II of the Americans with Disabilities Act.
  3. Formal exceptions apply for all other cases in which EIR is unable to comply with this policy.
  4. Exception requests shall be submitted to the EIR Accessibility Coordinator for review and processing.
  5. Approval of formal exception requests is delegated to the Information Resources Manager unless:
    • the EIR is mission critical to the institution;
    • compliance imposes a significant difficulty or expense; or
    • the cost of the EIR exceeds $500,000.
  6. Documentation for approved exceptions shall be retained as per the appropriate records retention schedule.

10. Related Policies, Regulations, Standards, and Guidelines


7.4 Information Security Program

Scope: Faculty and Staff

1. Policy Statement

  1. 1 Tex. Admin. Code §202 requires each institution of higher education to develop, document, and implement an institution-wide information security program, approved by the institution head or delegate, that includes protections, based on risk, for all information and information resources owned, leased, or under the custodianship of a department, operating unit, or employee of the institution of higher education, including resources outsourced to another institution of higher education, contractor, or other source. In compliance with 1 Tex. Admin. Code §202, this policy statement and its references reflect the policies, procedures, standards, and guidelines comprising Lamar State College Orange’s (LSCO) information security program.
  2. Information that is Sensitive or Confidential must be protected from unauthorized access or modification. Data that is essential to critical College functions must be protected from loss, contamination, or destruction.
  3. Information must be identified and assigned the appropriate data classification in order to be protected appropriately.
  4. Appropriate roles and responsibilities must be identified to facilitate data protection.
  5. This policy articulates a framework for LSCO’s information security program.

2. Definitions

  1. A listing of initialisms used in this and other information resources policies can be found in Appendix A.
  2. A glossary with definitions of terms used in this and other information resources policies can be found in Appendix B.

3. Roles and Responsibilities

  1. All members of the LSCO community share responsibility for protecting LSCO’s information resources and, as such, are essential components of LSCO’s information security organization. Although some roles are reserved for certain positions within the College, each individual may assume one or more roles with respect to each information resource they use, and as a result, are accountable for the responsibilities attendant to their roles. Responsibilities associated with each role are noted throughout this and other LSCO information resources policies.
  2. President
    • The President may delegate some or all of the operational duties in Section 3(a)(2) of this policy; however, the President remains ultimately responsible for the security of College information resources.
    • The President or designated representative must:
      • Designate an Information Security Officer (ISO). The ISO must possess the training and experience required to perform the duties required by 1 Tex. Admin. Code §202, must report to executive management and must have the explicit authority and duty to administer the information security requirements of this policy College wide.
      • Allocate sufficient resources for ongoing information security remediation, implementation, and compliance activities that reduce risk to a level acceptable to the President.
      • Ensure senior management and information resource owners, in collaboration with the Information Resources Manager (IRM) and ISO, support the provision of information security for the information systems that support the operation and assets under their direct or indirect control.
      • Ensure that the College has trained personnel to assist in complying with the requirements of the College’s information security and related policies.
      • Ensure senior management support the ISO in developing required security reporting as described in Section 8 of this policy.
      • Approve any risk management decisions for information systems with residual risk assigned a ranking of High identified through risk assessment.
      • Annually, review and approve the College’s information security program.
      • Ensure that information security management processes are part of the College’s strategic planning and operational processes.
      • Approve exceptions to information security requirements or controls as per the exception process described in Section 7 of this policy.
  3. Information Security Officer (ISO)
    1. The ISO must:
      1. Develop and maintain a College-wide information security plan, in accordance with Texas Government Code §2054.133.
      2. Develop and maintain information security policies and procedures that address the requirements of 1 Tex. Admin. Code §202 and the College’s information security risks.
      3. Work with the College’s business and technical resources to ensure that controls are utilized to address all applicable security requirements and the College’s information security risks.
      4. Provide for training and direction of personnel with significant responsibilities for information security with respect to those responsibilities.
      5. Administer an ongoing information security awareness education program.
      6. Provide guidance and assistance to senior College officials, information owners, information custodians, and users concerning their responsibilities under 1 Tex. Admin. Code §202.
      7. Ensure risk assessments are performed by the information owners and supported by the information custodians at least biennially for systems containing confidential data and periodically for systems containing sensitive or public data.
      8. Ensure information security assessments are conducted biennially for systems containing confidential data and periodically for systems containing sensitive or public data.
      9. Review the College’s inventory of information systems and related ownership and responsibilities.
      10. Verify that security requirements are identified and risk mitigation plans are developed and contractually agreed and obligated prior to the acquisition of new information systems and/or related services and applications.
      11. Verify that security requirements are identified and risk mitigation plans are developed and implemented prior to the deployment of internally developed information systems and/or related applications or services.
      12. Coordinate the review of the data security requirements specifications, and, if applicable, third-party risk assessment of any new computer applications or services that receive, maintain, and/or share confidential data.
      13. Report, at least annually, to the President and executive management of the College the status and effectiveness of the security program and its controls.
      14. Inform any relevant parties in the event of noncompliance with the College’s information security and related policies.
      15. Approve, in coordination with the information owner, risk management decisions for information systems with residual risk assigned a ranking of Low or Moderate identified through risk assessment.
      16. Implement a threat awareness program that includes a cross-organization information-sharing capability.
  4. Information Resources Manager (IRM)
    • The IRM is the designated default Authorizing Official for all LSCO information systems.
  5. Information Owners
    • LSCO (and consequently the state of Texas) is the legal owner of all the information assets of the College. Ownership of data, information, and records (all hereinafter referred to as information) maintained in the manual and automated information and records systems of LSCO is identified in Table 1.
    • Table 1: Information Owners (Information Type: Information Owner)
      • Employment Records: Executive Director for Human Resources
      • Current and Former Student Information: Dean of Student Services
      • Financial Information: Vice President for Finance and Operations
      • Donor Information: President
      • Prospective Student Information: Dean of Student Services
      • Student Financial Aid Information: Dean of Student Services
      • Information Security: Chief Information Security Officer
      • Unit Administrative Information: Unit Head
      • Other: President
    • Ownership responsibility for on-premises network and system infrastructure hardware is assigned to the IRM by default.
    • Information owners must:
      1. Classify information under their authority, with the concurrence of the IRM and ISO, in accordance with this policy.
      2. Approve access to information resources and periodically review access lists based on documented risk management decisions.
      3. Formally assign custody and authorize the custodian(s) to implement required security controls.
      4. Coordinate data security control requirements with the ISO and convey said requirements to information custodians.
      5. Justify, document, and accept accountability for exceptions to security controls issued by the ISO for the information for which the Information Owner is responsible.
      6. Coordinate and obtain approval for exceptions to security controls as per the process described in Section 7 of this policy.
      7. Complete risk assessments as described in Policy 7.5 Information Security Control Standards, Section 17.
      8. Coordinate with the ISO on the approval of risk management decisions for information systems with residual risk assigned a ranking of Low or Moderate identified through risk assessment.
  6. Information Custodians
    • Multiple entities may be designated as information custodians. LSCO Information Technology Services department is, by default, a custodian of all information resources for which it has system administration responsibilities. Third party entities providing outsourced information resources services to the College may be designated as information custodians, as appropriate.
    • Information custodians must:
      1. Participate in risk assessments as described in Policy 7.5 Information Security Control Standards, Section 17.
      2. Provide information necessary to support appropriate employee information security training.
      3. In consultation with the IRM and ISO where possible and practical:
        1. Implement required security controls based on the classification and risks specified by the owner or as specified by LSCO’s policies, procedures, and standards.
        2. Provide owners with information to evaluate the cost-effectiveness of controls and monitoring.
        3. Adhere to monitoring techniques and procedures, approved by the ISO, for detecting, reporting, and investigating incidents.
        4. Supply any information and/or documents necessary to provide appropriate information security training to employees.
        5. Ensure information is recoverable in accordance with risk management decisions.
  7. Users
    • Users of information resources must use them only for the purpose specified by the College or the information owner.
    • Users must comply with College policies, procedures, security bulletins, and alerts issued by LSCO Information Technology Services or the ISO to prevent unauthorized or accidental disclosure, modification, or destruction of information.
    • Users must formally acknowledge that they will comply with College information security policies and procedures in a method determined by the College.
    • Employee users are responsible for ensuring the privacy and security of the information they access in the normal course of their work. They are also responsible for the security of any computing equipment used in the normal course of work.

4. General

  1. The College must develop, document, and implement a College-wide information security program.
  2. The ISO will lead the development of the program.
    • All units with operational responsibility for various aspects of information security (e.g., physical security, personnel security, technical security controls) must contribute to program creation, maintenance, and implementation.
    • The program must include:
      1. Risk-based protections for all information and information resources owned by, leased by, or under the custodianship of the College, including outsourced resources to another institution of higher education, contractor, or other source (e.g., cloud computing).
      2. Periodic assessments (in alignment with minimum legal reporting requirements) of the risk and impact that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information, information systems, and applications that support College operations and assets.
      3. Policies, controls, standards, and procedures that:
        1. Are based on risk assessments.
        2. Cost-effectively reduce information security risks to a level acceptable to the President.
        3. Ensure that information security is addressed throughout the life cycle of each College information resource.
        4. Ensure compliance with relevant federal and state legislative requirements (e.g., 1 Tex. Admin. Code §202), Texas State University System policies, College information security policies, and minimally acceptable system configuration requirements as determined by the College.
      4. Strategies to address risk to information resources assigned an impact ranking of High through risk assessment.
      5. Risk-based plans for providing information security for networks, facilities, and systems or groups of information systems and applications.
      6. A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in College information security policies, procedures, and practices.
      7. A process to justify, grant, and document any exceptions to specific program requirements in accordance with Section 7 of this policy.
  3. The program and associated plans and procedures must be reviewed and updated on an annual basis. Additional review and updates must be triggered by any changes that impact information security, security risk assessments, and implementation issues.
  4. Program, plan, and procedure documentation, including security-related plans identified in this and other College information resources policies is confidential under Texas Government Code §552.139 and must be protected from unauthorized disclosure or modification.

5. Data Classification

  1. All information stored, processed, or transmitted using LSCO’s information systems must be identified and assigned the appropriate classification of Public, Sensitive, or Confidential.
  2. Information that meets the criteria for Mission Critical must be assigned that classification in addition to the primary classification.
  3. Sensitive or Confidential information must be protected from unauthorized access or modification.
  4. Mission Critical information must be protected from loss, misuse, unauthorized disclosure or access, unauthorized modification, or unauthorized destruction, as applicable.
  5. Assigned classifications must be included in an information asset inventory maintained by LSCO’s Information Technology Services department.
  6. All information must be reviewed and classified prior to being posted on a publicly accessible information system (e.g., public website) to ensure nonpublic information is not included.

6. Information Security Risk Management

  1. Risk assessments for information and information systems must be completed as per Policy 7.5 Information Security Control Standards, Section 13.
  2. The ISO and owners must identify remedial actions to correct weaknesses or deficiencies noted during the risk assessment process. These actions must be documented in a plan of action and milestones, to be updated based on findings from subsequent risk assessments, security impact analyses, and monitoring activities.
  3. The ISO will commission periodic reviews of LSCO’s information security program. Reviews will be conducted at least biennially by individuals independent of the information security program and will be based on business risk management decisions.

7. Information Security Exceptions

  1. Exceptions to security requirements or controls may be granted to address circumstances or business needs. They must be justified and documented.
  2. Requests for exceptions must be initiated by the information resource owner (as the accountable party) and submitted to the ISO.
  3. Requests must contain the following information:
    • The policy for which the exception is sought.
    • The information resources and the data included in the exception.
    • The reason for the exception (e.g., why compliance with the policy is not feasible).
    • Workarounds, compensating security controls, or other mitigation activities in place.
    • Risk management rationale.
  4. Each request will be reviewed by the ISO and IRM. After any questions or concerns are addressed, the ISO will accept or reject the exception with the concurrence of the IRM. Exceptions for which there is high residual risk require the approval of the LSCO President.
  5. Approval may be contingent upon the application of compensating security controls to reduce risk resulting from the exception. All approvals will have an expiration date no longer than two (2) years from the request date.
  6. A record of all requests and their disposition must be maintained by the ISO.
  7. Approved security exceptions must be included in LSCO’s risk assessment process.

8. Information Security Reporting

  1. The ISO will report to the LSCO President and executive management at least annually on the following topics:
    • The adequacy and effectiveness of LSCO’s information security policies, procedures, and practices, as determined by risk assessment.
    • Compliance with information security requirements.
    • Residual risks identified by the College’s risk management process.
    • The effectiveness of the current information security program and the status of key initiatives.
    • The College’s information security requirements and requests such as security exceptions and requests for resources.
  2. The ISO will complete the Biennial Information Security Plan, in accordance with Texas Government Code §2054.133.
  3. The ISO will complete and submit an information security assessment in compliance with the requirements of Texas Government Code §2054.515 and 1 Tex. Admin. Code §202.73(c).
  4. The ISO will comply with the following Texas State University System (TSUS) reporting requirements:
    • Notification to System Administration via the Vice Chancellor and Chief Financial Officer and the Chief Audit Executive of any Urgent Incident Reports made to the Texas Department of Information Resources. (See Policy 7.5 Information Security Control Standards, Section 10.)

9. Related Policies, Regulations, Standards, and Guidelines


7.5 Information Security Control Standards

Scope: Faculty and Staff

1. Policy Statement

  1. Purpose: The purpose of this policy is to define information security control standards for Lamar State College Orange (LSCO) information systems and data, guided by required elements of the Texas Department of Information Resources Security Control Standards Catalog.
  2. Scope: This policy applies to Lamar State College Orange (LSCO). All users are responsible for understanding and observing these and all other applicable policies, regulations, and laws in connection with their use of the college’s information resources.
  3. Application: The statements in this document establish the requirements for Lamar State College Orange. At the discretion of the college, more stringent, restrictive, or enhanced requirements may be established.
  4. Management: This policy is managed by the Lamar State College Orange Chief Information Security Officer and will be reviewed at minimum every five years, or more frequently as needed, by the Chief Information Security Officer and appropriate college personnel.

2. Definitions

  1. A listing of initialisms used in this and other information resources policies can be found in Appendix A.
  2. A glossary with definitions of terms used in this and other information resources policies can be found in Appendix B.

3. Access Control

  1. Procedures (Authority - DIR Controls Catalog (CC): AC-1)

LSCO must:

    1. Develop procedures to facilitate the implementation of the Access Control policy and associated access controls;
    2. Review and update Access Control procedures at a college defined frequency; and
    3. Designate a college-defined individual as responsible for managing, developing, documenting, and disseminating college Access Control procedures related to the controls in this policy.
  2. Account Management & Disable Accounts (Authority - DIR CC: AC-2, AC-2(3), TAC 202.72)

LSCO must:

    1. Define and document, in consultation with the college’s ISO and IRM, the types of information system accounts that support organizational missions and business functions.
    2. Assign account manager responsibilities for information system accounts to the respective information owner.
    3. Establish conditions for group and role membership.
    4. Require the respective information owner to specify authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account.
    5. Require approval from the information owner for requests to create information system accounts.
    6. Require the respective information custodian to create, enable, modify, disable, and remove information system accounts in accordance with college-defined procedures and conditions.
    7. Require the respective information custodian to monitor the use of information system accounts.
    8. Notify account managers (i.e., information owners) within a college-defined period of time for each of the following conditions:
    • when the accounts are no longer required;
    • when users are terminated or transferred; and
    • when individual information system usage or need-to-know changes.
    9. Require that determinations to authorize access to each information system by the respective information owner are based on:
    • a valid access authorization request;
    • intended system usage; and
    • other attributes as required by mission or business functions.
    10. Require respective information custodians to review accounts for compliance with account management requirements at least once every two years or more frequently as defined by LSCO.
    11. Require respective information owners and information custodians to establish and implement processes for changing shared/group account credentials (if deployed) when individuals are removed from a group.
    12. Align account management processes with personnel termination and transfer processes.
    13. Disable accounts within a college-defined period of time when the accounts:
      • Have expired,
      • Are no longer associated with a user or individual,
      • Are in violation of college policy, or
      • Have been inactive for a college-defined period of time.
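The four disable conditions above are the kind of check a custodian would run against an account inventory export on a schedule. The following is an added example, not LSCO's code or procedure: it evaluates each enabled account against all four conditions and reports every condition that applies, so that an orphaned account that is also expired is recorded as both. The 90-day inactivity period, the `Account` record layout, and the sample inventory are assumptions constructed for the illustration; the policy leaves the actual period college-defined.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# The policy leaves the inactivity period "college-defined"; 90 days is an
# ASSUMED value used only for this illustration.
INACTIVITY_LIMIT = timedelta(days=90)


@dataclass
class Account:
    """One row from a hypothetical account inventory export (constructed sample data)."""
    username: str
    owner_id: Optional[str]      # None when no individual is associated with the account
    expires: Optional[date]      # None when the account has no expiry
    last_login: Optional[date]   # None when the account has never been used
    created: date
    enabled: bool
    policy_violation: bool = False


def disable_reasons(acct: Account, today: date,
                    inactivity_limit: timedelta = INACTIVITY_LIMIT) -> List[str]:
    """Return every AC-2(3) condition the account meets; an empty list means leave it enabled."""
    reasons: List[str] = []
    if acct.expires is not None and acct.expires < today:
        reasons.append("expired")
    if acct.owner_id is None:
        reasons.append("no associated individual")
    if acct.policy_violation:
        reasons.append("policy violation")
    # An account that has never logged in is measured from its creation date;
    # otherwise a never-used account would escape the inactivity check.
    last_activity = acct.last_login if acct.last_login is not None else acct.created
    if today - last_activity > inactivity_limit:
        reasons.append(f"inactive > {inactivity_limit.days} days")
    return reasons


def review_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each still-enabled account that must be disabled to the reasons why."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to do
        reasons = disable_reasons(acct, today)
        if reasons:
            findings[acct.username] = reasons
    return findings


# Constructed sample inventory; names and dates are invented for the example.
TODAY = date(2024, 9, 1)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "E1001", None, date(2024, 8, 30), date(2020, 1, 15), True),
    Account("contractor7", "C0042", date(2024, 8, 15), date(2024, 8, 14), date(2024, 2, 1), True),
    Account("svc_backup", None, None, date(2024, 8, 31), date(2019, 6, 1), True),
    Account("asmith", "E1002", None, date(2024, 4, 1), date(2021, 9, 1), True),
    Account("newhire", "E1003", None, None, date(2024, 3, 1), True),
    Account("oldacct", "E0999", date(2023, 1, 1), date(2022, 12, 1), date(2018, 1, 1), False),
    Account("bjones", "E1004", None, date(2024, 8, 20), date(2022, 1, 1), True, policy_violation=True),
]

if __name__ == "__main__":
    for user, why in review_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"disable {user}: {', '.join(why)}")
```

Reporting all applicable reasons rather than stopping at the first one matters for the record the owner and custodian keep: the same account inventory review also feeds the two-year compliance review in item 10, and an account flagged only as "inactive" hides that it was also orphaned.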
  3. Access Enforcement (Authority - DIR CC: AC-3)

LSCO must ensure that information systems enforce approved authorizations for logical access to information and system resources in accordance with applicable, college-defined access control policies.

  4. Separation of Duties (Authority - DIR CC: AC-5)

LSCO must:

    1. Identify and document separation of duties of individuals based on college-defined criteria; and
    2. Require that information owners define information system access authorizations to support separation of duties.
  5. Least Privilege (Authority - DIR CC: AC-6)

LSCO must:

    1. Establish the principle of least privilege as a critical and strategic component of college-level information security policies and procedures; and
    2. Ensure that access to information systems for users and processes acting on behalf of users is based on the principle of least privilege.
  6. Unsuccessful Logon Attempts (Authority - DIR CC: AC-7)

LSCO must ensure that each information system:

    1. Enforces a college-defined limit of consecutive, invalid logon attempts by a user or source of authentication during a college-defined period of time; and
    2. Automatically performs at least one of the following actions when the maximum number of unsuccessful attempts is exceeded:
      1. Locks the account or node for a college-defined period of time;
      2. Locks the account or node until released by an administrator;
      3. Delays the next logon prompt according to a college-defined delay algorithm; and/or
      4. Notifies the information custodian.
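The control above has three parameters that each information system must implement together: the limit of consecutive failures, the period within which they count as consecutive, and the action taken once the limit is exceeded. The following is an added example, not LSCO's code or a product configuration: a small tracker that enforces a sliding-window limit and implements two of the four permitted actions (a timed lock and a custodian notification), with an administrator release for the second option. The values 5 attempts, 15 minutes and 30 minutes, the account names, and the timestamps are assumptions constructed for the illustration; the policy leaves them college-defined.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# The policy leaves these values "college-defined"; the numbers below are
# ASSUMED for the illustration only.
MAX_ATTEMPTS = 5                       # consecutive failures tolerated before locking
WINDOW = timedelta(minutes=15)         # failures older than this no longer count as consecutive
LOCK_DURATION = timedelta(minutes=30)  # option 1 in the policy: time-based lock


class LockoutTracker:
    """Sliding-window enforcement of an AC-7 style unsuccessful-logon limit."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS, window: timedelta = WINDOW,
                 lock_duration: timedelta = LOCK_DURATION) -> None:
        self.max_attempts = max_attempts
        self.window = window
        self.lock_duration = lock_duration
        self._failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self._locked_until: Dict[str, datetime] = {}
        self.notifications: List[Tuple[str, datetime]] = []  # option 4: custodian notification

    def is_locked(self, key: str, now: datetime) -> bool:
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[key]  # lock has expired; clear it
        return False

    def record(self, key: str, success: bool, now: datetime) -> str:
        """Process one logon attempt for `key` (account or source) and return
        'allowed', 'rejected' (bad credentials, not yet locked) or 'locked'."""
        if self.is_locked(key, now):
            # A correct password during the lock period is still refused; otherwise
            # the lock would reveal whether a guess was right.
            return "locked"
        failures = self._failures[key]
        if success:
            failures.clear()  # a good logon resets the consecutive count
            return "allowed"
        # Drop failures that fell outside the window so only consecutive ones count.
        while failures and now - failures[0] > self.window:
            failures.popleft()
        failures.append(now)
        if len(failures) > self.max_attempts:
            self._locked_until[key] = now + self.lock_duration
            failures.clear()
            self.notifications.append((key, now))
            return "locked"
        return "rejected"

    def admin_release(self, key: str) -> None:
        """Option 2 in the policy: an administrator clears the lock early."""
        self._locked_until.pop(key, None)
        self._failures[key].clear()


def burst_scenario() -> List[str]:
    """Six failures within seconds, a correct password while locked, a retry after the lock expires."""
    tracker = LockoutTracker()
    t0 = datetime(2024, 9, 1, 8, 0, 0)  # constructed timestamp
    outcomes = [tracker.record("jdoe", False, t0 + timedelta(seconds=i)) for i in range(6)]
    outcomes.append(tracker.record("jdoe", True, t0 + timedelta(minutes=1)))
    outcomes.append(tracker.record("jdoe", True, t0 + timedelta(minutes=31)))
    return outcomes


def slow_scenario() -> List[str]:
    """Six failures spaced 20 minutes apart never exceed the limit inside a 15-minute window."""
    tracker = LockoutTracker()
    t0 = datetime(2024, 9, 1, 8, 0, 0)
    return [tracker.record("asmith", False, t0 + timedelta(minutes=20 * i)) for i in range(6)]


if __name__ == "__main__":
    print(burst_scenario())
    print(slow_scenario())
```

The second scenario is the reason the control names a period: without the window, a slow guessing campaign would never accumulate enough consecutive failures to lock, and with too short a window the limit is trivially evaded. When reviewing a system against this control, check which key the lock is applied to (account, source address, or both), since the policy permits either and an account-only lock can be used to deny service to a legitimate user.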
  7. System Use Notification (Authority - DIR CC: AC-8)

LSCO must ensure that each information system:

    1. Displays to human users at logon interfaces a college-defined system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, state laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
      1. Users are accessing a college information system;
      2. Information system usage may be monitored, recorded, and subject to audit;
      3. Unauthorized use of the information system is prohibited and subject to criminal prosecution and civil penalties; and
      4. Use of the information system indicates consent to monitoring and recording;
    2. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to logon to or further access the information system; and
    3. For publicly accessible systems that do not have logon interfaces:
      1. Displays system use information under college-defined conditions before granting further access.
      2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
      3. Includes a description of the authorized uses of the system.
  8. Permitted Actions Without Identification or Authentication (Authority - DIR CC: AC-14)

LSCO must:

    1. Identify and define user actions that can be performed on college information systems without identification or authentication consistent with college missions and business functions; and
    2. Document and provide supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.
  9. Remote Access (Authority - DIR CC: AC-17)

LSCO must:

    1. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
    2. Authorize each type of remote access to each information system prior to allowing such connections.
  10. Wireless Access (Authority - DIR CC: AC-18)

LSCO must:

    1. Establish configuration and connection requirements, and implementation guidance for each type of wireless access; and
    2. Authorize each type of wireless access to each information system prior to allowing such connections.
  11. Access Control for Mobile Devices (Authority - DIR CC: AC-19)

LSCO must:

    1. Establish configuration requirements, connection requirements, and implementation guidance for college-controlled mobile devices, to include when such devices are outside of college-controlled networks; and
    2. Authorize the connection of mobile devices to college information systems.
  12. Use of External Systems (Authority - DIR CC: AC-20)

LSCO must establish terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:

    1. Access the information system from external information systems; and
    2. Process, store, or transmit college-controlled information using external information systems.
  13. Publicly Accessible Content (Authority - DIR CC: AC-22)

LSCO must:

    1. Designate individuals authorized to make information publicly accessible.
    2. Train authorized individuals to ensure that publicly accessible information does not contain non-public information.
    3. Review the proposed content of information prior to posting onto publicly accessible information systems to ensure that non-public information is not included; and
    4. Review the content on the publicly accessible information system for non-public information at college defined frequencies and remove such information, if discovered.

4. Awareness and Training

  1. Procedures (Authority - DIR CC: AT-1, TGC 2054.519, TGC 2054.5191, TGC 2054.5192)

LSCO must:

    1. Develop procedures to facilitate the implementation of the Awareness and Training policy and associated controls.
    2. Review and update Awareness and Training procedures at a college-defined frequency; and
    3. Designate a college employee as responsible for managing, developing, documenting, and disseminating college Awareness and Training procedures related to the controls in this policy; and
    4. Provide information security training for all users of college information systems in accordance with applicable state and federal law, including, but not limited to, Texas Government Code § 2054.519, §2054.5191, and §2054.5192.
  2. Literacy Training and Awareness & Insider Threat (Authority - DIR CC: AT-2, AT-2(2), TGC 2054.519, TGC 2054.5191, TGC 2054.5192)

LSCO must:

    1. Provide security literacy training to:
      • Employees at least annually or as required by changes to information systems;
      • New employees during the onboarding process; and
      • Contractors who have access to the College’s computer systems or databases.
    2. Update security awareness and literacy training at a college-defined frequency; and
    3. Provide literacy training on recognizing and reporting potential indicators of insider threat.
  3. Role-Based Training (Authority - DIR CC: AT-3, TGC 2054.519, TGC 2054.5191, TGC 2054.5192)

LSCO must:

    1. Provide role-based security training:
      • To information resource employees with administrative privileges and responsibilities;
      • Before authorizing access to information systems or information, or before performing assigned duties; and
      • To information resource employees on a recurring basis (at least annually) and when required by system changes.
    2. Update role-based training content at a college-defined frequency.
  4. Training Records (Authority - DIR CC: AT-4, TGC 2054.519, TGC 2054.5191, TGC 2054.5192)

LSCO must:

    1. Document and monitor information security training activities, including security awareness training and specific role-based security training; and
    2. Retain individual training records for a college-defined time period.

5. Audit and Accountability

  1. Procedures (Authority - DIR CC: AU-1)

LSCO must:

    1. Develop procedures to facilitate the implementation of the Audit and Accountability policy and associated controls;
    2. Review and update Audit and Accountability procedures at a college-defined frequency; and
    3. Designate a college-defined individual as responsible for managing, developing, documenting, and disseminating college Audit and Accountability procedures related to the controls in this policy.
  1. Event Logging (Authority - DIR CC: AU-2)

LSCO must:

    1. Document a standard defining the types of events that each information system shall log, including the frequency at which the types of events selected for logging are reviewed and updated;
    2. Identify, for each information system, the types of events that the system is capable of logging in support of the audit function as specified in the college’s Standard;
    3. Require information owners and information custodians to coordinate with the college’s ISO (or their designee) to coordinate event logging functions;
    4. Specify the types of events from its standard that are configured for logging within each information system along with the frequency of (or situation requiring) logging for each identified type of event;
    5. Provide a rationale for why the college-defined auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
    6. Review and update event types selected for logging according to the Standard for each information system;
    7. Ensure information systems provide the means whereby authorized personnel have the ability to audit and establish individual accountability for each action that can potentially cause access to, generation or modification of, or affect the release of confidential information;
    8. Ensure appropriate audit trails are maintained to provide accountability for updates to mission-critical information, hardware and software, and for all changes to automated security or access rules; and
    9. Based upon an assessment of risk, maintain a sufficiently complete history of transactions to permit an audit of the information system by logging and tracing the activities of individuals through each information system.
  1. Content of Audit Records (Authority - DIR CC: AU-3)

LSCO must ensure that each information system’s audit records contain the following information:

    • What type of event occurred;
    • When the event occurred;
    • Where the event occurred;
    • Source of the event;
    • Outcome of the event; and
    • Identity of any individuals, subjects, or objects/entities associated with the event.

Events should contain all information needed to determine the logical location of the user.

  1. Audit Log Storage Capacity (Authority - DIR CC: AU-4)

LSCO must allocate audit-log storage capacity to accommodate the college’s audit log retention requirements.

  1. Response to Audit Logging Process Failures (Authority - DIR CC: AU-5)

LSCO must: 

    1. Document in a standard the audit processing failures that generate alerts, the appropriate personnel or roles to alert, the time period in which to be alerted, and any additional actions to take;
    2. In accordance with the standard, configure information systems to send designated alerts to appropriate personnel or roles in the event of applicable audit processing failures; and
    3. Take any additional actions in accordance with the standard in the event of an audit logging process failure of an information system.
  1. Audit Review, Analysis, and Reporting (Authority - DIR CC: AU-6)

LSCO must:

    1. Document in a standard the frequency at which information system audit records are reviewed and analyzed;
    2. Review and analyze information system audit records in accordance with the frequency specified in the standard and report actionable findings to the appropriate information system custodians; and
    3. Adjust the level of audit record review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
  1. Time Stamps (Authority - DIR CC: AU-8)

LSCO must:

    1. Configure each information system to:
      1. Use internal system clocks to generate time stamps for audit records; and
      2. Synchronize internal system clocks with an authoritative source of time specified by the ISO and IRM;
    2. Ensure that audit record time stamps have millisecond granularity and:
      1. Use Coordinated Universal Time;
      2. Have a fixed local time offset from Coordinated Universal Time; or
      3. Include the local time offset as part of the timestamp.
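As an added illustration of what the AU-3 record content and the AU-8 time-stamp rules above look like in practice (example code added here, not part of the policy and not LSCO’s own tooling), the Python below assembles an audit record carrying the six required elements with a millisecond UTC time stamp, and runs a review pass over a constructed batch of JSON-lines records to flag the defects an AU-6 reviewer would look for: missing elements, and time stamps that are neither in UTC nor carry an explicit offset. The field names, the record layout and the sample lines are assumptions made for the example.

```python
"""Added example: build and check audit records against AU-3 / AU-8.
Field names, record layout and sample log lines are assumptions for illustration."""
from __future__ import annotations

import json
import re
from datetime import datetime, timedelta, timezone
from typing import Iterable

# AU-3: what, when, where, source, outcome, identity (subject; object when relevant).
REQUIRED_FIELDS = ("event_type", "time", "host", "source", "outcome", "subject")

# AU-8: millisecond granularity, and either UTC ("Z") or an explicit UTC offset.
TIMESTAMP_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}(Z|[+-]\d{2}:\d{2})$"
)


def format_timestamp(when: datetime) -> str:
    """RFC 3339 text with millisecond precision. Naive datetimes are refused:
    a time stamp with no known relation to UTC cannot be correlated across systems."""
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("audit time stamps must carry a UTC offset")
    text = when.isoformat(timespec="milliseconds")
    return text[:-6] + "Z" if text.endswith("+00:00") else text


def make_record(event_type, host, source, outcome, subject, obj=None, when=None) -> dict:
    """Assemble a record with every AU-3 element; `obj` names the object acted on
    (file, table, account) when one applies."""
    when = when or datetime.now(timezone.utc)
    record = {
        "event_type": event_type,        # what happened
        "time": format_timestamp(when),  # when
        "host": host,                    # where
        "source": source,                # source (client address, process)
        "outcome": outcome,              # success / failure
        "subject": subject,              # who or what acted
    }
    if obj is not None:
        record["object"] = obj
    return record


def check_record(record: dict) -> list[str]:
    """Return the AU-3 / AU-8 problems found in one record (empty list = compliant)."""
    problems = [f"missing {field}" for field in REQUIRED_FIELDS if not record.get(field)]
    ts = record.get("time")
    if ts and not TIMESTAMP_RE.match(str(ts)):
        problems.append("time stamp lacks millisecond precision or UTC offset")
    return problems


def review_log(lines: Iterable[str]) -> dict[int, list[str]]:
    """AU-6 style pass over JSON-lines audit output: line number -> problems."""
    findings: dict[int, list[str]] = {}
    for number, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            findings[number] = ["unparseable record"]
            continue
        problems = check_record(record)
        if problems:
            findings[number] = problems
    return findings


# Constructed sample log lines for the example (not real LSCO data).
SAMPLE_LINES = [
    json.dumps(make_record("login", "sis-app01", "10.20.30.40", "success", "jdoe",
                           when=datetime(2024, 3, 1, 14, 5, 9, 123000, tzinfo=timezone.utc))),
    json.dumps(make_record("grade_update", "sis-db01", "sis-app01", "success", "jdoe",
                           obj="grades.2024SP",
                           when=datetime(2024, 3, 1, 8, 5, 10, 456000,
                                         tzinfo=timezone(timedelta(hours=-6))))),
    # Local time, no offset, whole-second precision: fails AU-8.
    '{"event_type": "login", "time": "2024-03-01 08:05:11", "host": "sis-app01", '
    '"source": "10.20.30.41", "outcome": "failure", "subject": "jdoe"}',
    # No outcome and no subject: fails AU-3.
    '{"event_type": "config_change", "time": "2024-03-01T14:05:12.000Z", '
    '"host": "fw01", "source": "console"}',
]

if __name__ == "__main__":
    for line_no, problems in review_log(SAMPLE_LINES).items():
        print(f"line {line_no}: {'; '.join(problems)}")
```

Running the block reports lines 3 and 4 of the constructed sample as non-compliant and stays silent on the first two; the same `check_record` test can be wired into a log pipeline so that a system whose output stops carrying an outcome or a UTC-relatable time stamp is caught at ingestion rather than during an investigation.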
  1. Protection of Audit Information (Authority - DIR CC: AU-9)

LSCO must protect audit information and audit tools from unauthorized access, modification, and deletion.

  1. Audit Record Retention (Authority - DIR CC: AU-11)

LSCO must:

    1. Ensure records retention policies for audit records meet regulatory and college information retention requirements; and
    2. Retain audit records for a period no less than is required by its records retention policy to provide sufficient support for after-the-fact investigations of security incidents.
  1. Audit Record Generation (Authority - DIR CC: AU-12)

LSCO must ensure that information systems:

    1. Provide audit record generation capability for the auditable events required by this policy and related college policies and standards;
    2. Allow authorized personnel or roles to select which auditable events are to be audited by specific components of the information system; and
    3. In alignment with this policy and related college policies and standards, generate audit records for necessary types of events and ensure the generated records contain sufficient content.

6.     Assessment, Authorization and Monitoring Policy

  1. Procedures (Authority - DIR CC: CA-1)

LSCO must:

    1. Develop procedures to facilitate the implementation of the Security Assessment, Authorization, and Monitoring policy and associated controls;
    2. Review and update Security Assessment, Authorization, and Monitoring procedures at a college-defined frequency; and
    3. Designate a college-defined individual as responsible for managing, developing, documenting, and disseminating college Assessment, Authorization, and Monitoring procedures related to the controls in this policy.
  1. Control Assessments (Authority - DIR CC: CA-2)

LSCO must:

    1. Develop a control assessment plan that describes the scope of the assessment, including:
    • Controls and control enhancements under assessment;
    • Assessment procedures to be used to determine control effectiveness; and
    • Assessment environment, assessment team, and assessment roles and responsibilities;
    2. Ensure the control assessment plan is reviewed and approved by the authorizing official or the authorizing official’s designated representative prior to conducting the assessment;
    3. Assess the controls in the information system and its environment of operation on a recurring frequency established by the college’s ISO to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
    4. Produce a control assessment report that documents the results of the assessment; and
    5. Provide the results of the control assessment to appropriate personnel, including information owners and information custodians.

LSCO must ensure that a review of the college’s information security program for compliance with security standards set by the Texas Department of Information Resources is performed at least biennially, based on college risk management decisions. The review must be performed by individual(s) independent of the college’s information security program and designated by the college’s head or their designated representative(s).

  1. Information Exchange (Authority - DIR CC: CA-3)

LSCO must:

    1. Through relevant information system owners, authorize the exchange of information (i.e., interconnections) between college information systems and other information systems, including those external to the college;
    2. Use a formalized Interconnection Security Agreement to document interconnections. At minimum, Interconnection Security Agreements must include the following information for each information system:
    • Interface characteristics;
    • Security requirements, controls, and responsibilities;
    • Information system category; and
    • The nature of the information communicated, including data classification; and
    3. Regularly review and, as necessary, update established Interconnection Security Agreements at the time of periodic risk assessments or at a college-defined frequency.


  1. Plan of Action and Milestones (Authority - DIR CC: CA-5)

LSCO must:

    1. Develop a Plan of Action and Milestones for each information system to document the college's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of security controls relevant to an information system and to reduce or eliminate known vulnerabilities in the assessed system; and
    2. Update existing plans of action and milestones at a college-defined frequency based on the findings from controls assessments, audits, and continuous monitoring activities.
  1. Authorization (Authority - DIR CC: CA-6)

LSCO must:

    1. Assign a senior-level executive or manager as the Authorizing Official for each information system;
    2. Assign a senior-level executive or manager as the Authorizing Official for common controls available for inheritance by college information systems;
    3. Ensure that the Authorizing Official for an information system accepts the use of common controls inherited by the system and authorizes the information system for processing before commencing operations;
    4. Ensure that the Authorizing Official for common controls authorizes the use of those controls for inheritance by college information systems; and
    5. Update the security authorization at the time of periodic risk assessment for the information system or at a college-defined frequency.
  1. Continuous Monitoring & Risk Monitoring (Authority - DIR CC: CA-7, CA-7(4))

LSCO must develop a continuous monitoring strategy and implement an information system-level continuous monitoring program that includes:

    1. Establishment of system-level metrics to be monitored;
    2. Establishment of frequencies for monitoring and for control assessments supporting such monitoring;
    3. Ongoing control assessments in accordance with the college continuous monitoring strategy;
    4. Ongoing monitoring of information system and college-defined metrics in accordance with the college continuous monitoring strategy;
    5. Correlation and analysis of security-related information generated by control assessments and monitoring;
    6. Response actions to address results of the analysis of control assessment and monitoring information; and
    7. Reporting the security status of each information system to appropriate stakeholders at a college-defined frequency.

LSCO must ensure that risk monitoring is an integral part of the continuous monitoring strategy that includes the following:

      1. Effectiveness monitoring;
      2. Compliance monitoring; and
      3. Change monitoring.
  1. Penetration Testing (Authority - DIR CC: CA-8; TGC §2054.516(a)(2))
    1. LSCO must conduct penetration testing at a college-defined frequency on college-defined information systems and information system components.
    2. LSCO must ensure that:
      • Internet websites or mobile applications that process any sensitive personal information, personally identifiable information, or confidential information are subjected to a vulnerability and penetration test at a college-defined frequency; and
      • Any vulnerability identified in each test is addressed in a fashion commensurate with the risk presented, as determined by the college’s ISO (or designee).
  1. Internal System Connections (Authority - DIR CC: CA-9)

LSCO must:

    1. Authorize internal connections of college-defined information system components or classes of components to each information system;
    2. Document, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated;
    3. Terminate internal system connections based on college-defined conditions; and
    4. Review the need for each internal connection at a college-defined frequency.

7. Configuration Management

  1. Procedures (Authority - DIR CC: CM-1)

LSCO must:

    1. Develop procedures to facilitate the implementation of the Configuration Management policy and associated controls;
    2. Review and update Configuration Management procedures at a college-defined frequency; and
    3. Designate a college-defined individual as responsible for managing, developing, documenting, and disseminating college Configuration Management procedures related to the controls in this policy.
  1. Baseline Configuration (Authority - DIR CC: CM-2)

LSCO must: 

    1. Develop, document, and maintain under configuration control, a current baseline configuration of each information system; and
    2. Review and update the baseline configuration of each information system:
      1. At a college-defined frequency;
      2. When required because of college-defined circumstances; and
      3. When information system components are installed or upgraded.
  1. Configuration Change Control (Authority - DIR CC: CM- 3)

LSCO must:

    1. Determine and document the types of changes to information systems that are configuration-controlled;
    2. Review proposed configuration-controlled changes to information systems and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;
    3. Document configuration change decisions associated with the information systems;
    4. Implement approved configuration-controlled changes to the information systems;
    5. Retain records of configuration-controlled changes to information systems for a college-defined period of time;
    6. Monitor and review activities associated with configuration-controlled changes to information systems; and
    7. Coordinate and provide oversight for configuration change control activities through college-defined configuration change control elements that convene at a college-defined frequency and/or when college-defined configuration change conditions are met.

LSCO must ensure that all security-related information resources changes are approved by the information owner (or designee) through a change control process.

  1. Impact Analyses (Authority - DIR CC: CM- 4)
    1. LSCO must analyze changes to each information system to determine potential security impacts prior to change implementation.
    2. LSCO must ensure that:
    • All security-related information resources changes are approved by the information owner (or designee) through a change control process; and
    • Such approval occurs prior to implementation by the college or independent contractors.
  1. Access Restrictions for Change (Authority - DIR CC: CM- 5)

LSCO must define, document, approve, and enforce physical and logical access restrictions associated with changes to each information system.

  1. Configuration Settings (Authority - DIR CC: CM- 6)

LSCO must:

    1. Establish and document configuration settings for components employed within information systems using college-defined, common security configurations that reflect the most restrictive mode consistent with operational requirements;
    2. Implement the configuration settings;
    3. Identify, document, and approve any deviations from established configuration settings for college-defined information system components based on college-defined operational requirements; and
    4. Monitor and control changes to the configuration settings in accordance with college policies and procedures.
  1. Least Functionality (Authority - DIR CC: CM- 7)

LSCO must:

    1. Configure each information system to provide only college-defined, mission-essential capabilities; and
    2. Prohibit or restrict the use of college-defined functions, ports, protocols, software and/or services.
  1. System Component Inventory (Authority - DIR CC: CM- 8)

LSCO must:

    1. Develop and document an inventory of information system components that:
      1. Accurately reflects the information system;
      2. Includes all components within each information system;
      3. Is at the level of granularity deemed necessary for tracking and reporting; and
      4. Includes college-defined information deemed necessary to achieve effective information system component accountability.
    2. Review and update the information system component inventory at a college-defined frequency.
  1. Software Usage Restrictions (Authority - DIR CC: CM- 10)

LSCO must:

    1. Use software and associated documentation in accordance with contract agreements and copyright laws;
    2. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
    3. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
  1. User-Installed Software (Authority - DIR CC: CM- 11)

LSCO must:

    1. Establish college-defined policies governing the installation of software by users;
    2. Enforce software installation policies through college-defined methods; and
    3. Monitor policy compliance at college-defined frequency.

8. Contingency Planning

  1. Procedures (Authority -DIR CC: CP-1)

LSCO must:

    1. Develop procedures to facilitate the implementation of the Contingency Planning policy and associated controls;
    2. Review and update Contingency Planning procedures at a college-defined frequency;
    3. Designate a college-defined individual as responsible for managing, developing, documenting, and disseminating college Contingency Planning procedures related to the controls in this policy; and
    4. Maintain written continuity of operations plans that address information resources.
  1. Contingency Plan (Authority - DIR CC: CP-2)

LSCO must:

    1. Develop a contingency plan for each information system that:
      1. Identifies essential missions and business functions and associated contingency requirements;
      2. Provides recovery objectives, restoration priorities, and metrics;
      3. Addresses contingency roles, responsibilities, and assigned individuals with contact information;
      4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
      5. Addresses eventual, full information system restoration without deterioration of the controls originally planned and implemented; and
      6. Is reviewed and approved by college designated personnel or roles;
    2. Distribute copies of the contingency plan to college designated key contingency personnel (identified by name and/or by role) and college elements;
    3. Coordinate contingency planning activities with incident handling activities;
    4. Review the contingency plan for each information system at a college-defined frequency;
    5. Update the contingency plan to address changes to the college, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
    6. Communicate contingency plan changes to college designated key contingency personnel (identified by name and/or by role) and college elements; and
    7. Protect the contingency plan from unauthorized disclosure and modification.
  1. Contingency Training (Authority - DIR CC: CP-3)

LSCO must provide contingency training to information system users consistent with assigned roles and responsibilities:

    1. Within a college-defined time period of assuming a contingency role or responsibility;
    2. When required by information system changes; and
    3. On a college-defined frequency thereafter.
  1. Contingency Plan Testing (Authority - DIR CC: CP-4)

LSCO must:

    1. Test the contingency plan for information systems at least annually using college-defined tests to determine the effectiveness of the plan and the college readiness to execute the plan;
    2. Review the contingency plan test results; and
    3. Initiate corrective actions, if needed.
  1. Alternate Storage Site (Authority - DIR CC: CP-6)

LSCO must:

    1. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of information system backup information; and
    2. Ensure that the alternate storage site provides controls equivalent to that of the primary site.
  1. Telecommunications Services (Authority - DIR CC: CP-8)

LSCO must establish alternate telecommunications services, including necessary agreements, to permit the resumption of college-defined information system operations for essential mission and business functions within a college-defined period of time when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

  1. System Backup (Authority - DIR CC: CP-9)

LSCO must:

    1. Conduct backups of the following types of information at a frequency consistent with college-defined recovery time and recovery point objectives:
      1. User-level information contained in information systems;
      2. System-level information contained in information systems; and
      3. Information system documentation, including security-related documentation; and
    2. Protect the confidentiality, integrity, and availability of backup information.
  1. System Recovery and Reconstitution (Authority - DIR CC: CP-10)

LSCO must have the capability for recovery and reconstitution of each information system to a known state after a disruption, compromise, or failure consistent with college-defined recovery time and recovery point objectives.

  1. Alternate Communications Protocols (Authority - DIR CC: CP-11)

LSCO must have the capability to employ college-defined alternative communications protocols in support of maintaining continuity of operations.

9. Identification and Authentication

  1. Procedures (Authority - DIR CC: IA-1)

LSCO must:

    1. Develop procedures to facilitate the implementation of the Identification and Authentication policy and associated controls;
    2. Review and update Identification and Authentication procedures at a college-defined frequency; and
    3. Designate an individual as responsible for managing, developing, documenting, and disseminating college Identification and Authentication procedures related to the controls in this policy.
  1. Identification and Authentication (Organizational Users), Multifactor Authentication to Privileged Accounts, & Multifactor Authentication to Non-privileged Accounts (Authority - DIR CC: IA-2, IA-2(1), IA-2(2); TAC 202.1)

LSCO must ensure that information systems uniquely identify and authenticate college users or processes acting on behalf of college users prior to granting the user or process access to a given information system.

    1. Non-unique identifiers may only be used in situations in which a risk analysis performed by college-defined personnel demonstrates no need for individual accountability of users;
    2. LSCO must implement multifactor authentication for access to privileged accounts on college information systems; and
    3. LSCO must implement multifactor authentication for access to non-privileged accounts on college information systems.
  1. Identifier Management (Authority - DIR CC: IA-4)

LSCO must manage information system identifiers by:

    1. Receiving authorization from college-defined personnel to assign an individual, group, role, service, or device identifier;
    2. Selecting an identifier that identifies an individual, group, role, service, or device;
    3. Assigning the identifier to the intended individual, group, role, service, or device; and
    4. Preventing reuse of identifiers for a college-defined time period.

LSCO must ensure a user’s access authorization is appropriately modified or removed when the user’s employment, job responsibilities, or affiliation with the college changes.

  1. Authenticator Management (Authority - DIR CC: IA-5)

LSCO must manage information system authenticators by:

    1. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
    2. Establishing initial authenticator content for authenticators defined by the college;
    3. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
    4. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
    5. Changing default authenticators prior to first use;
    6. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
    7. Changing or refreshing authenticators at a college-defined time period by authenticator type;
    8. Protecting authenticator content from unauthorized disclosure and modification;
    9. Requiring individuals to take, and having devices implement, specific security controls to protect authenticators; and
    10. Changing authenticators for group or role accounts when membership to those accounts changes.
  1. Password-based Authentication (Authority - DIR CC: IA-5(1))

For password-based authentication, LSCO must:

    1. Maintain a list of commonly used, expected, or compromised passwords and update the list at a college-defined frequency and when college passwords are suspected to have been compromised directly or indirectly;
    2. Verify, when users create or update passwords, that the passwords are not found on the college-defined list of commonly used, expected, or compromised passwords;
    3. Transmit passwords only over cryptographically protected channels;
    4. Store passwords using an approved salted key derivation function, preferably using a keyed hash;
    5. Require immediate selection of a new password upon account recovery;
    6. Allow user selection of long passwords and passphrases, including spaces and all printable characters;
    7. Employ automated tools to assist the user in selecting strong password authenticators; and
    8. Enforce college-defined password composition and complexity rules.
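As an added example of items 1, 2, 4 and 6 above (example code added here, not the policy’s text and not LSCO’s own implementation): a screening step that rejects candidates found on a compromised-password list while accepting long passphrases containing spaces and any printable character, and storage that uses a per-user random salt, PBKDF2-HMAC-SHA256 as the salted key derivation function, and an HMAC under a server-held secret (a pepper) as the keyed hash. The iteration count, the length bounds, the pepper value and the contents of the denylist are assumptions; in production the denylist would be loaded from the college-maintained list and refreshed on the schedule item 1 requires.

```python
"""Added example: password screening and storage following IA-5(1) items 1, 2, 4 and 6.
The iteration count, length bounds, pepper and denylist contents are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune to the server's hardware
SALT_BYTES = 16
MIN_LENGTH = 8                # assumed college-defined floor
MAX_LENGTH = 256              # long passphrases allowed, bounded to cap KDF cost

# Constructed stand-in for the college-maintained list of commonly used, expected
# or compromised passwords (item 1). A real list is far larger and is reloaded
# whenever it is updated.
COMPROMISED_PASSWORDS = frozenset({
    "password", "123456", "qwerty", "letmein", "welcome1", "gators2024",
})


def screen_password(candidate: str, denylist=COMPROMISED_PASSWORDS) -> Optional[str]:
    """Items 2 and 6: return a rejection reason, or None if the candidate is acceptable.
    Spaces and every printable character are permitted; only control characters and
    the length bounds are enforced here. College-defined composition rules (item 8)
    would be applied as a separate step."""
    candidate = unicodedata.normalize("NFKC", candidate)  # same passphrase -> same bytes
    if len(candidate) < MIN_LENGTH:
        return "too short"
    if len(candidate) > MAX_LENGTH:
        return "too long"
    if any(unicodedata.category(ch).startswith("C") for ch in candidate):
        return "control characters not allowed"
    if candidate.lower() in denylist:
        return "password appears on the compromised list"
    return None


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None) -> str:
    """Item 4: per-user random salt + PBKDF2-HMAC-SHA256, then an HMAC under a
    server-side secret (the keyed hash). A stolen credential table is useless
    without the pepper, which is kept outside the database (e.g. in a secret store)."""
    salt = salt or os.urandom(SALT_BYTES)
    password = unicodedata.normalize("NFKC", password)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  PBKDF2_ITERATIONS, dklen=32)
    tag = hmac.new(pepper, derived, "sha256").digest()
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${tag.hex()}"


def verify_password(password: str, stored: str, pepper: bytes) -> bool:
    """Recompute under the parameters recorded with the hash and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, tag_hex = stored.split("$")
        if algorithm != "pbkdf2-sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(tag_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    password = unicodedata.normalize("NFKC", password)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return hmac.compare_digest(hmac.new(pepper, derived, "sha256").digest(), expected)


if __name__ == "__main__":
    pepper = os.urandom(32)  # in practice: loaded from a secret store, never from the DB
    for candidate in ("Password", "correct horse battery staple!"):
        print(repr(candidate), "->", screen_password(candidate) or "accepted")
    record = hash_password("correct horse battery staple!", pepper)
    print(record)
    print(verify_password("correct horse battery staple!", record, pepper))
```

Two design points worth noting: the iteration count is stored alongside the hash so it can be raised over time and old records re-hashed on the user’s next successful login, and the pepper is passed in rather than read from the same store as the hashes, which is what makes the keyed hash worth having.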
  1. Authenticator Feedback (Authority - DIR CC: IA-6)

LSCO must ensure that information systems obscure feedback of authentication information entered during authentication processes.

  1. Cryptographic Module Authentication (Authority - DIR CC: IA-7)

LSCO must:

    1. Implement mechanisms for authentication to cryptographic modules in information systems; and
    2. Ensure that implemented cryptographic modules meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.
  1. Identification and Authentication (Non-Organizational Users) (Authority - DIR CC: IA-8)

LSCO must ensure that information systems uniquely identify and authenticate non-college users or processes acting on behalf of non-college users.

  1. Re-Authentication (Authority - DIR CC: IA-11)
    1. LSCO must document a Standard defining the circumstances or situations which require users to re-authenticate.
    2. LSCO must require users to re-authenticate according to the college’s Standard.
    3. LSCO’s standard for re-authentication must include the following minimum requirements:
      • Users must be required to re-authenticate when a device automatically locks; and
      • Users must be required to re-authenticate when the user’s password is known to be compromised or publicly disclosed.

10.  Incident Response

  1. Procedures (Authority - DIR CC: IR-1)

LSCO must:

    1. Develop procedures to facilitate the implementation of the Incident Response policy and associated controls;
    2. Review and update Incident Response procedures at a college-defined frequency; and
    3. Designate an individual as responsible for managing, developing, documenting, and disseminating college Incident Response procedures related to the controls in this policy.
    4. LSCO must assess the significance of a security incident based upon the business impact on the affected resources and the current and potential technical effect of the incident.
  1. Incident Response Training (Authority - DIR CC: IR-2)

LSCO must provide incident response training to information system users consistent with their assigned roles and responsibilities:

    1. Within a college-defined time period of assuming an incident response role or responsibility or acquiring information system access;
    2. When required by information system changes; and
    3. At an annual frequency thereafter.
  1. Incident Response Testing (Authority - DIR CC: IR-3)

LSCO must test the effectiveness of the incident response capability for each information system at a college-defined frequency using the college-defined tests for each information system.

  1. Incident Handling (Authority - Texas Administrative Code (TAC): 202.73(b); DIR CC: IR-4)

LSCO must:

    1. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;
    2. Coordinate incident handling activities with contingency planning activities;
    3. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and
    4. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the college.
  1. Incident Monitoring (Authority - TAC 202.73(b); DIR CC: IR-5)

LSCO must track and document security and supply chain incidents.

  1. Incident Reporting (Authority - TAC 202.73(b); DIR CC: IR-6)

LSCO must:

    1. Require personnel to report suspected security and supply chain incidents to the college’s ISO (or their designee) using college-defined procedures within a college-defined time period;
    2. Develop policies and mechanisms providing for notification of any suspected data breach to the ISO (or their designee) within 48 hours of discovery;
    3. Promptly report security and supply chain incidents to the Department of Information Resources (DIR) when the security incident is assessed to:
      1. Propagate to other state information systems;
      2. Result in criminal violations that shall be reported to law enforcement in accordance with state or federal information security or privacy laws;
      3. Involve the unauthorized disclosure or modification of confidential information; or
      4. Be an unauthorized incident that compromises, destroys, or alters information systems, applications, or access to such systems or applications in any way.
    4. Report summary security and supply chain incident information monthly to DIR no later than 9 calendar days after the end of the month.

If an information security or supply chain incident is required to be reported to the DIR under Texas Government Code Sec. 2054.1125 or the “Urgent Incident Report” rules per Texas Administrative Code 202.73(b), the college’s established reporting and escalation procedures shall also require notification to the Texas State University System Administration via the Vice Chancellor and Chief Financial Officer and the Chief Audit Executive in a similar reporting manner and timeline.

  1. Incident Response Assistance (Authority - DIR CC: IR-7)

LSCO must provide an incident response resource, integral to the college’s incident response capability, that advises and assists users of information systems in handling and reporting security and supply chain incidents. The incident response resource must be determined by the college’s ISO and may be comprised of technical support personnel, verified third-party consultants, and other resources.

  1. Incident Response Plan (Authority - DIR CC: IR-8)

LSCO must:

    1. Develop an incident response plan that:
      1. Provides the college with a roadmap for implementing its incident response capability;
      2. Describes the structure and organization of the incident response capability;
      3. Provides a high-level approach for how the incident response capability fits into the overall college;
      4. Meets the unique requirements of the college, which relate to mission, size, structure, and functions;
      5. Defines reportable incidents;
      6. Provides metrics for measuring the incident response capability within the college;
      7. Defines the resources and management support needed to effectively maintain and mature an incident response capability;
      8. Is reviewed and approved by appropriate, college-defined leadership; and
      9. Explicitly designates responsibility for incident response to college-defined roles;
    2. Distribute copies of the incident response plan to college elements charged with incident response responsibilities defined by name and/or role;
    3. Update the incident response plan to address system and college changes or problems encountered during plan implementation, execution, or testing;
    4. Communicate changes to the incident response plan to college elements charged with incident response responsibilities defined by name and/or role; and
    5. Protect the incident response plan from unauthorized disclosure and modification.

  1. Information Spillage Response (Authority - DIR CC: IR-9)

LSCO must respond to information spills by:

    1. Assigning, in the incident response plan, personnel or roles with responsibility for responding to information spills;
    2. Identifying the specific information involved in the information system contamination;
    3. Alerting personnel identified in the incident response plan of the information spill using a method of communication not associated with the spill;
    4. Isolating the contaminated information system or information system component;
    5. Eradicating the information from the contaminated information system or component;
    6. Identifying other information systems or information system components that may have been subsequently contaminated; and
    7. Performing any additional actions defined in the incident response plan.

11. Maintenance

  1. Procedures (Authority - DIR CC: MA-1)

LSCO must:

    1. Develop procedures to facilitate the implementation of the Maintenance policy and associated controls;
    2. Review and update Maintenance procedures at a college-defined frequency; and
    3. Designate an individual as responsible for managing, developing, documenting, and disseminating college Maintenance procedures related to the controls in this policy.

  2. Controlled Maintenance (Authority - DIR CC: MA-2)

LSCO must require information custodians to:

    1. Schedule, document, and review records of maintenance, repair, and/or replacement on information system components in accordance with manufacturer or vendor specifications and/or college-defined requirements;
    2. Approve and monitor all maintenance activities, whether performed on site or remotely and whether the information system or information system components are serviced on site or removed to another location;
    3. Explicitly approve the removal of the information system or information system components from college facilities for off-site maintenance, repair, and/or replacement;
    4. Sanitize equipment to remove all information from associated media prior to removal from college facilities for off-site maintenance, repair, and/or replacement;
    5. Check all potentially impacted security controls to verify that the controls are still functioning properly following maintenance, repair, and/or replacement actions; and
    6. Update appropriate college maintenance records following maintenance, repair, and/or replacement actions.

  3. Nonlocal Maintenance (Authority - DIR CC: MA-4)

LSCO, directly or contractually, must:

    1. Approve and monitor nonlocal maintenance and diagnostic activities;
    2. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with college policy and documented in the security plan for the information system;
    3. Employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
    4. Maintain records for nonlocal maintenance and diagnostic activities; and
    5. Terminate session and network connections when nonlocal maintenance is completed.

  4. Maintenance Personnel (Authority - DIR CC: MA-5)

LSCO must:

    1. Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;
    2. Verify that non-escorted personnel performing maintenance on information systems possess the required access authorizations; and
    3. Designate college personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

12. Media Protection

  1. Procedures (Authority - DIR CC: MP-1)

LSCO must:

    1. Develop procedures to facilitate the implementation of the Media Protection policy and associated controls;
    2. Review and update Media Protection procedures at a college-defined frequency; and
    3. Designate an individual as responsible for managing, developing, documenting, and disseminating college Media Protection procedures related to the controls in this policy.

  2. Media Access (Authority - DIR CC: MP-2)

LSCO must restrict access to college-defined types of digital and non-digital media to college-defined personnel or roles.

  3. Media Sanitization & Review, Approve, Track, Document, and Verify (Authority - Texas Government Code (TGC) 441.185; DIR CC: MP-6, MP-6(1))
    1. LSCO must:
      • Sanitize college-defined system media prior to disposal, release out of institutional control, or release for reuse using college-defined sanitization techniques and procedures; and
      • Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
    2. LSCO must review, approve, track, document, and verify media sanitization and disposal actions.
    3. LSCO must keep a record documenting the removal and completion of sanitization of media that stored confidential information with the following information:
      • Date;
      • Description of the item(s) and serial number(s);
      • Inventory number(s);
      • The process and sanitization tools used to remove the data or method of destruction; and
      • The name and address of the organization to which the media were transferred.

  4. Media Use (Authority - DIR CC: MP-7)
    1. LSCO must document and enforce a Standard defining at minimum:
      • The types of system media within scope of the Standard;
      • Whether and under what conditions, including on what information systems or information system components, the use of each type of system media is authorized, restricted, or prohibited; and
      • Controls required to use authorized types of system media.
    2. Each component college must prohibit the use of portable storage devices in college systems when such devices have no identifiable owner.

13. Physical and Environmental Protection

  1. Procedures (Authority - DIR CC: PE-1)
    • LSCO must:
      1. Develop procedures to facilitate the implementation of the Physical and Environmental Protection policy and associated controls;
      2. Review and update Physical and Environmental Protection procedures at a college-defined frequency; and
      3. Designate an individual as responsible for managing, developing, documenting, and disseminating college Physical and Environmental Protection procedures related to the controls in this policy.
  2. Physical Access Authorizations (Authority - DIR CC: PE-2)
    • LSCO must:
      1. Develop, approve, and maintain a list of individuals with authorized access to facilities in which one or more college information systems reside;
      2. Issue authorization credentials for facility access;
      3. Review the access list detailing authorized facility access by individuals at a college-defined frequency; and
      4. Remove individuals from the facility access list when access is no longer required.
  3. Physical Access Control (Authority - DIR CC: PE-3)
    • LSCO must:
      1. Enforce physical access authorizations at college-defined entry and exit points to facilities in which one or more college information systems reside by:
        1. Verifying individual access authorizations before granting access to each facility; and
        2. Controlling ingress and egress to each facility using college-defined physical access control systems, which may include systems, devices, and/or guards;
      2. Maintain physical access audit logs for college-defined entry and exit points;
      3. Control access to areas within each facility designated as publicly accessible using college-defined controls;
      4. Escort visitors and monitor visitor activity based on college-defined requirements;
      5. Secure keys, combinations, and other physical access devices;
      6. Inventory college-defined physical access devices at a college-defined frequency; and
      7. Change combinations and keys:
        1. At a college-defined frequency; and/or
        2. When keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.
  4. Monitoring Physical Access (Authority - DIR CC: PE-6)
    • LSCO must:
      1. Monitor physical access to facilities in which one or more college information systems reside to detect and respond to physical security incidents;
      2. Review physical access logs at a college-defined frequency and upon occurrence of college-defined events or potential indications of events; and
      3. Coordinate results of reviews and investigations with the college incident response capability.
  5. Visitor Access Records (Authority - DIR CC: PE-8)
    • LSCO must:
      1. Maintain visitor access records to facilities in which one or more college information systems reside for a college-defined period;
      2. Review visitor access records at a college-defined frequency; and
      3. Report anomalies in visitor access records to college-defined personnel.
  6. Emergency Lighting (Authority - DIR CC: PE-12)
    • LSCO must employ and maintain automatic emergency lighting that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within facilities in which one or more college information systems reside.
  7. Fire Protection (Authority - DIR CC: PE-13)
    • LSCO must employ and maintain fire suppression and detection devices or systems for facilities in which one or more college information systems reside that are supported by an independent energy source.
  8. Environmental Controls (Authority - DIR CC: PE-14)
    • LSCO must:
      1. Maintain temperature and humidity levels within facilities in which one or more college information systems reside at college-defined acceptable levels; and
      2. Monitor environmental control levels at a college-defined frequency.
  9. Water Damage Protection (Authority - DIR CC: PE-15)
    • LSCO must protect facilities in which one or more college information systems reside from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
  10. Delivery and Removal (Authority - DIR CC: PE-16)
    • LSCO must:
      1. Authorize and control college-defined types of information system components entering and exiting facilities in which one or more college information systems reside; and
      2. Maintain records of college-defined information system components.
  11. Alternate Work Site (Authority - DIR CC: PE-17)
    • LSCO must:
      1. Determine and document college-defined alternate work sites allowed for use by employees;
      2. Employ college-defined controls at alternate work sites;
      3. Assess the effectiveness of controls at alternate work sites; and
      4. Provide a means for employees to communicate with information security personnel in case of incidents.

14. Security Planning

  1. Procedures (Authority - DIR CC: PL-1, TAC 202.73)
    • LSCO must:
      1. Develop procedures to facilitate the implementation of the Security Planning policy and associated controls;
      2. Review and update Security Planning procedures at a college-defined frequency; and
      3. Designate an individual as responsible for managing, developing, documenting, and disseminating college Security Planning procedures related to the controls in this policy.
    • Each component college’s information security officer must report annually on the college’s information security program to their respective college head in compliance with 1 Texas Administrative Code §202.73(a).
  2. System Security and Privacy Plans (Authority - DIR CC: PL-2)
    • LSCO must ensure that each information system under the college’s custodianship has a corresponding System Security Plan that:
      1. Is consistent with the college's enterprise architecture;
      2. Explicitly defines the constituent information system component(s);
      3. Describes the function and security posture of the information system, including in terms of mission and business processes;
      4. Provides the security categorization of the information system and highest classification of information it stores, processes, and/or transmits, including supporting rationale;
      5. Describes any specific threats to the information system that are of concern to the college;
      6. Describes the operational environment for the information system and relationships with or connections to other information systems;
      7. Provides an overview of the security requirements for the information system that identifies the security controls in place;
      8. Identifies any relevant security control baselines and, if applicable, college-defined overlays;
      9. Describes the controls in place or planned for meeting the security requirements, including a rationale for any tailoring decisions;
      10. Includes risk determinations for security architecture and design decisions;
      11. Includes in a plan of action and milestones security-related activities affecting the information system that require planning and coordination with college-defined individuals or groups; and
      12. Is reviewed and approved by the information owner prior to plan implementation.
    • Copies of the System Security Plan and subsequent changes to the plan must be distributed to relevant stakeholders.
    • LSCO must review and update System Security Plans on a recurring basis. This review must occur at a college-defined frequency or when changes to the information system or System Security Plan require it.
    • System Security Plans must be protected from unauthorized disclosure and modification.
  3. Rules of Behavior & Social Media and External Site/Application Usage Restrictions (Authority - DIR CC: PL-4, PL-4(1))
    • LSCO must:
      1. Establish and provide to users (including, but not limited to, state agency personnel, temporary employees, and employees of independent contractors) an acceptable use policy for college information resources that describes the users’ responsibilities and expected behavior for the usage and security of information and Information Resources;
      2. Periodically review and update the college acceptable use policy;
      3. Require college users to acknowledge the acceptable use policy and indicate that the users have read, understand, and agree to abide by the acceptable use policy before authorizing access to the information and Information Resources; and
      4. Require individuals who have acknowledged a previous version of the acceptable use policy to read and re-acknowledge when rules are revised or updated or at least annually as part of mandatory cybersecurity training.
    • LSCO must include in the rules of behavior restrictions on:
      1. Use of social media, social networking sites, and external sites/applications;
      2. Posting college information on public websites; and
      3. Use of college-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.
  4. Baseline Selection (Authority - DIR CC: PL-10)
    • LSCO must:
      1. Select a control baseline for information systems; and
      2. Use the controls contained in the DIR Security Controls Standards Catalog as the default baseline for information systems.
  5. Baseline Tailoring (Authority - DIR CC: PL-11)
    • LSCO must tailor the selected control baseline by applying college-defined tailoring actions.
  6. Data Classification, Security, and Retention Requirements for Information Resources Technology Projects (Authority – TGC §2054.161)
    • On initiation of an information resources technology project, including an application development project and any information resources projects described in subchapter G of Texas Government Code §2054, the college shall classify the data produced from or used in the project and determine appropriate data security and applicable retention requirements under Texas Government Code §441.185 for each classification.
  7. Content of Rules of Behavior (Authority – TSUS Board of Regents)
    • LSCO’s rules of behavior must address, at minimum, the rules established in this section.
      1. College vs. Individual Purpose
        1. Users accessing college information resources are responsible for ensuring that their use of these resources is primarily for college purposes and college-related activities.
        2. Access to information resources carries with it the responsibility for maintaining the security of the college’s information resources.
        3. Rules for incidental use of college information resources.
        4. Individuals with authorized access to information resources must ensure that their access permissions are not accessible to or usable by any other individuals.
      2. Personal vs. Official Representation
        1. Students, faculty, and staff using information resources to express the ideas, comments, and opinions of individual members of the college community must distinguish those from the official positions, programs, and activities of the college.
        2. Students, faculty, and staff using information resources for purposes of exchanging, publishing, or circulating official college documents must follow college requirements concerning appropriate content and style.
        3. The college is not responsible for the personal ideas, comments, and opinions of individual members of the college community expressed through the use of college information resources.
      3. Limitations on the Availability of Information Resources
        1. The college’s information resources are finite by nature. All members of the college community must recognize that certain uses of college information resources may be limited or regulated as required to fulfill the college’s primary teaching and public service missions. Examples of these limitations include those related to capacity management, performance optimization, or security of the college’s other information resources.
      4. Privacy and Confidentiality of Electronic Documents
        1. No information system can absolutely guarantee the privacy or confidentiality of electronic documents.
        2. Information resources provided by the TSUS and LSCO are essentially owned, respective of established copyright and intellectual property law and TSUS and college policy, by the State of Texas and subject to state oversight. Consequently, persons have no right to privacy in their use of college information resources even when using a personal or third-party device to access such resources.
        3. LSCO should take reasonable precautions to protect the privacy and confidentiality of electronic documents and to assure persons using college information resources that the college will not seek access to their electronic messages or documents without their prior consent except where necessary to:
          1. Satisfy the requirements of the Texas Public Information Act, or other statutes, laws, or regulations;
          2. Allow college officials to fulfill their responsibilities when acting in their assigned capacity;
          3. Protect the integrity of the college’s information resources, and the rights and other property of the college;
          4. Allow system administrators to perform routine maintenance and operations, security reviews, and respond to emergency situations; or
          5. Protect the rights of individuals working in collaborative situations where information and files are shared.
        4. LSCO should establish procedures for appropriately preserving the privacy of information resources and for determining the methodology by which non-consensual access to information resources will be pursued by the college.
      5. Failure to Comply with Information Technology Policies
        1. Failure to adhere to the provisions of TSUS IT policies or the IT policies of LSCO may result in:
          1. Suspension or loss of access to college information resources;
          2. Removal of elevated privileges to college information resources;
          3. Appropriate disciplinary action under existing procedures applicable to college users; and
          4. Civil or criminal prosecution.
        2. To preserve and protect the integrity of information resources, there may be circumstances where the college must immediately suspend or deny access to the resources. Should an individual’s access be suspended under these circumstances, the college shall strive to inform the individual in a timely manner and afford the individual an opportunity to respond. The college shall then determine what disciplinary action is warranted and shall follow the procedures established for such cases.

15. Program Management

  1. Information Security Program Plan (Authority - DIR CC: PM-1)
    • LSCO must:
      1. Develop and disseminate a college-wide information security program plan that:
        1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
        2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among college entities, and compliance;
        3. Reflects the coordination among college entities responsible for information security; and
        4. Is approved by a senior official with responsibility and accountability for the risk being incurred to college operations (including missions, functions, image, and reputation), college assets, and individuals;
      2. Review the college-wide information security program plan at a college-defined frequency;
      3. Update the information security program plan to address institutional changes and problems identified during plan implementation or control assessments; and
      4. Protect the information security program plan from unauthorized disclosure and modification.
  2. Information Security Program Leadership Role (Authority - DIR CC: PM-2, Texas Administrative Code (TAC) 202.71, TAC 202.74)
    • LSCO must:
      1. Appoint a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain a college-wide information security program approved by the college’s President or delegate.
      2. LSCO’s senior information security officer is charged with the responsibilities enumerated at Texas Government Code §2054.136 and 1 Texas Administrative Code §202.71.
  3. Information Security Resources (Authority - DIR CC: PM-3)
    • LSCO must:
      1. Include the resources needed to implement the information security program in capital planning and investment requests and document all exceptions to this requirement;
      2. Prepare documentation required for addressing the information security program in capital planning and investment requests in accordance with applicable laws, regulations, policies and standards; and
      3. Make available for expenditure, the planned information security resources.
  4. Plan of Action and Milestones Process (Authority - DIR CC: PM-4)
    • LSCO must:
      1. Implement a process to ensure that plans of action and milestones for the information security program and associated college information systems:
        1. Are developed and maintained;
        2. Document the remedial information security actions to adequately respond to risk to college operations and assets, individuals, and other organizations; and
        3. Are reported in accordance with college-defined reporting requirements.
      2. Review plans of action and milestones for consistency with the college risk management strategy and college-wide priorities for risk response actions.
  5. Information System Inventory (Authority - DIR CC: PM-5)
    • LSCO must develop and update, on a college-defined frequency, an inventory of college information systems.
  6. Information Security Measures of Performance (Authority - DIR CC: PM-6)
    • LSCO must develop, monitor, and report to college-defined individuals on the results of information security measures of performance.
  7. Enterprise Architecture (Authority - DIR CC: PM-7)
    • LSCO must develop an enterprise architecture with consideration for information security and the resulting risk to college operations, college assets, individuals, and other organizations.
  8. Risk Management Strategy (Authority - DIR CC: PM-9)
    • LSCO must:
      1. Develop a comprehensive strategy to manage:
        1. Security risk to college operations and assets, individuals, and other college information systems; and
        2. Privacy risk to individuals resulting from the authorized processing of personally identifiable information;
      2. Implement the risk management strategy consistently across the college; and
      3. Review and update the risk management strategy on a college-defined frequency or as required to address college changes.
  9. Authorization Process (Authority - DIR CC: PM-10)
    • LSCO must:
      1. Manage the security of college information systems and the environments in which those systems operate through authorization processes;
      2. Designate individuals to fulfill specific roles and responsibilities within the college risk management process; and
      3. Integrate the authorization process into a college-wide risk management program.
  10. Testing, Training, and Monitoring (Authority - DIR CC: PM-14)
    • LSCO must:
      1. Implement a process for ensuring that college plans for conducting security testing, training, and monitoring activities associated with college information systems:
        1. Are developed and maintained; and
        2. Continue to be executed; and
      2. Review testing, training, and monitoring plans for consistency with the college risk management strategy and college-wide priorities for risk response actions.
  11. Security Groups and Associations (Authority - DIR CC: PM-15)
    • LSCO must establish and institutionalize contact with selected groups and associations within the information security community:
      1. To facilitate ongoing information security education and training for college information security personnel;
      2. To maintain currency with recommended information security practices, techniques, and technologies; and
      3. To share current information security information, including threats, vulnerabilities, and incidents.
  12. Threat Awareness Program (Authority - DIR CC: PM-16)
    • LSCO must implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.
  13. Information Systems Governance and Management (Authority – TSUS ISO Council; TAC 202)
    • LSCO must define a management framework which clearly delineates the roles and responsibilities for the management of college information systems.
      1. At minimum, each LSCO information system management framework must:
        1. Delineate distinct roles for the information owner and information custodian of each information system;
        2. Establish the responsibilities of information owners to include:
          1. Duties ascribed by TAC 202.72; and
          2. Assurance of compliance with state and college standards;
        3. Establish the responsibilities of information custodians to include:
          1. Duties ascribed by TAC 202.72; and
          2. Assurance of compliance with state and college standards;
        4. Establish the responsibilities of all information system users to, at minimum, require users to:
          1. Use the information system or other information resource only for the purpose specified by the college or information owner;
          2. Comply with information security controls and college policies, including those designed to prevent unauthorized or accidental disclosure, modification, or destruction of information and information resources; and
          3. Formally acknowledge that they will comply with the security policies and procedures in a method determined by the college President or their designated representative;
        5. Incorporate threat and incident response procedures as specified in the TSUS Incident Response Policy; and
        6. Incorporate oversight measures including, but not limited to, obligations outlined in the TSUS “System and Services Acquisition” and “Risk Assessment” policies.
  14. Network Governance and Management (Authority - TSUS ISO Council; TAC 202)
    • LSCO must define a management framework which clearly delineates the roles and responsibilities for the management of college information networks.
      1. At minimum, LSCO’s network management framework must:
        1. Delineate distinct roles for the ownership and custodianship of the college’s network;
        2. Assign administration of the college network by the Information Resources Manager (IRM) or their designee;
        3. Ensure owners, custodians, and users of the college network and the devices and information systems connected to the college network understand their accountability for such use, including, but not limited to, the Rules of Behavior as specified in the “Planning” TSUS IT Policy;
        4. Incorporate design and architectural planning and coordination measures to, at minimum, include the following:
          1. Appropriate logical and/or physical segmentation of elements of the college network to promote sufficient separation of traffic based on security principles and performance purposes as authorized by each component institution’s ISO;
          2. Fault tolerance in critical components of the network and upstream service providers to mitigate risks to network availability;
          3. College-defined procedures for the management of network-based security devices;
          4. Procedures for the management of public IP addresses assigned to the component institution by the American Registry for Internet Numbers (ARIN) and/or other external entities, including, at minimum, maintenance of up-to-date points of contact;
          5. College-defined procedures to ensure network devices or addresses that pose an immediate threat to network operations, performance, or other network-connected devices are disconnected or quarantined to minimize risk until the threat is permanently removed;
          6. College-defined procedures to ensure incident response actions comply with established, policy-defined controls and best practices regarding the preservation and treatment of forensic data;
          7. Adherence to the requirements set forth in the “Configuration Management” TSUS IT Policy;
          8. Implementation of safeguards as required by the “System and Communication Protection” TSUS IT Policy; and
          9. Procedures to regularly conduct security and risk assessments in alignment with relevant policies and laws, including the “Risk Assessment” TSUS IT Policy.

16.  Personnel Security Policy

  1. Procedures (Authority - DIR CC: PS-1)
    • LSCO must:
      1. Develop procedures to facilitate the implementation of the Personnel Security policy and associated controls;
      2. Review and update Personnel Security procedures at a college-defined frequency; and
      3. Designate an individual as responsible for managing, developing, documenting, and disseminating college Personnel Security procedures related to the controls in this policy.
  2. Position Risk Designation (Authority - DIR CC: PS-2)
    • LSCO must:
      1. Assign a risk designation to all college positions;
      2. Establish screening criteria for individuals filling those positions; and
      3. Review and update position risk designations at a college-defined frequency.
  3. Personnel Screening (Authority - DIR CC: PS-3)
    • LSCO must:
      1. Screen individuals prior to authorizing access to information systems; and
      2. Rescreen individuals when college-defined conditions require rescreening and, where rescreening is so indicated, at the college-defined frequency.
  4. Personnel Termination (Authority - DIR CC: PS-4)
    • LSCO, upon termination of an individual’s employment or employment-like affiliation (e.g., volunteers, contractors, guest lecturers, temporary workers, interns), must:
      1. Disable information system access and terminate/revoke any authenticators and credentials associated with the individual within a college-defined time period;
      2. Conduct exit interviews that include a discussion of college-defined information security topics, including review of any signed non-disclosure agreements and secure disposition of college data from personal devices in a manner stipulated by the college;
      3. Retrieve all security-related, college information system-related property;
      4. Retain access to college information and information systems formerly controlled by the terminated individual; and
      5. Notify college-defined personnel within a college-defined time period.
    • LSCO must establish procedures to sufficiently accommodate reasonably expected scenarios in which the controls in Section 16(d)(1) above cannot be fully executed upon the termination of an individual’s employment (e.g., the termination of an employee who is also an actively enrolled student). At minimum, procedures must ensure that access and privileges associated with the terminated individual’s employment or employment-like affiliation are removed even if the individual must retain access to information resources for other purposes.   
  5. Personnel Transfer (Authority - DIR CC: PS-5)
    • LSCO must:
      1. Review and confirm ongoing operational need for current logical and physical access authorizations to information systems and facilities when individuals are reassigned or transferred to other positions within the college;
      2. Initiate transfer or reassignment actions within a college-defined time period following the formal transfer action;
      3. Modify access authorizations as needed to correspond with any changes in operational need because of reassignment or transfer; and
      4. Notify college-defined personnel or roles within a college-defined time period.
  6. Access Agreements (Authority - DIR CC: PS-6)
    • LSCO must:
      1. Develop and document access agreements for college information systems;
      2. Review and update the access agreements at a college-defined frequency; and
      3. Verify that individuals requiring access to college information and information systems:
        1. Sign appropriate access agreements prior to being granted access; and
        2. Re-sign access agreements to maintain access to college information systems when access agreements have been updated or at a college-defined frequency.
  7. External Personnel Security (Authority - DIR CC: PS-7)
    • LSCO must:
      1. Establish personnel security requirements including security roles and responsibilities for external providers;
      2. Require external providers to comply with personnel security policies and procedures established by the college;
      3. Document personnel security requirements;
      4. Require external providers to notify college-defined personnel or roles of any personnel transfers or terminations of external personnel who possess college credentials and/or badges, or who have information system privileges within a college-defined time period; and
      5. Monitor provider compliance with personnel security requirements.
  8. Personnel Sanctions (Authority - DIR CC: PS-8)
    • LSCO must:
      1. Employ a formal sanctions process for individuals failing to comply with established information security policies and procedures; and
      2. Notify college-defined personnel or roles within college-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
  9. Position Descriptions (Authority - DIR CC: PS-9)
    • LSCO must incorporate security roles and responsibilities into college position descriptions.

17.  Risk Assessment

  1. Procedures (Authority - DIR CC: RA-1)
    • LSCO must:
      1. Develop procedures to facilitate the implementation of the Risk Assessment policy and associated controls;
      2. Review and update Risk Assessment procedures at a college-defined frequency; and
      3. Designate an individual as responsible for managing, developing, documenting, and disseminating college Risk Assessment procedures related to the controls in this policy.
  2. Security Categorization (Authority - DIR CC: RA-2, TAC 202.75, TAC 202.1)
    • The college’s ISO must establish requirements for security categorization of information systems.
      1. LSCO must:
        1. Categorize information systems using, at minimum, the impact levels “high,” “moderate,” and “low,” in accordance with applicable laws, regulations, and policies;
        2. Identify and define college-appropriate information classification categories including, at minimum, the definition of “Confidential Information” as specified by 1 Texas Administrative Code Chapter 202, Subchapter A;
        3. Document the security categorization results, including supporting rationale, in the system security plan for each information system; and
        4. Verify that security categorization decisions are reviewed and approved by the authorizing official or the authorizing official’s designated representative.
  3. Risk Assessment & Supply Chain Risk Assessment (Authority - DIR CC: RA-3, RA-3(1); TAC 202.75, TAC 202.77; TGC 2054.0593)
    • LSCO must:
      1. Conduct an assessment of risk, including:
        1. The likelihood and magnitude of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction of each information system and the information processed, stored, and/or transmitted, and any related information;
        2. The likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information; and
        3. The identification of threats to and vulnerabilities in each information system;
      2. Integrate risk assessment results and risk management decisions from the college and mission or business process perspectives with information system-level risk assessments;
      3. Review and document risk assessment results in a report on a recurring, college-defined frequency;
      4. Disseminate risk assessment results to college-defined personnel or roles;
      5. Update the risk assessment at a college-defined frequency or when there are significant changes to information systems, environments of operation, or other conditions that may impact the security state of information systems; and
      6. Ensure risk assessments are performed by information owners and supported by information custodians:
        1. At least biennially for systems containing confidential data;
        2. Periodically, at a frequency determined by the college, for systems containing non-confidential data; and
        3. When significant changes to the information system or environment of operation, or other conditions that may impact the security state of the system occur.
    • LSCO must:
      1. Assess supply chain risks associated with college-defined systems, system components, and system services; and
      2. Update the supply chain risk assessment at a college-defined frequency, when there are significant changes to the relevant supply chain, or when changes to the system, environment of operation, or other conditions may necessitate a change in the supply chain.
    • Authorization of security risk acceptance, transference, or mitigation decisions shall be the responsibility of:
      1. The college’s ISO or their designee(s), in coordination with the information owner, for systems identified with low or moderate residual risk; or
      2. The college’s President for all systems identified with a high residual risk.
  4. Vulnerability Monitoring and Scanning & Update Vulnerabilities to be Scanned (Authority - DIR CC: RA-5, RA-5(2))
    • LSCO must:
      1. Monitor and scan for vulnerabilities in each information system and its hosted applications on a recurring frequency, at least annually, in accordance with the college’s established process and when new vulnerabilities potentially affecting systems or applications are identified and reported;
      2. Employ vulnerability monitoring and scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using college-defined standards for:
        1. Enumerating platforms, software flaws, and improper configurations;
        2. Formatting checklists and test procedures; and
        3. Measuring vulnerability impact;
      3. Analyze vulnerability scan reports from vulnerability monitoring activities and results from security assessments;
      4. Remediate legitimate vulnerabilities in a college-defined response time in accordance with a college assessment of risk;
      5. Share information obtained from the vulnerability scanning and monitoring processes and security assessments with appropriate information system custodians in accordance with the college’s internal dissemination procedures; and
      6. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
    • LSCO must update the information system vulnerabilities to be scanned when at least one of the following conditions is met:
      1. At a college-defined frequency;
      2. Prior to a new scan; and/or
      3. When new vulnerabilities are identified and reported.
  5. Public Disclosure Program (Authority - DIR CC: RA-5(11))
    • LSCO must establish a public reporting channel for receiving reports of vulnerabilities in college information systems and information system components.
  6. Risk Response (Authority - DIR CC: RA-7)
    • LSCO must respond to findings from security assessments, monitoring, and audits in accordance with college risk tolerance.

18.  System and Services Acquisition

  1. Procedures (Authority - DIR CC: SA-1)
    • LSCO must:
      1. Develop procedures to facilitate the implementation of the System and Services Acquisition policy and associated controls;
      2. Review and update System and Services Acquisition procedures at a college-defined frequency; and
      3. Designate an individual as responsible for managing, developing, documenting, and disseminating college System and Services Acquisition procedures related to the controls in this policy.
  2. Allocation of Resources (Authority - DIR CC: SA-2)
    • LSCO must:
      1. Determine high-level information security requirements for each information system or information system service in mission and business process planning;
      2. Determine, document, and allocate the resources required to protect each information system or information system service as part of its capital planning and investment control process; and
      3. Establish a discrete line item for information security in college programming and budgeting documentation.
  3. System Development Life Cycle (Authority - DIR CC: SA-3)
    • LSCO must:
      1. Acquire, develop, and manage information systems using a college-defined system development life cycle that incorporates information security considerations;
      2. Define and document information security roles and responsibilities throughout the system development life cycle;
      3. Identify individuals having information security roles and responsibilities; and
      4. Integrate the college information security risk management process into system development life cycle activities.
    • LSCO must include information security, security testing, and audit controls in all phases of the system development lifecycle or acquisition process.
  4. Acquisition Process (Authority - DIR CC: SA-4, TGC §2054.138)
    • LSCO must include the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for each information system, information system component, or information system service in accordance with applicable federal/state laws, Executive Orders, directives, policies, regulations, standards, guidelines, and college mission/business needs:
      1. Security functional requirements;
      2. Strength of mechanism requirements;
      3. Security assurance requirements;
      4. Controls needed to satisfy the security requirements;
      5. Security-related documentation requirements;
      6. Requirements for protecting security-related documentation;
      7. Description of the information system development environment and environment in which the system is intended to operate;
      8. Allocation of responsibility or identification of parties responsible for information security and supply chain risk management; and
      9. Acceptance criteria.
    • Each component college entering into or renewing a contract with a vendor authorized to access, transmit, use, or store data for the component college shall include, within or as an addendum to the contract, the “Information Security and Accessibility Standards” Exhibit from the TSUS Contract Management Handbook or, if superseded, the appropriate addendum replacing the exhibit.
  5. System Documentation (Authority - DIR CC: SA-5)
    • LSCO must:
      1. Obtain administrator documentation for each information system, information system component, or information system service that describes:
        1. Secure configuration, installation, and operation of the system, component, or service;
        2. Effective use and maintenance of security functions/mechanisms; and
        3. Known vulnerabilities regarding configuration and use of administrative or privileged functions;
      2. Obtain user documentation for each information system, information system component, or information system service that describes:
        1. User-accessible security functions and mechanisms and how to effectively use those security functions/mechanisms;
        2. Methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner and protect individual privacy; and
        3. User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;
      3. Document attempts to obtain information system, information system component, or information system service documentation when such documentation is either unavailable or non-existent and take college-defined actions in response;
      4. Protect documentation as required, in accordance with the college risk management strategy; and
      5. Distribute documentation to college-defined personnel or roles.
  6. Security Engineering Principles (Authority - DIR CC: SA-8)
    • LSCO must:
      1. Define and establish college security engineering principles; and
      2. Apply the security engineering principles in the specification, design, development, implementation, and modification of the information system and information system components.
  7. External System Services (Authority - DIR CC: SA-9)
    • LSCO must:
      1. Require that providers of external information system services comply with college information security requirements and employ college-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
      2. Define and document college oversight and user roles and responsibilities with regard to external information system services; and
      3. Employ college-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis.
  8. Developer Configuration Management (Authority - DIR CC: SA-10)
    • LSCO must require the developer of each information system, information system component, or information system service to:
      1. Perform configuration management during at least one of the following life cycle stages: design, development, implementation, operation, or disposal;
      2. Document, manage, and control the integrity of changes to college-defined configuration items under configuration management;
      3. Implement only college-approved changes to the information system, information system component, or information system service;
      4. Document approved changes to the information system, information system component, or information system service and the potential security impacts of such changes; and
      5. Track security flaws and flaw resolution within the information system, information system component, or information system service and report findings to college-defined personnel.
    • LSCO must require that:
      1. The information owner approve all security-related information resources changes for their respective information system(s) through a change control process; and
      2. Such approval occur prior to the implementation of the security-related information resources changes by the college or independent contractors.
  9. Developer Testing and Evaluation (Authority - DIR CC: SA-11)
    • LSCO must require the developer of the information system, information system component, or information system service, at all post-design stages of the system development life cycle, to:
      1. Develop and implement a plan for ongoing security assessments;
      2. Perform the appropriate level and frequency of testing and evaluation based on the classification of data and the security categorization of the information system;
      3. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;
      4. Implement a verifiable flaw remediation process; and
      5. Correct flaws identified during testing and evaluation.
  10. Unsupported System Components (Authority - DIR CC: SA-22)
    • LSCO must:
      1. Replace information system components when support for the components is no longer available from the developer, vendor, or manufacturer; or
      2. Provide alternative sources for continued support for unsupported components (e.g., support from external providers, in-house support if technically feasible).

19.  System and Communications Protection

  1. Procedures (Authority - DIR CC: SC-1)
    • LSCO must:
      1. Develop procedures to facilitate the implementation of the System and Communications Protection policy and associated controls;
      2. Review and update System and Communications Protection procedures at a college-defined frequency; and
      3. Designate an individual as responsible for managing, developing, documenting, and disseminating college System and Communications Protection procedures related to the controls in this policy.
  2. Denial of Service Protection (Authority - DIR CC: SC-5)
    • LSCO must protect information systems against, or limit the effects of, college-defined types of denial-of-service attacks by employing college-defined safeguards.
  3. Boundary Protection (Authority - DIR CC: SC-7)
    • LSCO must:
      1. Monitor and control communications at the external interfaces of each information system and at key internal interfaces within each information system;
      2. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal college networks; and
      3. Connect to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with a college security architecture.
      4. The college President (or their designated representative) and the college’s information security officer must establish a security strategy that includes perimeter protection. Perimeter security controls incorporated in the perimeter protection strategy may include and/or affect some or all of the following components:
        1. Demilitarized Zone(s) (DMZ);
        2. Firewall(s);
        3. Intrusion detection system(s);
        4. Intrusion prevention system(s); and
        5. Router(s).
  4. Transmission Confidentiality and Integrity (Authority - DIR CC: SC-8)
    • LSCO must ensure that each information system protects the confidentiality and/or integrity of transmitted information.
    • LSCO must:
      1. Document in a Standard, based on college risk-management decisions, encryption requirements for data transmissions of confidential and non-confidential information and encryption key standards and management; and
      2. Encrypt confidential information with an algorithm using a key length of at least 128 bits when the confidential information is transmitted over a public network (e.g., the Internet).
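Item 2 is enforced in practice by what the client and server are allowed to negotiate, not by the algorithm name alone. As an added illustration, not code from the policy or from LSCO, the following Python builds a TLS client context that pins the floor (TLS 1.2 or later, certificate verification on, only forward-secret AEAD suites of 128 bits or more) and a check a service can apply to the suite it actually negotiated. The permissive context is included only to show the setting being corrected; `MIN_KEY_BITS`, the function names and the sample handshake tuples are this example's own.

```python
"""TLS client configuration enforcing a 128-bit minimum for confidential data
in transit. Added example; not part of the policy."""
import ssl

MIN_KEY_BITS = 128                         # policy floor for public-network transmission
ALLOWED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")


def permissive_client_context() -> ssl.SSLContext:
    """The setting being corrected: the common 'ignore certificate errors'
    pattern. Bytes on the wire are still encrypted, but without peer
    authentication an on-path attacker can terminate the session itself and
    read the plaintext, so the 128-bit cipher protects nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False               # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Client context that meets the policy floor."""
    ctx = ssl.create_default_context()       # CERT_REQUIRED, hostname check, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0 and 1.1
    # TLS 1.2 suite list: forward-secret AEAD suites only. Everything left is
    # >= 128-bit; anonymous, NULL, export, RC4, 3DES and MD5 suites are excluded.
    # TLS 1.3 suites are configured separately by OpenSSL and are all >= 128-bit.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
                    "!aNULL:!eNULL:!EXPORT:!RC4:!3DES:!MD5")
    return ctx


def suites_below_policy(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites whose effective key strength is under the floor.
    An empty list means the context cannot negotiate a non-compliant suite."""
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < MIN_KEY_BITS]


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """True when the context authenticates the peer, refuses pre-1.2 protocol
    versions and enables no suite under MIN_KEY_BITS."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and not suites_below_policy(ctx))


def negotiated_suite_ok(cipher) -> bool:
    """Validate the (name, protocol, bits) tuple that SSLSocket.cipher() returns
    after the handshake, e.g. ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256).
    Useful as a post-connect assertion in services that must never fall back."""
    _name, protocol, bits = cipher
    return protocol in ALLOWED_PROTOCOLS and bits >= MIN_KEY_BITS


if __name__ == "__main__":
    strict = hardened_client_context()
    print("hardened meets policy:", context_meets_policy(strict))
    print("permissive meets policy:", context_meets_policy(permissive_client_context()))
    # Constructed handshake results, not live connections.
    print(negotiated_suite_ok(("TLS_AES_128_GCM_SHA256", "TLSv1.3", 128)))
    print(negotiated_suite_ok(("DES-CBC3-SHA", "TLSv1", 112)))
```

Note that `set_ciphers` governs TLS 1.2 and earlier only; with `minimum_version` at TLS 1.2 and the listed suites, the weakest suite a compliant peer can be offered is AES-128-GCM. The `negotiated_suite_ok` check matters on the server side too, where a peer-driven downgrade would otherwise go unnoticed unless the handshake result is inspected.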
  5. Cryptographic Key Establishment and Management (Authority - DIR CC: SC-12)
    • LSCO must establish and manage cryptographic keys for required cryptography employed within each information system in accordance with college-defined requirements for key generation, distribution, storage, access, and destruction.
  6. Cryptographic Protection (Authority - DIR CC: SC-13)
    • LSCO must:
      1. Determine college-defined cryptographic uses; and
      2. Implement college-defined types of cryptography required for each specified cryptographic use.
  7. Collaborative Computing Devices and Applications (Authority - DIR CC: SC-15)
    • LSCO must:
      1. Prohibit remote activation of collaborative computing devices and applications except for college-defined devices and applications; and
      2. Provide an explicit indication of use to users physically present at the devices.
  8. Secure Name / Address Resolution Service (Authoritative Source) (Authority - DIR CC: SC-20)
    • LSCO must ensure that each information system that provides name resolution services:
      1. Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the information system returns in response to external name/address resolution queries; and
      2. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
  9. Secure Name / Address Resolution Service (Recursive or Caching Resolver) (Authority - DIR CC: SC-21)
    • LSCO must ensure that each information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the information system receives from authoritative sources.
  10. Architecture and Provisioning for Name / Address Resolution Service (Authority - DIR CC: SC-22)
    • LSCO must ensure that information systems that collectively provide name/address resolution service for a component college are fault-tolerant and implement internal and external role separation.
  11. Protection of Information at Rest (Authority - TSUS ISO Council: SC-28)
    • LSCO must protect the confidentiality and/or integrity of college-defined types of information at rest.
    • LSCO must:
      1. Document in a Standard, based on college risk-management decisions, encryption requirements for information storage devices, as well as specific requirements for portable devices, removable media, and encryption key standards and management;
      2. Require that confidential information stored in a public location that is directly accessible without compensating controls in place (e.g., a webserver or fileserver accessible without authentication or other access controls) be encrypted;
      3. Discourage the use of portable devices to store confidential information; and
      4. Require that confidential information be encrypted if copied to or stored on:
        1. Endpoint computing devices not owned by a state agency;
        2. Portable computing devices (regardless of ownership); or
        3. Removable media (regardless of ownership).
  12. Process Isolation (Authority - DIR CC: SC-39)
    • LSCO must ensure that each information system maintains a separate execution domain for each executing process.

20.  System and Information Integrity

  1. Procedures (Authority - DIR CC: SI-1)
    • LSCO must:
      1. Develop procedures to facilitate the implementation of the System and Information Integrity policy and associated controls;
      2. Review and update System and Information Integrity procedures at a college-defined frequency; and
      3. Designate an individual as responsible for managing, developing, documenting, and disseminating college System and Information Integrity procedures related to the controls in this policy.
  2. Flaw Remediation (Authority - DIR CC: SI-2)
    • LSCO must:
      1. Identify, report to college personnel or roles with information security responsibilities, and correct information system flaws;
      2. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
      3. Install security-relevant software and firmware updates within a college-defined time period of the release of the updates; and
      4. Incorporate flaw remediation into the college configuration management process.
  3. Malicious Code Protection (Authority - DIR CC: SI-3)
    • LSCO must:
      1. Implement signature-based and/or non-signature-based malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
      2. Automatically update malicious code protection mechanisms as new releases are available in accordance with college configuration management policy and procedures;
      3. Configure malicious code protection mechanisms to:
        1. Perform periodic scans of information systems at a college-defined frequency and real-time scans of files from external sources at endpoints and/or network entry/exit points as the files are downloaded, opened, or executed in accordance with college security policy; and
        2. Perform one or more of the following in response to malicious code detection: block malicious code; quarantine malicious code; send an alert to college-defined personnel or roles; and/or perform another college-defined action; and
      4. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of information systems.
  4. Information System Monitoring (Authority - DIR CC: SI-4)
    • LSCO must:
      1. Monitor each information system to detect:
        1. Attacks and indicators of potential attacks in accordance with college-defined monitoring objectives; and
        2. Unauthorized local, network, and remote connections;
      2. Identify unauthorized use of information systems through college-defined techniques and methods;
      3. Deploy monitoring devices and/or invoke internal monitoring capabilities:
        1. Strategically within information systems to collect college-defined essential information; and
        2. At ad hoc locations within information systems to track specific types of transactions of interest to the college;
      4. Analyze detected events and anomalies;
      5. Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
      6. Adjust the level of information system monitoring activity whenever there is a change in risk to college operations and assets, individuals, or other organizations;
      7. Obtain legal opinion regarding information system monitoring activities; and
      8. Provide college-defined information system monitoring information to college-defined personnel or roles as needed and/or at a college-defined frequency.
  5. Security Alerts, Advisories, and Directives (Authority - DIR CC: SI-5)
    • LSCO must:
      1. Receive information system security alerts, advisories, and directives from college-defined external organizations on an ongoing basis;
      2. Generate internal security alerts, advisories, and directives as deemed necessary;
      3. Disseminate security alerts, advisories, and directives to college-defined personnel or roles, college-defined elements within the college, and/or college-defined external organizations; and
      4. To the extent required by law or other regulations, implement security directives in accordance with established time frames or notify the issuing organization of the degree of noncompliance.
  6. Information Input Validation (Authority - DIR CC: SI-10)
    • LSCO must ensure that each information system checks the validity of college-defined information inputs.
  7. Information Management and Retention (Authority - DIR CC: SI-12)
    • LSCO must manage and retain information within each information system and information output from each information system in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards, and operational requirements.

21.  Supply Chain Risk Management

  1. Procedures (Authority - DIR CC: SR-1)
    • LSCO must:
      1. Develop procedures to facilitate the implementation of the Supply Chain Risk Management policy and associated controls;
      2. Review and update Supply Chain Risk Management procedures at a college-defined frequency; and
      3. Designate a college-defined individual as responsible for managing, developing, documenting, and disseminating college Supply Chain Risk Management procedures related to the controls in this policy.
  2. Supply Chain Risk Management Plan (Authority - DIR CC: SR-2)
    • LSCO must:
      1. Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, and disposal of college-defined information systems, system components or system services;
      2. Implement the supply chain risk management plan consistently across the college; and
      3. Review and update the supply chain risk management plan at a college-defined frequency or as required, to address threat, organizational or environmental changes.
  3. Supply Chain Controls and Processes (Authority - DIR CC: SR-3)
    • LSCO must:
      1. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of college-defined information systems or information system components in coordination with college-defined personnel or roles;
      2. Employ college-defined supply chain controls to protect against supply chain risks to information systems, information system components, or information system services and to limit the harm or consequences from supply chain-related events; and
      3. Document the selected and implemented supply chain processes and controls in security plans, supply chain risk management plan(s), and/or college-defined documents.
  4. Acquisition Strategies, Tools, and Methods (Authority - DIR CC: SR-5)
    • LSCO must employ college-defined acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks.
  5. Notification Agreements (Authority - DIR CC: SR-8)
    • LSCO must establish agreements and procedures with entities involved in the supply chain for information systems, information system components, or information system services for one or more of the following:
      • Notification of supply chain compromises;
      • Results of assessments or audits; and/or
      • College-defined information and controls.
  6. Component Disposal (Authority - DIR CC: SR-12)
    • LSCO must dispose of college-defined data, documentation, tools, and/or information system components using college-defined techniques and methods.

22.  Exceptions

  1. Pursuant to TAC 202.71(c), the Lamar State College Orange Information Security Officer, with the approval of the college President, may issue exceptions to information security requirements or controls in this policy. Any such exceptions shall be justified, documented, and communicated.

23.  Related Policies, Regulations, Standards, and Guidelines


7.6 Use of Cloud Services

Scope: Faculty and Staff

1. Policy Statement

This policy establishes a framework for the use of Cloud Services to ensure that LSCO data is appropriately stored, processed, shared, and managed on those services.

2. Definitions

  1. A listing of initialisms used in this and other information resources policies can be found in Appendix A.
  2. A glossary with definitions of terms used in this and other information resources policies can be found in Appendix B.

3. Applicability

  1. This policy applies to LSCO faculty, staff, contractors, vendors, and anyone else doing business with the college who has access to college data.
  2. This policy applies to all types of Cloud Services that are utilized to store, process, share, transmit, or manage college data.
  3. Information that is used solely for classroom instruction purposes (e.g., lecture notes or PowerPoint slides for teaching) and is not classified as Confidential or Sensitive (see Policy 7.5 Information Security Program, Section 5) is exempt from this policy.

4. General Information

  1. The use of Cloud Services must comply with applicable TSUS Rules and Regulations, College Policies, and federal and state laws and regulations. Any decision to use Cloud Services should consider the risks and liabilities related to security, privacy, retention, access, and compliance.
  2. Storage, processing, sharing, transmitting, and managing of Confidential, Sensitive, or Mission Critical data is only allowed on approved and contracted Cloud Services.
  3. Cloud Services must not be engaged without:
    • developing an exit strategy for disengaging from the vendor or service;
    • integrating the service into business continuity and disaster recovery plans; and
    • determining how data would be recovered.
  4. Cloud Services are covered by the same acceptable use and information security policies that govern all other computing resources.
  5. College data stored using a Cloud Service are college records, and appropriate records retention requirements must be followed.

5. Cloud Computing Service Providers Eligibility / Approval

  1. Cloud Service Providers must be approved by the IRM and ISO. Providers shall be selected based on data classification and risk.
  2. The IRM shall maintain a list of approved Cloud Service Providers.
  3. Use of Cloud Services involves delegating custody and aspects of data security to the Cloud Service Provider. Cloud Service Providers that will be used to store, process, share, transmit, or manage college data classified as Confidential, Sensitive, or Mission Critical must be contractually obligated with LSCO to assume the appropriate delegated responsibilities.
  4. LSCO provides employees with cloud-based services such as Office 365, OneDrive, and Microsoft Teams, which can be accessed from both on campus and off campus computing devices. Faculty and staff are expected to consider College-provided Cloud Services before procuring alternative Cloud Services.

6. Personal Cloud Computing Services

Personal Cloud Services (services for which the agreement is with an individual and not LSCO) may not be used to store, process, share, transmit, or manage college data classified as Confidential, Sensitive, or Mission Critical. This includes educational records subject to FERPA.

7. Exceptions

Exceptions to this policy may be granted under certain circumstances. Requests for exceptions should be sent to the IRM.
