
THURSDAY, MARCH 27, 2014|AUSTIN, TEXAS Texas Administrative Code Ch. 202.

Presentation transcript:

1 THURSDAY, MARCH 27, 2014|AUSTIN, TEXAS Texas Administrative Code Ch. 202

2 SISAC Policy Sub-committee Membership

Member | Organization | Represents
Ken Palmquist | DIR | Article 1 (General Government)
Ed Tjarks | Texas Comptroller of Public Accounts | Article 1 (General Government)
Khatija Syeda | Health and Human | Article 2 (Health & Human Services)
Fred Lawson | Health and Human | Article 2 (Health & Human Services)
Darrell Bateman | Texas Tech University | Article 3 (Education)
Jeff McCabe | Texas A&M | Article 3 (Education)
Danny Miller | Texas A&M | Article 3 (Education)
John Skaarup | Texas Education Agency | Article 3 (Education)
Jana Chvatal | University of Houston | Article 3 (Education)
Miguel Soldi | University of Texas System | Article 3 (Education)
Richard Morse | Office of Court Administration | Article 4 (Judiciary)
Alan Ferretti | Texas Department of Public Safety | Article 5 (Public Safety & Criminal Justice)
Miguel Scott | Texas Department of Public Safety | Article 5 (Public Safety & Criminal Justice)
Angela Gower | Texas Department of Agriculture | Article 6 (Natural Resources)
Joshua Kuntz | Department of Motor Vehicles | Article 7 (Business and Economic Development)
Clarence Campbell | Texas Department of Licensing and Regulation | Article 8 (Regulatory)
Chad Lersch | DIR | General Counsel
Lon Bernquist | DIR | Policy
Christian Byrnes | Gartner | Private Sector
Mike Wyatt | Deloitte | Private Sector

3 STATEWIDE INFORMATION SECURITY PROGRAM: TAC 202 Timeline

Milestones:
- July 2014: Draft rule and Control Catalog submitted to ITCHE for review and comment
- October 2014: Draft rule and Control Catalog submitted to the DIR board
- February 2015: Earliest possible adoption of the new rule

Timeline:
- Jul-2013: RFO published
- Aug-2013: Strawman Rule to SISAC Policy Subcommittee
- Sep-2013: Control Catalog/Crosswalk from Vendor
- Feb-2014: Board Approves Rule Review
- Mar-2014: Draft Control Catalog/Crosswalk to SISAC Policy Subcommittee
- Jul-2014: Draft Rule Submitted to ITCHE
- Oct-2014: Draft Rule Submitted to DIR Board for Approval
- Nov-2014: Approved Rule Published in Texas Register
- Feb-2015: Draft Rule Submitted to DIR Board for Adoption

4 Legacy TAC
- Controls integrated into the rule itself
- Rule subject to review every 4 years
- No substantial updates since 2004
- Minor update in 2012: change in encryption bit strength

5 Issues with current TAC 202
- Doesn't address newer technologies
- Puts "business" functions within IT (business continuity planning, risk acceptance)
- Doesn't address managerial controls well
- Vague in areas

6 Pros of current TAC 202
- Sets a standard for all the state
- Establishes a baseline of "minimum" security
- Easy to read

7 FISMA and NIST SP 800-53

FISMA:
- Focused on roles and responsibilities
- Controls are incorporated through NIST SP 800-53, which enables the controls to be more nimble (four updates since 2005)
- "Information Security" sections: Purposes; Definitions; Authority and functions of the Director; Federal agency responsibilities; Federal information security incident center; National security systems; Authorization of appropriations; Effect on existing law

8 Moving TAC toward FISMA

9 Revisions to Federal rules

FISMA:
- Passed in 2002
- Amended in 2014

NIST SP 800-53:
- Rev 1: Feb 2005
- Rev 2: Dec 2007
- Rev 3: Aug 2009
- Rev 4: Apr 2013

10 Comprehensive Crosswalk

Texas Cybersecurity Framework mapped against:
- TAC 202
- NIST SP 800-53 Rev. 4
- NIST Cybersecurity Framework (EO 13636)
- COBIT
- SANS "Twenty Critical" Controls
- IRS Publication 1075
- CJIS Security Policy
- HIPAA Security
- FERPA
- Privacy Act of 1974
- Computer Fraud and Abuse Act of 1986
- Gramm-Leach-Bliley Act of 1999 (GLBA)
- Computer Security Act of 1987
- PCI DSS v2.0
- The Children's Internet Protection Act of 2000 (CIPA)
- The Children's Online Privacy Protection Rule of 2000 (COPPA)
- TX Business and Commerce Code, Ch. 503
- TX Business and Commerce Code, Ch. 521
- Texas Government Code, Chapter 2054 (Information Resources)
- Texas Health and Safety Code, Chapter 181 (Medical Records Privacy)
- Texas Health and Safety Code, Chapter 611 (Mental Health Records)
- Texas Government Code, Chapter 552 (Public Information)
- Texas Occupations Code, Chapter 159 (Physician-Patient Communication)
- Texas Penal Code, Title 7, Chapter 33 (Computer Crimes)

11 Control Catalog
- Uses NIST SP 800-53 nomenclature
- Provides control information
- Developed to provide for state, agency, and departmental implementation

12 Phased approach
- Current TAC 202 controls move into the control catalog as "Phase 1" (P1) controls: ~29 controls
- Other NIST controls will be prioritized for implementation 1 year or 2 years out (P2/P3): ~173 controls

13 Control Catalog Example

The entry combines the NIST SP 800-53 control (Group, Control, Description), the current TAC 202 control text (State implementation), and agency-specific adjustment fields (Agency and Compartment implementation).

Group ID: AC
Group Title: Access Control
Control ID: AC-3
Control Title: Access Enforcement
Risk Statement: Misconfigured access controls provide unauthorized access to information held in application systems.
Phase: P1
Control Description: The organization enforces approved authorizations for logical access to the system in accordance with applicable policy.
Implementation (State): The following are policies of the State of Texas that apply to all state agencies. Each state agency should apply the Security Standards Policy based on documented risk management decisions:
  (1) The integrity of data, its source, its destination, and processes applied to it shall be assured.
  (2) Security requirements shall be identified, documented, and addressed in all phases of development or acquisition of information resources.
  (3) State agencies shall ensure adequate controls and separation of duties for tasks that are susceptible to fraudulent or other unauthorized activity.
Implementation (Agency): [to be determined]
Implementation (Compartment): [to be determined]
Example(s):
  - Implementing role-based access control so that users have access strictly to those functions described in their job responsibilities.
  - Use of encryption to protect confidential and sensitive data from being altered while in transit or at rest.

14 Control Catalog Updates
- Governance for Control Catalog items still under development
- Will be similar to rule review, but streamlined

