Enterprise Security Policy, Standards and Guidelines
NOT SELECTED
P1
Yes
May 20, 2016
The chief information security officer develops an information security program plan that satisfies the requirements of Texas Administrative Code Chapter 202, Texas A&M University System information security standards, and other applicable laws and regulatory requirements. The plan is revised annually and informed by ongoing risk assessments and changes to the information security landscape and Agency priorities.
Lack of a comprehensive security program may result in the compromise of sensitive information due to loss of integrity or confidentiality.
The organization:
a. Develops and disseminates an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
3. Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
c. Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
d. Protects the information security program plan from unauthorized disclosure and modification.
a. The organization maintains an information security program accepted by the state organization head that includes appropriate protections, based on risk, for information resources owned, leased, or under the custodianship of any department, operating unit, or employee of the organization, including outsourced resources.
b. The organization reviews and updates the information security program plan at least annually, taking into account changes in business, technology, threats, incidents, organizational missions, etc.
All state organizations are required to have an information resources security program consistent with these standards, and the state organization’s head is responsible for the protection of information resources.
Obtain information security program policy; procedures addressing information security program plan development and implementation; procedures addressing information security program plan reviews and updates; information security program plan; program management controls documentation; common controls documentation; records of information security program plan reviews and updates; other relevant documents or records and ascertain if:
(i) the organization develops an information security program plan for the organization that:
-provides an overview of the requirements for the security program;
-provides a description of the security program management controls and common controls in place or planned for meeting security program requirements;
-provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended;
-includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
-is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations and the Nation;
(ii) the organization defines the frequency of information security program plan reviews;
(iii) the organization reviews the organization-wide information security program plan in accordance with the organization-defined frequency;
(iv) the organization revises the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
(v) the organization disseminates the most recent information security program plan to appropriate entities in the organization.