PM-02-727 Senior Information Security Officer

Senior Information Security Officer

Control ID

PM-02-727

Control Name

Senior Information Security Officer

Control Category

Program Management

Functional Areas

Identify

Sub-Areas

Enterprise Security Policy, Standards and Guidelines

NIST Baseline Level(s)

NOT SELECTED

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

February 13, 2018

Agency Implementation

The Agency chief information security officer is the designated senior information security officer and is reponsible for all requirements outlined in Texas Administrative Code Section 202.71. The chief information security officer may issue exceptions to information security requirements or controls outlined in Texas Administrative Code Chapter 202.

Risk Statement

Responsibility for the security program has not been defined.

Control Description

The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.

Control Example

The organization has a designated security official who: a. is responsible for the development and implementation of the organizational information security program; b. is responsible for the development of information security policies and procedures; c. is responsible for and has authority for monitoring of compliance to the organization’s information security policy and procedures; and d. has appropriate level of accessibility and visibility from executive leadership of the organization to be effective.

State Implementation

Each state organization head or his or her designated representative(s) shall designate an information security officer to administer the state organization information security program.

Testing Procedures

Obtain Information security program policy; information security program plan; documentation addressing roles and responsibilities of the senior information security officer position; information security program mission statement; other relevant documents or records and ascertain if: (I) organization appoints a senior information security officer to coordinate, develop, implement, and maintain an organization-wide information security program; and (ii) the organization empowers the senior information security officer with the mission and resources required to coordinate, develop, implement, and maintain an organization-wide information security program.