Texas Administrative Code Ch. 202


Texas Administrative Code Ch. 202
Wednesday, July 23, 2014, Austin, Texas

TAC 202 Historical Perspective
- Previous to TAC 202, TAC 201.13 defined state security standards
- TAC 202 was originally proposed, drafted and published between 2002 and 2003
- Amended to include Higher Education Subchapter in November 2004
- Amended to address wireless technology in April 2006
- Amended to address firewalls, encryption and incident management in September 2009
- Amended to address encryption standards in June 2012
- Subject to review every 4 years with no substantial changes since 2004

Technology in the New Millennium
- 2001 – Wikipedia and the iPod were launched
- 2003 – Apple's iTunes debut
- 2003 – SQL Slammer Worm affected over 75K hosts within 10 min.
- 2004 – Google IPO and the first 1 gigabyte SD Card was released
- 2004 – T-Mobile had a Christmas launch of 3G mobile data service
- 2004 – Broadband Internet access outpaced dial-up for the first time
- 2004 – Facebook is launched
- 2005 – USB flash drives replaced floppy disks
- 2005 – YouTube is launched
- 2006 – Twitter is launched

Pros of current TAC 202
- Sets a standard for the entire state
- Establishes a baseline of minimum security
- Organized to address differences between Higher Education and State Agencies
- As a rule, it is stronger than a policy

Cons of current TAC 202
- Easy-to-read structure makes defining technical requirements difficult
- As a rule, as opposed to a policy, it is more cumbersome to modify
- Sections make consistency difficult when defining controls – creates interpretation gaps
- Structure blends people, process and technology roles, which can create confusion and complexity
- Minimum security baseline has been eclipsed by increased risk and threats, as well as external requirements

Drivers for Change
- Doesn't address newer technologies
- Addresses some organizational controls, but places business functions within IT (Business Continuity Planning, Risk Acceptance)
- Lacks many managerial controls (Process)
- Overly vague in many technical controls (Technology)
- Technical controls do not consider evolved technology: Cloud, Mobile, Social Media
(Diagram: Information Security Program)

TAC 202 Timeline
- Jul-2013: RFO published
- Aug-2013: Board approves rule review
- Sep-2013: Control Catalog / Crosswalk from vendor
- Feb-2014: Strawman rule to SISAC Policy Subcommittee
- Mar-2014: Draft Security Control Standards / Crosswalk to SISAC Policy Subcommittee
- Jul-2014: Draft rule submitted to ITCHE
- Oct-2014: Draft rule submitted to DIR Board for approval
- Nov-2014: Approved rule published in Texas Register
- Feb-2015: Draft rule submitted to DIR Board for adoption
Milestones:
- July: Draft rule and Security Control Standards submitted to ITCHE for review and comment
- October: Draft rule and Security Control Standards submitted to the DIR board
- February 2015: Earliest possible adoption of new rule

SISAC Policy Sub-committee Membership

Member | Organization | Represents
Ken Palmquist | DIR | Article 1 (General Government)
Ed Tjarks | Texas Comptroller of Public Accounts | Article 1 (General Government)
Khatija Syeda | Health and Human | Article 2 (Health & Human Services)
Fred Lawson | Health and Human | Article 2 (Health & Human Services)
Darrell Bateman | Texas Tech University | Article 3 (Education)
Jeff McCabe | Texas A&M | Article 3 (Education)
Danny Miller | Texas A&M | Article 3 (Education)
John Skaarup | Texas Education Agency | Article 3 (Education)
Jana Chvatal | University of Houston | Article 3 (Education)
Miguel Soldi | University of Texas System | Article 3 (Education)
Richard Morse | Office of Court Administration | Article 4 (Judiciary)
Alan Ferretti | Texas Department of Public Safety | Article 5 (Public Safety & Criminal Justice)
Miguel Scott | Texas Department of Public Safety | Article 5 (Public Safety & Criminal Justice)
Angela Gower | Texas Department of Agriculture | Article 6 (Natural Resources)
Joshua Kuntz | Department of Motor Vehicles | Article 7 (Business and Economic Development)
Clarence Campbell | Texas Department of Licensing and Regulation | Article 8 (Regulatory)
Chad Lersch | DIR | General Counsel
Lon Bernquist | DIR | Policy
Christian Byrnes | Gartner | Private Sector
Mike Wyatt | Deloitte | Private Sector

SISAC Policy Subcommittee Process
- Monthly meeting moved to bi-monthly
- Facilitated discussion, review and revision process
- Spirited debates with consensus results
- Broad representation provided critical insights
- Many thanks to the contributions and efforts of the group
- Provides a great forum for the ongoing review and revisions needed to continue to approach tough issues

Legacy TAC
Legacy TAC 202 sections:
- Applicable Terms and Technologies for Information Security
- Institution of Higher Education
- State Agency
- Management and Staff Responsibilities
- Security Incidents
- Security Standards Policy
- Managing Security Risks
- Managing Physical Security
- Business Continuity Planning
- Information Resources Security Safeguards
- User Security Practices
- Removal of Data from Data Processing Equipment
Observations:
- Controls integrated into the rule itself
- Roles and responsibilities are intermingled with technical details
- Requirements are defined but not clearly specified

FISMA
- Focused on roles and responsibilities
- Controls are incorporated through NIST SP 800-53
- Enables controls to be more nimble
FISMA sections:
- Information Security
- Purposes
- Definitions
- Authority and functions of the Director
- Federal agency responsibilities
- Federal information security incident center
- National security systems
- Authorization of appropriations
- Effect on existing law
NIST SP 800-53: four updates since 2005

Revisions to Federal rules
FISMA:
- Passed in 2002
- Amended in 2014
SP 800-53:
- Rev 1: Feb 2005
- Rev 2: Dec 2007
- Rev 3: Aug 2009
- Rev 4: Apr 2013

Moving TAC toward FISMA
Legacy TAC 202:
- Applicable Terms and Technologies for Information Security
- Institution of Higher Education
- State Agency
- Management and Staff Responsibilities
- Security Incidents
- Security Standards Policy
- Managing Security Risks
- Managing Physical Security
- Business Continuity Planning
- Information Resources Security Safeguards
- User Security Practices
- Removal of Data from Data Processing Equipment
Revised TAC 202:
- Definitions
- Institution of Higher Education
- State Agency
- Responsibilities of the State CISO
- Responsibilities of the Agency Head
- Responsibilities of the Agency ISO
- Staff Responsibilities
- Security Reporting
- Agency Security Policy
- Control Catalog
FISMA:
- Information Security
- Purposes
- Definitions
- Authority and functions of the Director
- Federal agency responsibilities
- Federal information security incident center
- National security systems
- Authorization of appropriations
- Effect on existing law
- NIST SP 800-53

Texas Administrative Code § 202
- Definitions
- Institution of Higher Education
- State Agency
- Responsibilities of the State's Chief Information Security Officer
- Responsibilities of the Agency Head
- Responsibilities of the Information Security Officer
- Staff Responsibilities
- Security Reporting
- Agency Information Security Program
- Managing Security Risks
- Security Control Standards

Security Control Standards
- Uses NIST SP 800-53 nomenclature
- Provides control information
- Developed to provide for a state, agency, and departmental implementation
Template fields:
- Group ID: [NIST domain name abbreviation, e.g. 'AC' for Access Control, 'AT' for Awareness and Training, etc.]
- Group Title: [Unabbreviated NIST control family description, e.g. 'Access Control']
- Control ID: [NIST 800-53 Rev. 4 Control (MOD) control number in sequence as applicable, e.g. 'AC-1']
- Control Title: [NIST 800-53 Rev. 4 Control (MOD) control name, e.g. 'Access Control Policy and Procedures']
- Risk Statement: [A high-level statement of the potential risk presented by not addressing the control activity]
- Priority / Baseline: P1; LOW – No; MOD – Yes; HIGH – Yes
- Required Date: [Date on which the requirement will become effective. Note: Only "Low" baseline controls are mandatory for all systems. Other controls may be applicable based on the state organization risk assessment]
- Control Description: [Detailed NIST 800-53 Rev. 4 Control (MOD) control le
- Implementation:
  - State: [The State-level requirements for the implementation of information security controls]
  - State Organization: [To be determined for each state organization; to include organization-specific components as applicable, e.g. if an organization has a specific mapping requirement under the Health Insurance Portability and Accountability Act (HIPAA; or other applicable regulatory driver) this relative control could be included here]
  - Compartment: [To be determined for each state organization; to include organization-specific compartment or divisional-level components as applicable, e.g. if an organization's department has a specific requirement under HIPAA, as an example, this relative control could be included here]
  - Example(s): [This section includes example-only considerations of how the control identified above may be applicable in a state organization security environment]

Comprehensive Crosswalk
- Texas Cybersecurity Framework
- TAC 202
- The Children's Online Privacy Protection Rule of 2000 (COPPA)
- NIST 800-53 Rev. 4
- NIST Cybersecurity Framework (EO 13636)
- COBIT
- SANS 'Twenty Critical' Controls
- IRS Publication 1075
- CJIS Security Policy
- HIPAA Security
- FERPA
- Privacy Act of 1974
- Computer Fraud and Abuse Act of 1986
- Gramm-Leach-Bliley Act of 1999 (GLBA)
- Computer Security Act of 1987
- PCI DSS v2.0
- The Children's Internet Protection Act of 2000 (CIPA)
- TX Business and Commerce Code, Ch. 503
- TX Business and Commerce Code, Ch. 521
- Texas Government Code, Chapter 2054 (Information Resources)
- Texas Health and Safety Code, Chapter 181 (Medical Records Privacy)
- Texas Health and Safety Code, Chapter 611 (Mental Health Records)
- Texas Government Code, Chapter 552 (Public Information)
- Texas Occupations Code, Chapter 159 (Physician-Patient Communication)
- Texas Penal Code, Title 7, Chapter 33 (Computer Crimes)

Baselines v. Priorities
Baselines:
- Used to select which controls to implement
- Relate to the impact of a system
- Three impact levels: Low, Moderate, High
Priorities:
- Useful for sequencing control implementation
- Ensure that more fundamental controls are implemented first
- Four priorities: P1, P2, P3, P0

Security Control Standards Example
- Group ID: AC
- Group Title: Access Control
- Control ID: AC-3
- Control Title: Access Enforcement
- Risk Statement: Misconfigured access controls provide unauthorized access to information held in application systems.
- Priority / Baseline: P1; LOW – Yes; MOD – Yes; HIGH – Yes
- Required Date: February 2015
- Control Description (NIST SP 800-53 control): The organization enforces approved authorizations for logical access to the system in accordance with applicable policy.
- Implementation:
  - State (current TAC 202 control):
    1. Access to state information resources shall be appropriately managed.
    2. Each user of information resources shall be assigned a unique identifier except for situations where risk analysis demonstrates no need for individual accountability of users. User identification shall be authenticated before the information resources system may grant that user access.
  - State Organization (agency-specific adjustment): [to be determined]
  - Compartment: [to be determined]
  - Example(s): The organization has implemented role-based access control to determine how users may have access strictly to those functions that are described in job responsibilities.

Security Control Standards Example
Callouts: Least Privilege is not required at "LOW"; many organizations will have requirements outside TAC 202.
- Group ID: AC
- Group Title: Access Control
- Control ID: AC-6
- Control Title: Least Privilege
- Risk Statement: Information in applications is accessed by users and other personnel outside of defined business requirements.
- Priority / Baseline: P1; LOW – No; MOD – Yes; HIGH – Yes
- Required Date: Not Required
- Control Description: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
- Implementation:
  - State: No statewide control
  - State Organization: [to be determined]
  - Compartment: [to be determined]
  - Example: Only authorized users have authorized accounts to establish system accounts, configure access authorizations, filter firewall rules, manage cryptographic keys and access control lists.

Phased approach
- Current TAC 202 controls move into the Security Control Standards as "Phase 1" controls
- Other NIST controls will be prioritized for implementation 1 year or 2 years out
  - Phase 2: Low/P1 controls NOT in current TAC
  - Phase 3: Low/P2&P3 controls NOT in current TAC
Schedule:
- February 2015: Controls in Legacy TAC
- February 2016: Low / P1 controls not in Legacy TAC
- February 2017: Low / P2 & P3 controls not in Legacy TAC
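The phase rules above, together with the baseline and priority selection from the earlier slides, as an added Python example (not code from the presentation or from DIR): it encodes the two worked controls from the slides, AC-3 and AC-6, and assigns each a required date; the AC-8 entry and its absence from legacy TAC 202 are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class ControlStandard:
    """One entry of the Security Control Standards catalog (fields from the slide template)."""
    group_id: str          # NIST family abbreviation, e.g. "AC"
    control_id: str        # NIST SP 800-53 Rev. 4 control number, e.g. "AC-3"
    control_title: str
    priority: str          # NIST priority code: "P0", "P1", "P2" or "P3"
    baselines: dict        # {"LOW": bool, "MOD": bool, "HIGH": bool}
    in_legacy_tac: bool    # already required by the current (legacy) TAC 202 text

# Required dates from the "Phased approach" slide.
PHASE_DATES = {1: "February 2015", 2: "February 2016", 3: "February 2017"}

def assign_phase(c: ControlStandard):
    """Return (phase, required_date) under the phased approach.
    Phase 1: controls already in legacy TAC 202.
    Phase 2: Low-baseline P1 controls not in legacy TAC.
    Phase 3: Low-baseline P2/P3 controls not in legacy TAC.
    Everything else gets no statewide required date: only Low-baseline
    controls are mandatory for all systems; the rest depend on the
    organization's risk assessment."""
    if c.in_legacy_tac:
        return 1, PHASE_DATES[1]
    if c.baselines.get("LOW"):
        if c.priority == "P1":
            return 2, PHASE_DATES[2]
        if c.priority in ("P2", "P3"):
            return 3, PHASE_DATES[3]
    return None, "Not Required"

def selected_for(c: ControlStandard, impact: str) -> bool:
    """Baseline selection: does the control apply to a system of this impact level?"""
    return bool(c.baselines.get(impact.upper(), False))

def rollout_schedule(controls):
    """Control ID -> (phase, required date), ordered by phase, then by control ID."""
    rows = {c.control_id: assign_phase(c) for c in controls}
    order = sorted(rows, key=lambda cid: (rows[cid][0] or 99, cid))
    return {cid: rows[cid] for cid in order}

# AC-3 and AC-6 are the two worked examples on the slides.
AC3 = ControlStandard("AC", "AC-3", "Access Enforcement", "P1",
                      {"LOW": True, "MOD": True, "HIGH": True}, in_legacy_tac=True)
AC6 = ControlStandard("AC", "AC-6", "Least Privilege", "P1",
                      {"LOW": False, "MOD": True, "HIGH": True}, in_legacy_tac=False)
# Hypothetical third entry: AC-8 is Low/P1 in SP 800-53 Rev. 4; its absence from
# legacy TAC 202 is assumed here for illustration, not taken from the slides.
AC8 = ControlStandard("AC", "AC-8", "System Use Notification", "P1",
                      {"LOW": True, "MOD": True, "HIGH": True}, in_legacy_tac=False)

if __name__ == "__main__":
    for cid, (phase, date) in rollout_schedule([AC6, AC8, AC3]).items():
        print(f"{cid}: phase {phase}, required {date}")
```

AC-6 lands in no phase even though it is P1, because the Low baseline does not select it; a Moderate or High impact system still picks it up through selected_for.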

Security Control Standards Updates
- Governance for Security Control Standards proposed in the TAC 202 Rule
  - Will be similar to rule review, but streamlined
  - Refer to 202.76 (d)
- Anticipate updates as NIST 800-53 revisions occur
  - But will include as part of the TAC 202 review cycle

TAC 202 Future Timeline
Updates to the Control Catalog can be based on:
- Legislation
- Identified need
- Changes in technology
Review cycle (diagram):
- Jun, odd-numbered years: ITCHE & DIR Board review
- Dec / Jan
- Jun, even-numbered years: changes published in time to be included in Strategic Plan and LAR decisions

What's Next?
Timeline (You Are Here: Jul-2014, draft rule submitted to ITCHE):
- Jul-2013: RFO published
- Aug-2013: Board approves rule review
- Sep-2013: Control Catalog / Crosswalk from vendor
- Feb-2014: Strawman rule to SISAC Policy Subcommittee
- Mar-2014: Draft Security Control Standards / Crosswalk to SISAC Policy Subcommittee
- Jul-2014: Draft rule submitted to ITCHE
- Oct-2014: Draft rule submitted to DIR Board for approval
- Nov-2014: Approved rule published in Texas Register
- Feb-2015: Draft rule submitted to DIR Board for adoption
We've reached a significant and critical milestone.
These TAC 202 changes are important to the state.
We thank you for the time today.

Questions?
Contact: dirsecurity@dir.texas.gov
