Texas State Information Security Program
Pursuant to Texas State Law, the College is required to adopt the state’s Information Security Program that establishes formal cybersecurity governance, testing, controls, enforcement, and regular assessment and reporting to Texas DIR.
Program Governance
Described below are the roles and responsibilities as defined by Information Security Program.
Chancellor. The Chancellor is responsible for the security measures that protect the College’s Information Resources.
Designee. The Designee is the executive that oversees the implementation and adoption of the Information Security Program. The Designee appointed by the Chancellor is the College’s Chief Technology Information Officer (CTIO).
Information Resource Manager (IRM). The IRM is the executive responsible for Information Resources across the whole of the institution in accordance with Texas Government Code 2054 Subchapter D. The IRM appointed by the Chancellor is the College’s Chief Technology Information Officer (CTIO).
Information Security Officer (CISO). The CISO is the College’s Chief Information Security Officer who reports to the Designee and is the executive authorized to administer the information security requirements in accordance with Texas Government Code 2054.136 and as designated by the Chancellor. The ISO coordinates with Texas DIR, the College’s Data Management Officer (DMO), and with the College’s leadership, employees, students, Vendors, and other third parties.
Data Management Officer (DMO). The DMO reports to the Designee and is responsible for implementing data management governance, processes, and controls in accordance with Texas Government Code 2054.137. The DMO coordinates with the College’s ISO, the College’s Records Management Officer (RMO), the Texas State Chief Data Officer, the State Library and Archives Commission, and with the College’s leadership, employees, students, Vendors, and other third parties.
Strategic Policy Governance. The Strategic Leadership Team (SLT) is responsible for the strategic oversight and governance of the College’s security policies and issues. The SLT recommends to the Board of Trustees the annual priorities and funding to be allocated towards addressing security policy initiatives and issues. The SLT garners support throughout the College for the successful implementation and acceptance of such IT and security initiatives.
Regular Testing of Online and Mobile Applications
The College shall adopt processes addressing the privacy and security of the College’s internet-facing technology resources, websites, and mobile applications. The Information Resource Custodian shall subject the website or application to a vulnerability and/or penetration test and address any vulnerability identified in the test before deployment and mitigate according to the College’s risk management procedures. Ongoing vulnerability tests will be conducted on a regular basis. Penetration testing will be conducted at a minimum annually.
Program Controls
The ISO shall design and develop processes and controls to ensure that the Information Security Program is adopted at the College. The Information Security Program shall establish appropriate security controls to protect the confidentiality, integrity, and availability of College’s Information Resources. These controls shall be based upon the NIST Cyber Security Framework (CSF), and in accordance with respective laws, regulation, and compliance requirements.
Mandatory Controls
Texas Administrative Code 202 mandatory security controls shall be defined by Texas DIR in a Control Standards document published on Texas DIR’s website. The controls shall include minimum information security requirements for all state information and information systems and standards to be used by all institutions of higher education to provide levels of information security according to risk levels.
Data Governance
The DMO shall establish data governance and controls at the College. The DMO shall design and develop classifications of data produced by the College’s Technology Resources and determine appropriate data security and applicable retention requirements for each classification in accordance with Texas Government Code 441.185.
Optional Controls
The Chancellor or Designee may employ standards for the cost-effective information security of information and information resources within or under the supervision of the College that are more stringent than the standards Texas DIR prescribes if the more stringent standards:
a. Contain at least the applicable standards issued by Texas DIR; and
b. Are consistent with applicable Federal Law, policies, and guidelines issued under Texas state rule, industry standards, best practices, or are deemed necessary to adequately protect the information held by the institution of higher education.
Regular Program Reviews
The College’s Information Security Program is expected to be continually updated given the evolving maturity level of the program’s adoption at the College and the ever-changing cybersecurity threat landscape. As such, the College is required to perform regular reviews of its program.
Texas State Cloud Computing State Risk and Authorization Management Program
The College shall require each Vendor contracting with the agency to provide cloud computing services for the agency to comply with the requirements of the state risk and authorization management program. A state agency shall require a vendor contracting with the agency to provide cloud computing services for the agency that are subject to the state risk and authorization management program to maintain program compliance and certification throughout the term of the contract.
Reporting
Federal and Texas State Laws require the College to submit regular and ad-hoc reports to Texas DIR and other Federal Departments and Agencies. These reports are outlined below:
Information Security Plan. No later than June 1 of each even-numbered year the ISO shall submit an Information Security Plan on behalf of the College to Texas DIR in accordance with Texas Government Code 2054.133
Information Security Assessment and Report. No later than December 1 of each even-numbered year the DMO and ISO shall submit an Information Security Assessment and Report on behalf of the College to Texas DIR, and on request, the governor, the lieutenant governor, and the speaker of the house of representatives Texas Government Code 2054.515.
Data Security Plan for Online and Mobile Applications. No later than October 15 of each even-numbered year the ISO shall submit a Data Security Plan for Online and Mobile Applications on behalf of the College to Texas DIR to establish a planned beta testing for the website or applications that processes any sensitive personal or personally identifiable information or confidential information in accordance with Texas Government Code 2054.516
Cybersecurity Training. No later than June 1 of each year, the Chancellor shall verify completion of a cybersecurity training program by the College’s Board of Trustees, employees and Contractors in a manner specified by DIR and in accordance with Texas Government Code 2054.5191.
Urgent Incident Report. The ISO shall assess the significance of a security incident and, if applicable, report urgent incidents to the CTIO, Federal Departments or Agencies, Texas DIR in accordance with Texas Government Code 2054.1125, and law enforcement as required by Federal, Texas State, and Local Laws. Furthermore, The College shall include within any Vendor or third-party contract the requirement that the Vendor or third-party report information security incidents to the College in accordance with the College’s Policies and Procedures and as required by Federal and Texas State Laws.
Security Breach Notification. Upon discovering or receiving notification of a breach of system security, the ISO shall assess the significance of the breach and report the breach to the CTIO. Depending on the severity of the breach, the College shall disclose the breach to affected persons or entities in accordance with the time frames established by Federal, State and Local Laws. The College shall give notice by using one or more of the following methods:
Written notice.
Electronic mail if the College has electronic mail addresses for the affected persons.
Conspicuous posting on the College District’s website.
Publication through broadcast media.
Monthly Incident Report. No later than nine (9) calendars days after the end of each month, the ISO shall submit a summary report of security incidents to Texas DIR in accordance with the deadlines, form, and manner specified by Texas Law and Texas DIR.
Expected User Responsibilities
It is the shared responsibility of all Users to comply with designated security controls, programs, guidelines, and practices to ensure the confidentiality, integrity, and availability of College Information Resources. Information Resource Owners, Information Resource Custodians, and other Users of Information Resources shall, in consultation with the College’s CTIO, CISO, and DMO be identified, and their responsibilities defined and documented by the College. The distinctions below among Information Resource Owners, Information Resource Custodians, and other Users should guide determination of these roles.
Information Resource Owner (IRO). In accordance with Texas Administrative Code (TAC) 202.72 to Users who are College leaders and designated employees either responsible for the business function that is supported by the Information Resource or whom responsibility rests for carrying out the program that uses the resources. Furthermore, the Owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, ownership may be shared. The owner or his or her designated representative(s) are responsible for:
Classifying information under their authority, with the concurrence of the Chancellor or designee(s), in accordance with the College District’s established information classification categories.
Approving access to information resources and periodically reviewing access lists based on documented risk management decisions.
Formally assigning custody of information or an information resource.
Coordinating data security control requirements with the ISO.
Conveying data security control requirements to custodians.
Providing authority to custodians to implement security controls and processes.
Justifying, documenting, and being accountable for exceptions to security controls. The information owner shall coordinate and obtain approval for exceptions to security controls with the institution of higher education information security officer.
Participating in risk assessments as provided under Texas Administrative Code 202.75.
The IRO coordinates with the College’s ISO, DMO or their delegates to ensure that processes are documented and implemented as required by Texas State Laws.
Information Resource Custodian (IRC) is a User who is an employee, department, other institution, third party agent acting on behalf of the College, or Vendor responsible for supporting and implementing Information Resource controls as defined by the IRO. Custodians include information security administrators, institutional Information Technology Services/Systems departments, faculty or staff, vendors, and any third-party acting as an agent of or otherwise on behalf of the College. Custodians of information resources, including third-party entities providing outsourced information resources services to the College District, shall:
Implement controls required to protect information and information resources required by this chapter based on the classification and risks specified by the information owner(s) or as specified by the Policies, Procedures, and standards defined by the College District’s security program.
Provide owners with information to evaluate the cost-effectiveness of controls and monitoring.
Adhere to monitoring techniques and processes, approved by the ISO, for detecting, reporting, and investigating incidents.
Provide information necessary to provide appropriate information security training to employees; and
Ensure information is recoverable in accordance with risk management decisions.
Information Resource User is a User of Information Resources and has the responsibility to:
Use the resource only for the purpose specified by the institution or Information-Owner
Comply with information security controls and institutional policies to prevent unauthorized or accidental disclosure, modification, or destruction
Formally acknowledge that they will comply with the College Information Resource Policy and Procedures in a method determined by the institution head or his or her designated representative.
College Information Resources designated for use by the public shall be configured to enforce the College’s Information Resource Policy and Procedures without requiring user participation or intervention. Information Resources must require the acceptance of a banner or notice prior to use.
Definitions
Definitions provide a list of words or terms of art with definitions to clarify their specific use and intent within the context of the Procedure.
a. The College: means San Jacinto College District.
b. Availability: means ensuring timely and reliable access to and use of information.
c. Confidentiality: means reserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
d. Integrity: means the accuracy and completeness of information and assets, and the authenticity of transactions. information.
e. Risk: means a function of the likelihood that a threat will exploit a vulnerability and the resulting impact to the College’s missions, functions, image, reputation, assets, or constituencies if such an exploit were to occur.
f. College Business: means activities that include teaching, learning, administration, safety, maintenance, business development, support, and project services.
g. Technology Resources: means identity access systems, devices, software, hardware, systems, and services that are provided by the College to the User to conduct College Business. Includes but not limited to authenticated systems access; computing devices; access to internal and external networks and Internet; business services, database and reporting systems; student Information Systems; learning management systems; access to digital resources and services made available via the Intranet and internal servers and any third-party platforms used to conduct College business such as social media accounts; communications systems such as email, instant messaging, collaborations tools, telephone systems, broadcasting systems, and other information technology tools, systems, and infrastructure. This associate term used in Texas legislation in “Information Resources Technologies”.
h. Data: means elemental units, regardless of form or media, includes both digital and physical, that are combined to create information used to conduct College business. Data may include but are not limited to physical media, digital, video, and audio records, photographs, and negatives.
i. Protected Data: means Data that includes elemental units that include Personal Identifying Information (PII), financial, educational, and/or health-related information protected by Law and regulations. Subject to applicable Laws, the College also considers College email addresses as Protected Data insofar as they can be used in combination with IP address discovery, other external discovery information, or through fraudulent methods such as phishing to obtain passwords to gain unauthorized access to the College’s Technology Resources which process and stores other Protected Data.
j. Digital Content: means Data that is digital that includes information, data files, image files, video files, templates, project files, software code, and other digital products stored and made available through Technology Resources, along with any related materials, modifications, and updates, if any, provided by Licensor to the User and or the College.
k. Information Resources: means the collective of the College’s Technology Resources, Protected Data, and Digital Content. This is the term used in Texas Law.
l. Information Systems: means an interconnected set of Information Resources under the same direct management control that shares common functionality. An Information System normally includes hardware, software, Network Infrastructure, information, data, applications, communications, and people.
m. Federal Law(s): means federal privacy, information, and other data protection laws including, but not limited to:
i. Family Educational Rights and Privacy Act (FERPA)
ii. Gram-Leach-Bliley Act (GLBA)
iii. Personal Credit Information (PCI)
iv. Health Insurance Portability and Accountability Act (HIPAA), and
v. Children’s Online Privacy Protection Act (COPPA).
n. Texas State Law(s): means Texas state privacy, information, and other data protection laws including, but not limited to, Texas Senate Bill 64, House Bill 3834, Texas Senate Bill 475, and Texas Identity Theft and Protection Act (TITEPA).
o. Local Law(s): means other local laws that may affect the implementation of regulatory controls as required by Federal Law(s) and State Law(s).
p. Regulation(s): means standards and rules adopted by administrative agencies that govern how laws are enforced.
q. Personal Identifying Information (PII): means any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information:
• that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or
• by which the College intends to identify specific individuals in conjunction with other data elements, such as indirect identification. These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors. Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.
PII includes the first name or first initial and last name in combination with and linked to any one or more of the following data elements about an individual:
• Social security number
• Driver’s license number or state identification card number issued in lieu of a driver’s license number
• Passport number
• Financial account numbers, and/or credit card or debit card number
• Academic records
• Financial records
• Medical Records
• Disciplinary records
• Placement office records
• Personal names
• Address
• Telephone and fax numbers
• Electronic mail addresses
• Dates directly related to an individual, including birth date, admission date, discharge date, date of death
• Medical record numbers
• Health plan beneficiary numbers
• Full face photographic images and any comparable images
PII can also be reidentified in such a manner as to contain PII. The Federal Trade Commission also considers information that can reasonably be used to contact or distinguish a person as PII. This includes electronic identification such as IP addresses.
Texas Senate Bill 475 specifically prohibits the College from using, retaining, or disseminating data from global positioning system technology, individual contact tracing, or technology designed to obtain biometric identifiers to acquire information that alone or in conjunction with other information identifies an individual or the individual's location without the individual's written or electronic consent. Exceptions to this restriction include if such use, retention, and dissemination is required or permitted by a federal statute or by a Texas State statute other than Chapter 552; or made by or to a law enforcement agency for a law enforcement purpose.
r. User(s): means an individual, automated application, or process that is authorized by the College to access an Information Resource. Includes, but is not limited to, all College students, faculty, staff, contractors, guests, departments, and any individual, application, or process that accesses and or uses the College’s Information Resources.
s. Vendor(s): means any third-party that contracts with San Jacinto Community College District to provide goods and/or services to San Jacinto Community College District.
t. Personal Device(s): means devices, operating systems, software, hardware, systems, and services that are owned by the User. Includes but not limited to personal computing devices such as smartphones, tablets, and laptops; personal Internet Service Providers (ISP); mobile applications and software; storage devices such as USB drives; access to digital resources and services made available by any third-party platforms such as Google Drive and Dropbox; personal communications systems such as phone, email, text, instant messaging, and other collaboration tools.
u. Technical Support: means ITS Technical Support can be contacted by email at TechSupport@sjcd.edu or by phone at (281) 998-6137.
Click the button to learn more about the College’s IT Policies & Procedures
Need More Help?
Contact TechSupport@sjcd.edu (281) 998-6137 to report immediately any incident of phishing, computer & information theft, or online fraud.