{"id":1641,"date":"2024-08-05T17:05:40","date_gmt":"2024-08-05T17:05:40","guid":{"rendered":"https:\/\/www.tarleton.edu\/security-controls-catalog\/?page_id=1641"},"modified":"2024-10-04T14:57:46","modified_gmt":"2024-10-04T14:57:46","slug":"pm-1-information-security-program-plan","status":"publish","type":"page","link":"https:\/\/www.tarleton.edu\/security-controls-catalog\/program-management-pm\/pm-1-information-security-program-plan\/","title":{"rendered":"PM-1: Information Security Program Plan"},"content":{"rendered":"\n<h1 class=\"wp-block-heading has-large-font-size\">PM-1: Information Security Program Plan<\/h1>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>DIR Required By:<\/strong> &nbsp;07\/20\/2023&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>Review Date: &nbsp;<\/strong>07\/31\/2024<\/h2>\n\n\n\n<hr class=\"wp-block-separator alignfull has-text-color has-tarleton-purple-color has-alpha-channel-opacity has-tarleton-purple-background-color has-background is-style-wide\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Purpose &#8211;<\/strong>&nbsp;<\/h3>\n\n\n\n<p>The Information Security Program Plan is a formal document that provides an overview of the security requirements for the Tarleton State University (Tarleton) information security program. This family of controls describes requirements related to the Information Security Program Plan.&nbsp;&nbsp;<\/p>\n\n\n\n<hr class=\"wp-block-separator alignfull has-text-color has-tarleton-purple-color has-alpha-channel-opacity has-tarleton-purple-background-color has-background is-style-wide\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Scope and Roles &#8211;<\/strong>&nbsp;<\/h3>\n\n\n\n<p>This policy applies to information resources owned or managed by Tarleton. 
The intended audience includes the Tarleton Chief Information Officer (CIO), Chief Information Security Officer (CISO), and information resource owners and custodians.&nbsp;<\/p>\n\n\n\n<hr class=\"wp-block-separator alignfull has-text-color has-tarleton-purple-color has-alpha-channel-opacity has-tarleton-purple-background-color has-background is-style-wide\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Compliance &#8211;<\/strong>&nbsp;<\/h3>\n\n\n\n<p>The Information Security Program Plan and associated controls are implemented to ensure compliance with Title 1 Texas Administrative Code (TAC) <a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=70\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a7202.70<\/a>, <a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=71\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a7202.71<\/a>, <a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=72\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a7202.72<\/a>, <a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=73\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a7202.73<\/a>, <a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=74\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a7202.74<\/a>, Texas Government Code (Tex Gov\u2019t Code) <a 
href=\"https:\/\/statutes.capitol.texas.gov\/Docs\/GV\/htm\/GV.2054.htm#2054.0591:~:text=Sec.%202054.133.%20%20INFORMATION%20SECURITY%20PLAN.\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a72054.133<\/a>, the Texas Department of Information Resources (DIR) Security Control Standards Catalog as required by TAC <a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=76\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a7202.76<\/a>, and Texas A&amp;M University System (TAMUS) <a href=\"https:\/\/policies.tamus.edu\/29-01-03.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Regulation 29.01.03, Information Security.<\/a>&nbsp;&nbsp;<\/p>\n\n\n\n<hr class=\"wp-block-separator alignfull has-text-color has-tarleton-purple-color has-alpha-channel-opacity has-tarleton-purple-background-color has-background is-style-wide\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Implementation &#8211;<\/strong>&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list its-nested-list\">\n<li>Tarleton Security Program and Plans&nbsp;\n<ul class=\"wp-block-list\">\n<li>The Tarleton CISO or their designee is responsible for:&nbsp;&nbsp;&nbsp;\n<ul class=\"wp-block-list\">\n<li>Documenting and disseminating procedures that address the Information Security Program Plan family of controls;&nbsp;&nbsp;<\/li>\n\n\n\n<li>Developing an Information Security Program Plan that satisfies the requirements of TAC 202, as required by TAC <a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=71\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a7202.71<\/a>, Tex Gov\u2019t Code <a href=\"https:\/\/statutes.capitol.texas.gov\/Docs\/GV\/htm\/GV.2054.htm#2054.0591:~:text=Sec.%202054.133.%20%20INFORMATION%20SECURITY%20PLAN.\" 
target=\"_blank\" rel=\"noreferrer noopener\">\u00a72054.133<\/a> and TAMUS <a href=\"https:\/\/policies.tamus.edu\/29-01-03.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Regulation 29.01.03, Information Security<\/a>;&nbsp;&nbsp;<\/li>\n\n\n\n<li>Annually reviewing and updating the Information Security Program Plan informed by ongoing risk assessments and considering changes in business, technology, threats, incidents, and Tarleton priorities;&nbsp;&nbsp;<\/li>\n\n\n\n<li>Delivering the Tarleton Information Security Program Plan to the DIR before June 1st of every even-numbered year as required by TAC <a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=73\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a7202.73<\/a> and Tex Gov\u2019t Code <a href=\"https:\/\/statutes.capitol.texas.gov\/Docs\/GV\/htm\/GV.2054.htm#2054.0591:~:text=Sec.%202054.133.%20%20INFORMATION%20SECURITY%20PLAN.\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a72054.133<\/a>; and&nbsp;&nbsp;<\/li>\n\n\n\n<li>Ensuring that the Information Security Program Plan is independently reviewed every two years at a minimum as required by TAC <a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=70\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a7202.70<\/a>, <a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=71\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a7202.71<\/a>, and <a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=76\" 
target=\"_blank\" rel=\"noreferrer noopener\">\u00a7202.76<\/a>. &nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>The Tarleton Information Security Program Plan must be approved by the Tarleton CEO\/President as required by TAC <a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=73\" target=\"_blank\" rel=\"noreferrer noopener\">\u00a7202.73<\/a>, and TAMUS <a href=\"https:\/\/policies.tamus.edu\/29-01-03.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Regulation 29.01.03, Information Security<\/a>.\u00a0\u00a0<\/li>\n\n\n\n<li>The Information Security Program Plan must be protected from unauthorized disclosure and modification.&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Information Security Responsibility and Accountability&nbsp;\n<ul class=\"wp-block-list\">\n<li><strong>The Tarleton CISO&nbsp;&nbsp;<\/strong>&#8211;<br>The Tarleton CEO\/President&nbsp;is responsible for designating a Chief Information Security Officer (CISO) who has the explicit authority and duty to administer the information security requirements of TAC \u00a7202 across the institution. The CISO shall fulfill the detailed responsibilities established by TAC \u00a7202, including providing required reports to the CEO\/President and\/or DIR.&nbsp;<\/li>\n\n\n\n<li><strong>Information Resource Owners\u00a0\u00a0<\/strong>&#8211;<br>Tarleton information resource owners shall fulfill the detailed responsibilities established by TAC 202 and the CISO. The CISO will help ensure that information owners have appropriate training, standards, guidance, and assistance to comply with these responsibilities. 
Significant information owner responsibilities include, but are not limited to:\u00a0\n<ul class=\"wp-block-list\">\n<li>Inventory and classify information under their authority according to <a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/risk-assessment-ra\/ra-2-security-categorization\/\" data-type=\"page\" data-id=\"1757\">Control RA-2, Security Categorization<\/a>; and&nbsp;<\/li>\n\n\n\n<li>Perform the risk assessments provided in <a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/risk-assessment-ra\/ra-3-risk-assessment\/\">Control RA-3, Risk Assessment,<\/a> including identifying, recommending, and documenting acceptable risk levels for information resources under their authority.&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Information Resource Custodians<\/strong>&nbsp;&#8211;<br>Tarleton information resource custodians shall fulfill the detailed responsibilities established by TAC \u00a7202 and the CISO. Information resource owners will help ensure that information custodians have appropriate training, standards, guidance and assistance to comply with these responsibilities.&nbsp; Information resource custodian responsibilities include, but are not limited to:&nbsp;\n<ul class=\"wp-block-list\">\n<li>Implement approved controls and access to information resources under their care; and&nbsp;<\/li>\n\n\n\n<li>Adhere to information security policies and procedures to manage risk levels for information resources.&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Users of Information Resources&nbsp;<\/strong>&#8211;<br>Users of university information resources shall fulfill the detailed responsibilities established by TAC \u00a7202, including but not limited to:&nbsp;\n<ul class=\"wp-block-list\">\n<li>Use the information resources only for the purpose(s) specified by the university or information owner;&nbsp;<\/li>\n\n\n\n<li>Comply with information security controls, system standards, and applicable university guidelines or standards to 
prevent unauthorized or accidental disclosure, modification, or destruction;&nbsp;<\/li>\n\n\n\n<li>Formally acknowledge that they will comply with university information security requirements in a method determined by the President; and&nbsp;<\/li>\n\n\n\n<li>Users of system or member information resources who fail to comply with these university information security requirements are subject to disciplinary action, up to and including termination of employment.&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Annual Risk Assessment&nbsp;\n<ul class=\"wp-block-list\">\n<li>Tarleton shall annually conduct and document a university-wide information security risk assessment as required by TAC \u00a7202. The assessment shall be presented to the President or designee, in accordance with <a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/risk-assessment-ra\/ra-3-risk-assessment\/\">Control RA-3, Risk Assessment<\/a>. The purpose of the annual risk assessment is to identify, evaluate, and document the level of impact on the university\u2019s mission, functions, image, reputation, assets, or individuals that may result from the operation of the university\u2019s information systems.\u00a0<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Security Awareness Education and Training&nbsp;\n<ul class=\"wp-block-list\">\n<li>All users of Tarleton information resources shall complete information security awareness training (See <a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/awareness-and-training-at\/at-2-literacy-training-awareness\/\" data-type=\"page\" data-id=\"805\">Control AT-2, Literacy Training and Awareness<\/a>).&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator alignfull has-text-color has-tarleton-purple-color has-alpha-channel-opacity has-tarleton-purple-background-color has-background is-style-wide\"\/>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>References\/Additional 
Resources<\/strong><\/h3>\n\n\n\n<p><a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=24\" target=\"_blank\" rel=\"noreferrer noopener\">1 TAC \u00a7 202.24<\/a>&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/texreg.sos.state.tx.us\/public\/readtac$ext.TacPage?sl=R&amp;app=9&amp;p_dir=&amp;p_rloc=&amp;p_tloc=&amp;p_ploc=&amp;pg=1&amp;p_tac=&amp;ti=1&amp;pt=10&amp;ch=202&amp;rl=74\" target=\"_blank\" rel=\"noreferrer noopener\">1 TAC \u00a7 202.74<\/a>&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/statutes.capitol.texas.gov\/Docs\/GV\/htm\/GV.2054.htm#2054.0591:~:text=Sec.%202054.133.%20%20INFORMATION%20SECURITY%20PLAN.\" target=\"_blank\" rel=\"noreferrer noopener\">Section 2054.133, Government Code<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>PM-1: Information Security Program Plan DIR Required By: &nbsp;07\/20\/2023&nbsp; Review Date: &nbsp;07\/31\/2024 Purpose &#8211;&nbsp; The Information Security Program Plan is a formal document that provides an overview of the security &#8230;<\/p>\n","protected":false},"author":1,"featured_media":580,"parent":1520,"menu_order":1,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"inline_featured_image":false,"advgb_blocks_editor_width":"","advgb_blocks_columns_visual_guide":"","footnotes":""},"class_list":["post-1641","page","type-page","status-publish","has-post-thumbnail","hentry"],"acf":[],"coauthors":[],"author_meta":{"author_link":"https:\/\/www.tarleton.edu\/security-controls-catalog\/author\/brian-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-3\/","display_name":"brian"},"relative_dates":{"created":"Posted 2 years ago","modified":"Updated 2 years ago"},"absolute_dates":{"created":"Posted on August 5, 2024","modified":"Updated on October 4, 2024"},"absolute_dates_time":{"created":"Posted on August 5, 2024 5:05 
pm","modified":"Updated on October 4, 2024 2:57 pm"},"featured_img_caption":"","featured_img":false,"series_order":"","_links":{"self":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1641","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/comments?post=1641"}],"version-history":[{"count":0,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1641\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1520"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/media?parent=1641"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}