Tarleton Office of Innovative Technology Solutions (OITS)
Security of Electronic Resources Standard

Effective: February 11, 2020

Revised: May 29, 2026


Procedure Summary 

Tarleton State University (Tarleton or university), as a state university, is required to comply with the Texas Administrative Code (TAC) Chapter 202 ‐ Information Security Standards. TAC assigns responsibility for protection of informational resources to the president of the public university or agency. For the purposes of this standard, the authority and responsibility regarding the university’s compliance with TAC 202 has been delegated by the President to the Associate Vice President and Chief Information Officer (CIO) of the Office of Innovative Technology Solutions (OITS).  

Please see the Tarleton Security Controls Catalog for additional information and requirements.

Procedures and Responsibilities 

  • The Information Security Officer (ISO) or Chief Information Security Officer (CISO) has been designated as the individual responsible for administering the provisions of this standard and TAC 202 in coordination with the CIO.
  • The head or director of a department shall be responsible for ensuring that their department incorporates appropriate security program requirements and that compliance with TAC 202, this standard, and the Tarleton Security Controls Catalog is maintained for information systems owned and operated/used by their department.  
  • The head or director of a department which provides operational support (custodian) for information systems owned by another Tarleton department shall have the responsibility for ensuring that the department incorporates appropriate security program requirements and that compliance with TAC 202, this standard, and the Tarleton Security Controls Catalog is maintained for information systems owned and operated/used by the department.  
  • Operational responsibility for compliance with TAC 202 may be delegated by the department head or director to the appropriate information system support personnel (e.g. system administrators) within the department.  
  • Mission Critical or Confidential Information maintained on information resources such as servers, individual workstations, and portable devices must be afforded the appropriate safeguards stated in TAC 202, the Tarleton Security Controls Catalog, and other applicable university rules and administrative standards. It is the responsibility of the information resource owner or designee to ensure that adequate security measures are in place.
  • The information owner, or their designee, is responsible for ensuring that the risk mitigation measures described in applicable university rules and standards are implemented. In accordance with Texas Administrative Code (TAC) Chapter 202 ‐ Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this standard based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated information security officer.

Definitions

Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.   

Custodian of an Information Resource: A person responsible for implementing owner defined controls and access to an information resource. Custodians may include state employees, vendors, and any third party acting as an agent of, or otherwise on behalf of the state entity.  

Information Resources (IR): the standards, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.   

Information Security Officer (ISO) / Chief Information Security Officer (CISO): responsible for administering the information security functions within the university and reports to the information resources manager (IRM).   

Mission Critical Information: information that is defined by the university or information resource owner to be essential to the continued performance of the mission of the university or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of a department or the university.

Owner of an Information Resource: an entity responsible for a business function and for determining controls and access to information resources supporting that business function.  

User of an Information Resource: An individual or automated application authorized to access an information resource in accordance with the information resource owner’s defined controls and access rules for the purpose specified by the owner; complying with controls established by the owner; and preventing disclosure of confidential or sensitive information.  

Related Statutes, Policies, or Requirements 

Texas Administrative Code (TAC) Chapter 202 ‐ Information Security Standards

TAMUS Policy 32.02, Discipline and Dismissal of Employees

TAMUS Regulation 32.02.02, Discipline and Dismissal of Nonfaculty Employees

TAMUS Policy 29.01, Information Resources

TAMUS Regulation 29.01.02, Use of Licensed Software

TAMUS Regulation 29.01.03, Information Security

TAMUS Regulation 29.01.04, Accessibility of Electronic and Information Resources

TAMUS Regulation 29.01.05, Artificial Intelligence

TAMUS Regulation 29.01.06, Covered Applications and Prohibited Technologies

Tarleton SAP 29.01.03.T0.01, Information Resources – Acceptable Use

Tarleton Rule 29.01.99.T1, Information Resources

Tarleton Security Controls Catalog

Contact Office 

Office of Innovative Technology Solutions 

AVP and CIO of Innovative Technology Solutions 

254-459-5685