DIR provides an assortment of materials that can serve as a framework, reference or baseline for agency reporting requirements. These tools include the Data Classification Template, Data Use Agreement, Security Plan Template, and the Control Standard Catalog.
Data Classification Template
Data classification is the basis for identifying an initial baseline set of security controls for information and information systems, which provides numerous benefits. First and foremost, data classification makes making security decisions more efficient for employees, data owners, and IT staff, because it instantly identifies and communicates the level of protection required for any piece of data as well as the audience that may view it.
View the Data Classification Template – Xls (77 KB)
View the Data Classification Guide – Docx (849 KB)
Data Use Agreement
The 84th Legislative Session passed Senate Bill 1877 which requires "Each state agency [to] develop a data use agreement for use by the agency that meets the particular needs of the agency and is consistent with rules adopted by the department [of information resources] that relate to information security standards for state agencies."
The Texas Department of Information Resources, as the primary author of Texas Administrative Code, Chapter 202 and home of the state's Chief Information Security Officer, provides a sample data use agreement that can be used by agencies to comply with SB 1877. Clearly, though, the legislature understood that there would be "particular needs" of each agency. Thus the document presented is merely a starting point. This document is intended to provide background and suggestions how agencies may use the template.
View the Data Use Agreement – Docx (30 KB)
View Data Use Agreement FAQ – PDF (104 KB)
The Control Standards Catalog was initiated by DIR to help state agencies and higher education institutions implement security controls. It specifies the minimum information security requirements that state organizations must employ to provide the appropriate level of security relevant to level of risk.
View the Control Standards Catalog – PDF (1.78 MB)
The Control Crosswalk maps Revised TAC §202 to industry standards, regulatory requirements, and compliance mandates. It is meant to relate the controls specified in Revised TAC §202 to other requirements that agencies and higher education institutions may have for protecting information and information systems.
View the Control Crosswalk – PDF (285 KB)
Acceptable Use of the Internet
The Acceptable Use of the Internet Guidelines are intended to assist state agencies and institutions of higher education compliance with
the provisions of the Texas Administrative Code (TAC), Chapter 202 Information Security Standards and
Executive Order (RP58) Relating to peer-to-peer file-sharing software. State agencies and institutions of
higher education need to assess the associated risks and publish policies to ensure the appropriate use
of state systems and networks that provide access to the Internet and technologies used for electronic
mail, instant messaging (IM), and peer-to-peer (P2P)file-sharing.
View the Acceptable Use of the Internet – PDF (765 KB)
Vendor Alignment Tool
DIR also created a tool that enables vendors of security products and services to align their offerings to the Cybersecurity Framework:
View the Vendor Alignment Template – Xls (102 KB)
Agency Security Plan Template
The Agency Security Plan template gives agencies:
- A method for reporting on the types of controls they have in place
- An evaluation of their ability to operate the control environment at their required level
- A standardized approach for preparing the agency’s ongoing security plan
The Agency Security Plan is now available in the SPECTRIM Portal.
Incident Response Template
The Incident Response is intended to be a framework for organizations in creating their own Redbook, and should be completed and modified to meet the business needs of the organization.
The Incident Response Template is now available in the SPECTRIM Portal.