DIR provides an assortment of materials that can serve as a framework, reference or baseline for agency reporting requirements. These tools include the Data Classification Template, Data Use Agreement, Security Plan Template, and the Control Standard Catalog.
Vulnerability Report Template
Sec. 2054.077, Government Code, requires agencies to submit a biennial report of vulnerabilities to DIR. To assist agencies with meeting this requirement, DIR has developed an optional template that may be submitted along with the Agency Security Plan. Within the Security Plan Template module in SPECTRIM there is a section to upload the required Vulnerability Report. This template is not intended to be prescriptive. Alternative Vulnerability Report formats will be accepted as a submission provided they meet the intention of the statute.
Information Resources Employees Continuing Education Guidelines for Cybersecurity
The nature of cybersecurity requires continuous learning to successfully combat the ever-changing landscape of threats. Information resources employees are particularly significant targets for attackers due to their elevated or administrative privileges. HB 8, 85(R) required DIR to develop continuing education guidelines for information resources employees regarding cybersecurity. The following guidelines were developed to assist agencies and institutions of higher education with ensuring their IR staff have the education and awareness to help protect their organizations.
View the Information Resources Employees Continuing Education Guidelines for Cybersecurity -- PDF (385 KB)
Data Classification Guide & Template
Data classification is the basis for identifying an initial baseline set of security controls for information and information systems, which provides numerous benefits. First and foremost, data classification makes security decisions more efficient for employees, data owners, and IT staff, because it instantly identifies and communicates the level of protection required for any piece of data as well as the audience that may view it.
View the Data Classification Guide -- .docx (67 KB)
View the Data Classification Template – .xlsx (77 KB)
Data Use Agreement
The 84th Legislative Session passed Senate Bill 1877, which requires "Each state agency [to] develop a data use agreement for use by the agency that meets the particular needs of the agency and is consistent with rules adopted by the department [of information resources] that relate to information security standards for state agencies."
The Texas Department of Information Resources, as the primary author of Texas Administrative Code, Chapter 202 and home of the state's Chief Information Security Officer, provides a sample data use agreement that can be used by agencies to comply with SB 1877. Clearly, though, the legislature understood that there would be "particular needs" of each agency. Thus the document presented is merely a starting point. This document is intended to provide background and suggestions on how agencies may use the template.
View the Data Use Agreement – .docx (30 KB)
View Data Use Agreement FAQ – PDF (104 KB)
The Control Standards Catalog was initiated by DIR to help state agencies and higher education institutions implement security controls. It specifies the minimum information security requirements that state organizations must employ to provide the appropriate level of security relevant to the level of risk.
View the Control Standards Catalog – PDF (1.78 MB)
The Control Crosswalk maps Revised TAC §202 to industry standards, regulatory requirements, and compliance mandates. It is meant to relate the controls specified in Revised TAC §202 to other requirements that agencies and higher education institutions may have for protecting information and information systems.
View the Control Crosswalk – PDF (285 KB)
Acceptable Use of the Internet
The Acceptable Use of the Internet Guidelines are intended to assist state agencies and institutions of higher education in complying with the provisions of the Texas Administrative Code (TAC), Chapter 202 Information Security Standards and Executive Order (RP58) Relating to peer-to-peer file-sharing software. State agencies and institutions of higher education need to assess the associated risks and publish policies to ensure the appropriate use of state systems and networks that provide access to the Internet and technologies used for electronic mail, instant messaging (IM), and peer-to-peer (P2P) file-sharing.
View the Acceptable Use of the Internet – PDF (765 KB)
Vendor Alignment Tool
DIR also created a tool that enables vendors of security products and services to align their offerings to the Cybersecurity Framework:
View the Vendor Alignment Template – .xlsx (102 KB)
Agency Security Plan Template
The Agency Security Plan template gives agencies:
- A method for reporting on the types of controls they have in place
- An evaluation of their ability to operate the control environment at their required level
- A standardized approach for preparing the agency’s ongoing security plan
The Agency Security Plan is now available in the SPECTRIM Portal.
Incident Response Template
The Incident Response Template is intended to be a framework for organizations creating their own Redbook, and should be completed and modified to meet the business needs of the organization.
View the Incident Response Template - PDF (1.4 MB)
Sale or Transfer of Computers and Software Guide
This guideline is intended to supplement existing policies and procedures on the sale and transfer of surplus and salvaged equipment.
View the Sale or Transfer of Computers and Software Guide - PDF (127 KB)