ISO Designation Form
The ISO Designation form should be completed and sent by the agency's/university's executive management, to whom the ISO should report.
ISO Authority, Role and Responsibilities
In accordance with Texas Administrative Code, Title 1, Part 10, Rule Section 202 B & C, the head of each state agency or his/her designated representative(s) shall designate an Information Security Officer who has the explicit authority and the duty to administer the information security requirements of this chapter agency wide.
The ISO designee should:
- report to executive level management
- have authority for information security for the entire agency
- possess training and experience required to administer the functions described under this chapter
- whenever possible, have information security duties as that official's primary duty
Per the Texas Administrative Code, Chapter 202, the ISO is responsible for:
- developing and maintaining an agency-wide information security plan as required by §2054.133, Texas Government Code
- developing and maintaining information security policies and procedures that address the requirements of this chapter and the agency's information security risks
- working with the business and technical resources to ensure that controls are utilized to address all applicable requirements of this chapter and the agency's information security risks
- providing for training and direction of personnel with significant responsibilities for information security with respect to such responsibilities
- providing guidance and assistance to senior agency officials, information-owners, information custodians, and end users concerning their responsibilities under this chapter
- ensuring that annual information security risk assessments are performed and documented by information-owners
- reviewing the agency's inventory of information systems and related ownership and responsibilities
- developing and recommending policies and establishing procedures and practices, in cooperation with the agency Information Resources Manager, information-owners and custodians, necessary to ensure the security of information and information resources against unauthorized or accidental modification, destruction, or disclosure
- coordinating the review of data security requirements, specifications, and, if applicable, third-party risk assessment of any new computer applications or services that receive, maintain, and/or share confidential data
- verifying that security requirements are identified and risk mitigation plans are developed and contractually agreed and obligated prior to the purchase of information technology hardware, software, and systems development services for any new high impact computer applications or computer applications that receive, maintain, and/or share confidential data
- reporting, at least annually, to the state agency head the status and effectiveness of security controls
- informing the parties in the event of noncompliance with this chapter and/or with the agency's information security policies
Helpful Information for New ISOs
As ISO, you will serve as the main security contact to DIR for your agency. DIR's Office of the Chief Information Security Officer (OCISO) will be your main contact group.
Below are a few items of importance and areas of DIR involvement:
1) Security-Officer Mail List
This is an email discussion list administered by DIR. All designated ISOs are automatically members. It is used for official communications from DIR, networking among the ISOs, and announcements. To post a message, simply send an email to email@example.com. There are a few other mailing lists available for collaboration and information dissemination:
firstname.lastname@example.org - Seek advice from other state government IT staff regarding security issues, receive updates on current security alerts, discuss technical issues, request referrals or opinions about IT security products and services and share resources and expertise.
email@example.com - A discussion list to seek advice from other government IT staff regarding technology problems, post training opportunities, discuss technical issues, request referrals or opinions about IT products and services and share resources and expertise.
firstname.lastname@example.org - Advice and referrals from other government staff regarding training issues. Subscribers post training opportunities or needs, discuss issues involving training, education, e-learning, request referrals or opinions about products and services, share resources and expertise and announce meetings and events.
2) Reporting Requirements
ISOs have mandatory reporting obligations, per Texas Administrative Code Chapter 202 (TAC 202). There are two types of incident reporting:
Emergency Reporting - Timely reporting is required (preferably within 24 hours) for incidents that may:
- Propagate to other state systems (emergency reporting)
- Result in criminal violations that shall be reported to law enforcement
- Involve the unauthorized disclosure or modification of confidential information, e.g., sensitive personal information
IMPORTANT: For emergency reporting of security incidents meeting the above criteria, you can call DIR's Incident Reporting Assistance Line at 877-DIR CISO (877-347-2476) or enter the information into the SPECTRIM portal. The phone is answered 24 hours a day, 7 days a week. In any event, the incident must be reported through the SPECTRIM portal.
Monthly Incident Reporting – This report is due NO LATER THAN nine (9) calendar days after the end of the month. This report is submitted through the SPECTRIM portal.
3) Security Plan
Biennial security plans must be submitted by October 15 of each even-numbered year. These security plans must be completed in the SPECTRIM portal.
4) SPECTRIM Portal
DIR implemented a statewide governance, risk and compliance tool available to all state agencies and institutions of higher education. The SPECTRIM portal provides incident management and analysis, risk assessment analysis and agency security plan template preparation.
GRC@dir.texas.gov is being copied on this email, and will be creating an account for you.
5) IT Purchasing
DIR negotiates contracts with IT hardware, software, and service providers based on the combined buying power of the state. See the "Co-operative Contracts" section of the DIR website for more information. State agencies are required to use these contracts or else request an exemption. Institutions of Higher Education are eligible/voluntary users of these services.
6) DIR OCISO Services Available
DIR offers several services and resources to ISOs of eligible entities. Those services include:
- Controlled Penetration Testing, Web Application Vulnerability Testing, and Vulnerability Assessments
- Security Assessments that measure the overall 'health' of your security program and compare it to the Texas Cybersecurity Framework
- InfoSec Academy offers free certification preparation training, along with general IT, Information Security, and Business Skills courses
- SANS Securing the Human security awareness training license seats are available on a first come, first served basis for your organization's general user population
- Information Security Forum is an annual conference that focuses on current information security topics
7) General DIR Information
For information specific to Information Security, see the Information Security section of the DIR website.
DIR welcomes any feedback or suggestions to this template. Please forward any questions to email@example.com.