Information Security Plan

2020 Information Security Plan Resources

In developing Information Security Plans, agencies should:

  • consider any vulnerability report prepared under Section 2054.077, Texas Government Code;
  • incorporate NSOC network services provided to the agency;
  • identify and define responsibilities of agency staff relating to information custodianship;
  • identify risk management activities and other measures taken to protect agency information from unauthorized access, disclosure, modification, or destruction;
  • include information security best practices or, if applicable, a written explanation of why best practices are not sufficient.

Agencies should take care to omit from any written copies of the plan information that could expose vulnerabilities in the agency's network or information systems. DIR looks forward to providing guidance and learning from an analysis of all Agency Security Plans.

NOTE: Local governments and K-12 organizations are not required to submit security plans to DIR. Local entities that wish to complete a security plan can use the optional Excel template above.

State agencies, institutions of higher education, and community colleges are required to submit their plans in SPECTRIM. State organizations should not use the Excel template to complete their security plans.

Information Security Plan Overview

The Information Security Plan template developed by DIR was created through collaboration between government and the private sector. It uses a common language to address and manage cybersecurity risk in a cost-effective way, based on business needs, without placing additional regulatory requirements on agencies.

The template is divided into five concurrent and continuous functions, the same five defined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.

[Chart: the five areas of an agency security plan]

Within these five areas, DIR has established 42-46 distinct security objectives (the four marked "if applicable" count only where they apply to the agency):

Security Objectives (by Functional Area):

  • Privacy and Confidentiality
  • Data Classification
  • Critical Information Asset Inventory
  • Enterprise Security Policy, Standards and Guidelines
  • Control Oversight and Safeguard Assurance
  • Information Security Risk Management
  • Security Oversight and Governance
  • Security Compliance and Regulatory Requirements Management
  • Cloud Usage and Security
  • Security Assessment and Authorization / Technology Risk Assessments
  • External Vendors and Third Party Providers
  • Secure Application Development (if applicable)
  • Beta Testing (if applicable)
  • Penetration Testing (if applicable)
  • Vulnerability Testing (if applicable)
  • Enterprise Architecture, Roadmap & Emerging Technology
  • Secure System Services, Acquisition and Development
  • Security Awareness and Training
  • Privacy Awareness and Training
  • Cryptography
  • Secure Configuration Management
  • Change Management
  • Contingency Planning
  • Media
  • Physical Environmental Protection
  • Personnel Security
  • Third-Party Personnel Security
  • System Configuration Hardening & Patch Management
  • Access Control
  • Account Management
  • Security Systems Management
  • Network Access and Perimeter Controls
  • Internet Content Filtering
  • Data Loss Prevention
  • Identification & Authentication
  • Spam Filtering
  • Portable & Remote Computing
  • System Communications Protection
  • Information Systems Currency
  • Malware Protection
  • Vulnerability Assessment
  • Security Monitoring and Event Analysis
  • Audit Logging & Accountability
  • Cyber-Security Incident Response
  • Privacy Incident Response
  • Disaster Recovery Procedures

Each agency and institution of higher education then uses its Agency Security Plan to demonstrate how it will achieve these objectives.

Information Security Plan Template

The Information Security Plan template gives agencies:

  • A method for reporting on the types of controls they have in place
  • An evaluation of their ability to operate the control environment at their required level
  • A standardized approach for preparing the agency’s ongoing security plan

The Information Security Plan is available in the SPECTRIM Portal.
