Agency Security Plan

2018 Agency Security Plan Resources

Vulnerability Report Template

Sec. 2054.077, Government Code, requires agencies to submit a biennial report of vulnerabilities to DIR. To assist agencies with meeting this requirement, DIR has developed an optional template that may be submitted along with the Agency Security Plan. Within the Security Plan Template module in SPECTRIM there is a section to upload the required Vulnerability Report. This template is not intended to be prescriptive. Alternative Vulnerability Report formats will be accepted as a submission provided they meet the intention of the statute.

In developing Agency Security Plans, agencies should:

  • consider any vulnerability report prepared under Section 2054.077, Texas Government Code;
  • incorporate NSOC network services provided to the agency;
  • identify and define responsibilities of agency staff relating to information custodianship;
  • identify risk management activities and other measures taken to protect agency information from unauthorized access, disclosure, modification, or destruction;
  • include information security best practices or a written explanation of why best practices are not sufficient, if applicable.

Agencies should take care to omit from any written copies of the plan any information that could expose vulnerabilities in the agency's network or information systems. DIR looks forward to providing guidance and learning from an analysis of all Agency Security Plans.

Agency Security Plan Overview

The Agency Security Plan template developed by DIR was created through collaboration between government and the private sector. It uses a common language to address and manage cybersecurity risk in a cost-effective way, based on business needs, without placing additional regulatory requirements on agencies.

The template is divided into five concurrent and continuous functions, the same five functions used by the National Institute of Standards and Technology (NIST) Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.

[Chart: the five functional areas of an agency security plan]

Within these five areas, DIR has established 40 distinct security objectives:

Functional area: Identify
Security objectives:
  • Privacy and Confidentiality
  • Data Classification
  • Critical Information Asset Inventory
  • Enterprise Security Policy, Standards and Guidelines
  • Control Oversight and Safeguard Assurance
  • Information Security Risk Management
  • Security Oversight and Governance
  • Security Compliance and Regulatory Requirements Management
  • Cloud Usage and Security
  • Security Assessment and Authorization / Technology Risk Assessments
  • External Vendors and Third Party Providers

Functional area: Protect
Security objectives:
  • Enterprise Architecture, Roadmap & Emerging Technology
  • Secure System Services, Acquisition and Development
  • Security Awareness and Training
  • Privacy Awareness and Training
  • Cryptography
  • Secure Configuration Management
  • Change Management
  • Contingency Planning
  • Media
  • Physical Environmental Protection
  • Personnel Security
  • Third-Party Personnel Security
  • System Configuration Hardening & Patch Management
  • Access Control
  • Account Management
  • Security Systems Management
  • Network Access and Perimeter Controls
  • Internet Content Filtering
  • Data Loss Prevention
  • Identification & Authentication
  • Spam Filtering
  • Portable & Remote Computing
  • System Communications Protection

Functional area: Detect
Security objectives:
  • Malware Protection
  • Vulnerability Assessment
  • Security Monitoring and Event Analysis

Functional area: Respond
Security objectives:
  • Cyber-Security Incident Response
  • Privacy Incident Response

Functional area: Recover
Security objectives:
  • Disaster Recovery Procedures

Each agency and institution of higher education then uses its Agency Security Plan to demonstrate how it will achieve these objectives.

Agency Security Plan Template

The Agency Security Plan template gives agencies:

  • A method for reporting on the types of controls they have in place
  • An evaluation of their ability to operate the control environment at their required level
  • A standardized approach for preparing the agency's ongoing security plan

The Agency Security Plan is now available in the SPECTRIM Portal.
