Information Security Officers (ISOs)

An Information Security Officer (ISO) is the person inside every state agency who has the explicit authority and duty to administer information security requirements. Each state agency is required to designate an ISO by the Texas Administrative Code.  

Authorities and Responsibilities of an ISO 

An agency’s ISO has authority to handle information security over their entire agency.  

Designated ISOs have several responsibilities – all of which are listed in Texas Administrative Code (TAC) §202.21. A few of these responsibilities include: 

  • Defining and maintaining policies and documentation for your security program, 

  • Working with your business owners and technical staff to address risks in your organization, 

  • Conducting risk assessments regularly with data owners, and 

  • Reporting the effectiveness of your security controls to the agency head. 

Be sure to read TAC §202.21 for the full, detailed list of an ISO’s specific responsibilities.  

Who should become your agency’s ISO? 

Ideally, your agency’s Information Security Officer will: 

  • Possess the training and experience necessary to perform all the responsibilities listed above and in TAC §202. 

  • Have their role as ISO as their primary job duty.  

  • Be able to regularly and comfortably communicate and report to executive level managers.  

ISO Resources

Designate Your Agency's ISO
Learn more about the ISO role and access the ISO designation form
Designate Your Agency's ISO
DIR OCISO Security Services Guide
A single source of all DIR’s security-related services
DIR OCISO Security Services Guide
The SPECTRIM portal provides security incident management and analysis, risk assessment analysis and a security plan template
ISO Resources
Find tips and tools to help you perform your role as ISO effectively
ISO Resources

Additional Resources for ISOs

As an Information Security Officer, you will be DIR’s main contact for cybersecurity-related issues at your agency. And at DIR, you should reach out to the Office of the Chief Information Security Officer (OCISO) for questions or concerns.  

Here are some tips and tools to help you perform your role as ISO effectively:

Security Officer Mailing Lists 

This is the official email discussion list for ISO. You’re automatically a member. DIR uses this mailing list to make official communications, but you can use it to network with your fellow ISOs.  

To post a message to this list, simply send an email to: [email protected].  

Other Mailing Lists 

  • [email protected] – A mailing list dedicated to security-related issues. Seek advice from other state government IT staff. Receive updates on current security alerts. Discuss technical issues. Request referrals or opinions about IT security products and services. Share resources and expertise. 

  • [email protected] – A list dedicated to general technology conversations. Seek advice from other government IT staff. Post training opportunities. Discuss technical issues. Request referrals or opinions about IT products and services. Share resources and expertise. 

  • [email protected] – A list for questions about training. Seek advice and referrals from other government staff. Post training opportunities or needs. Discuss issues involving training, education, e-learning, etc. Request referrals or opinions about products and services. Share resources and expertise. Announce meetings and events. 

Emergencies: How to Report 

You must immediately report any incident that may:   

  • Propagate to other state systems  

  • Result in criminal violations that shall be reported to law enforcement  

  • Involve the unauthorized disclosure or modification of confidential information, e.g., sensitive personal information 

Report an Emergency 

Call DIR's Incident Reporting Assistance Line. The phone is answered 24/7. You may also enter the emergency info into the SPECTRIM portal. In any event, the incident must be reported through the SPECTRIM portal. 

DIR Incident Reporting Assistance  

(877) DIR CISO  


Monthly Incident Reporting 

Effective November 16, 2023, monthly summary security incident reports are no longer required to be provided to DIR. TAC §202.23 (agencies) and TAC §202.73 (higher education) have been updated to exclude this requirement. Please disregard automated reminder notifications you may receive during this phase-out period.

Security Plan (Every Two Years) 

Biennial security plans must be submitted by June 1 each even-numbered year—e.g., 2022, 2024, etc. These security plans must be completed in the SPECTRIM portal.  


The SPECTRIM portal provides security incident management and analysis, risk assessment analysis and a security plan template. You can visit the SPECTRIM portal here:

IT Purchasing 

DIR negotiates contracts with providers and vendors, using the purchasing power of the State of Texas. Visit the Cooperative Contracts page to learn more about the process and how you can use it at your agency. (State agencies are required to use this service unless they seek and receive an exemption.)  

Office of the Chief Information Security Officer (OCISO)  

The OCISO is standing by to help you fulfill your responsibilities as your agency’s ISO. Among our services and resources are: 

  • Testing and assessments of your information security systems  

  • InfoSec Academy offers free certification preparation training, along with general technology and business skills classes 

  • “Information Security Forum” is an annual conference that focuses on current information security topics 

About File Formats

Some documents on this page are in the PDF format. Please download the Adobe Reader in order to view these documents.