Designate an ISO

What is an ISO? 

An ISO—or Information Security Officer—is the person inside every state agency who has the explicit authority and duty to administer information security requirements. The Texas Administrative Code requires each state agency to designate an ISO.

Authorities and Responsibilities of an ISO 

An agency’s ISO has authority over information security for the entire agency.

Designated ISOs have several responsibilities – all of which are listed in Texas Administrative Code (TAC) §202.21. A few of these responsibilities include: 

  • Defining and maintaining policies and documentation for your security program, 

  • Working with your business owners and technical staff to address risks in your organization, 

  • Conducting risk assessments regularly with data owners, and 

  • Reporting the effectiveness of your security controls to the agency head. 

Be sure to read TAC §202.21 for the full, detailed list of an ISO’s specific responsibilities.  

Who Should Become Your Agency’s ISO?

Ideally, your agency’s Information Security Officer will: 

  • Possess the training and experience necessary to perform all the responsibilities listed above and in TAC §202. 

  • Hold the ISO role as their primary job duty.

  • Be able to regularly and comfortably communicate and report to executive level managers.  

Resources for ISOs  

As an Information Security Officer, you will be DIR’s main contact at your agency. At DIR, reach out to the Office of the Chief Information Security Officer (OCISO) with questions or concerns.

Here are some tips and tools to help you perform your role as ISO effectively. 

This is the official email discussion list for ISO. You’re automatically a member. DIR uses this mailing list to make official communications, but you can use it to network with your fellow ISOs.  

To post a message to this list, simply send an email to: [email protected].  

  • TX-ISAO mailing lists – The Texas Information Sharing and Analysis Organization (TX-ISAO) sends out threat and intelligence information, security news, training opportunities, and OCISO news that is pertinent to your organization.

  • [email protected] – A list dedicated to general technology conversations. Seek advice from other government IT staff. Post training opportunities. Discuss technical issues. Request referrals or opinions about IT products and services. Share resources and expertise. 

  • [email protected] – A list for questions about training. Seek advice and referrals from other government staff. Post training opportunities or needs. Discuss issues involving training, education, e-learning, etc. Request referrals or opinions about products and services. Share resources and expertise. Announce meetings and events. 

You must immediately report any incident that may:   

  • Propagate to other state systems  

  • Result in criminal violations that shall be reported to law enforcement  

  • Involve the unauthorized disclosure or modification of confidential information, e.g., sensitive personal information 

Call DIR's Incident Reporting Assistance Line at (877) DIR-CISO (877-347-2476). The phone is answered 24/7. You may also enter the emergency info into the SPECTRIM portal. In any event, the incident must be reported through the SPECTRIM portal.

This report is due no later than nine (9) calendar days after the end of the month. This report is submitted through the SPECTRIM portal. 

Biennial security plans must be submitted by June 1 each even-numbered year—e.g., 2022, 2024, etc. These security plans must be completed in the SPECTRIM portal.  

The SPECTRIM portal provides security incident management and analysis, risk assessment analysis, and a security plan template. You can visit the SPECTRIM portal here.

DIR negotiates contracts with providers and vendors, using the purchasing power of the State of Texas. Visit the Cooperative Contracts page to learn more about the process and how you can use it at your agency. (State agencies are required to use this service unless they seek and receive an exemption.)  

The OCISO is standing by to help you fulfill your responsibilities as your agency’s ISO. Among our services and resources are: 

  • Testing and assessments of your information security systems  

  • InfoSec Academy offers free certification preparation training, along with general technology and business skills classes 

  • “Information Security Forum” is an annual conference that focuses on current information security topics 

Visit the OCISO website to learn more.  

Designate Your Agency’s ISO

If you’re ready to designate an ISO for your agency (or change your current designation), use this form. 
