01. POLICY STATEMENTS

01.01 Title 1, Part 10, Chapter 202, Texas Administrative Code, commonly known as
TAC 202, requires the chief executive of each Texas state agency and public
institution of higher education to protect their institution’s information
resources by establishing an Information Security Program consistent with the
TAC 202 standards. In compliance with TAC 202, this policy statement reflects
the policies, procedures, standards and guidelines comprising the Information
Security Program of Lamar Institute of Technology (LIT). The terms and phrases
in this policy statement shall have the meanings ascribed to them in TAC 202.1
unless otherwise provided herein.
The LIT Information Security Program is positioned and administered by the
Chief Information Officer and the Information Security Officer and is within the
Office of the Director of Computer Services also to be recognized as the CIO/ISO.
The Information Security Program is implemented by the CIO/ISO in
collaboration with all institutional constituents that use and support the
institution’s information resources.
[TAC 202.70(2), TAC 202.71(d)]

01.02 Information resources residing at LIT is a strategic and vital asset belonging to
the people of Texas. These assets must be available when needed and protected
commensurate with their value. All members of the LIT community, regardless
of position or role, share responsibility for protecting institutional information
resources. The LIT community shall take appropriate measures to protect the
institution’s information resources against accidental or unauthorized disclosure,
contamination, modification, or destruction, and to assure the confidentiality,
authenticity, utility, integrity, and availability of LIT information.
[TAC 202.70(1)]

01.03 All individuals are accountable for their use of LIT information resources.
Individuals shall comply with applicable laws, Texas State University System
(TSUS) Regents Rules, and all institutional policies in their use of these resources.
[TAC 202.70(3)]

01.04 Information that is Sensitive or Confidential must be protected from
unauthorized access or modification. Data that is essential to critical LIT
functions must be protected from loss, contamination, or destruction.
[TAC 202.75]

01.05 Risks to information resources must be managed. The expense of security
safeguards must be appropriate to the value of the assets being protected,
considering value of the asset to LIT, regulatory agencies, the public, potential
intruders, and any other person or organization with an interest in the assets.
[TAC 202.70(4)]

01.06 The integrity of data, its source, its destination, and processes applied to it are
critical to its value. Changes to data must be made only in authorized and
acceptable ways.
[TAC 202.70(5)]

01.07 Information resources must be available when needed. Continuity of
information systems supporting critical LIT functions must be ensured in the
event of a disaster or disruption in normal operations.
[TAC 202.70(6)]

01.08 Security requirements shall be identified, documented, and addressed in all
phases of development or acquisition of information resources.
[TAC 202.70(7) and TAC 202.75(6)]

01.09 Security awareness of employees must be continually emphasized and
reinforced at all levels of management. All individuals must be accountable for
their actions relating to information resources.
[TAC 202.77(d) and (e)]

01.10 The information security program must be responsive and adaptable to changing
vulnerabilities and technologies affecting information resources. Its components
shall be reviewed and modified in a timely fashion to meet emerging and
evolving threats.
[TAC 202.71(e)]

01.11 LIT must ensure adequate controls and separation of duties for tasks that are
susceptible to fraudulent or other unauthorized activity.
[TAC 202.70(8)]

02. INFORMATION SECURITY ORGANIZATION

02.01 The Director of Computer Services is the LIT Information Resources Manager
(IRM) as defined in the Information Resources Management Act (IRMA)
(TEX.GOV'T CODE § 2054). The Information Resources Manager oversees the
acquisition and use of information technology within a state agency or
institution.
The IRMA and the Texas Administrative Code (TAC, Tile 1, Part 10, Ch 201§201.3)
establish rules and responsibilities for the designated IRM that include executive
level oversight for security and risk management of LIT information resources.
Consequently, the Office of the Director of Computer Services directs the LIT
Information Technology Security function.

02.02 The Information Security Officer (ISO) is the designated administrator of the LIT
Information Security Program. As such, the ISO is responsible for all aspects of
the institutional information security program.
The ISO is specifically charged with the following responsibilities:

a. Develop, recommend, and establish policies, procedures, and practices as
necessary to protect LIT information resources against unauthorized or
accidental modification, destruction, or disclosure;

b. Identify and implement proactive and reactive technical measures to detect
vulnerabilities and to defend against external and internal security threats;

c. Provide consulting and technical support services to owners, custodians, and
users in defining and deploying cost effective security controls and
protections;

d. Establish, maintain, and institutionalize security incident response
procedures to ensure that security events are thoroughly investigated,
documented, and reported, that damage is minimized, that risks are
mitigated, and that remedial actions are taken to prevent recurrence;

e. Establish and publicize a security awareness program to achieve and
maintain a security conscious user community;

f. Document, maintain, and obtain ongoing support for all aspects of the
Information Security Program;

g. Monitor the effectiveness of strategies, activities, measures, and controls
designed to protect LIT information resources;

h. Assure executive management awareness of legal and regulatory changes
that might impact LIT information security and privacy policies and practices;

i. Serve as the LIT internal and external point of contact for information
security matters; and

j. Report frequently (at least annually) on the status and effectiveness of the
Information Security Program.
[TAC 202.71(e)]

02.03 All members of the LIT community share responsibility for protecting LIT
information resources and as such, are essential components of the institutional
information security organization. Nonetheless, individual responsibilities can
vary significantly according to an individual’s relationship with any given
information resource. In recognition of those variances, LIT has defined and
assigns three generic roles with respect to the security of information resources:
1) the Owner role, 2) the Custodian role, and 3) the User role. Each individual
assumes one or more of these roles with respect to each information resource
they use, and as a result are accountable for the responsibilities attendant to
their role(s).

03. RISK ASSESSMENT

03.01 Risk assessment is a vehicle for systematically identifying and evaluating the
vulnerabilities of an information system and its data to the threats facing it in its
environment. It is an essential component of any security and risk management
program. Absolute security that assures protection against all threats is
unachievable. Risk assessment provides a framework for weighing losses that
might occur in the absence of an effective security control against the costs of
implementing the control. Risk management is intended to ensure that
reasonable measures are employed to protect against the most probable and
impactful threats.

03.02 Owners and their designated custodians shall annually complete or commission
a comprehensive risk assessment of their assigned information resources,
including departmentally‐administered computing resources that store, process
and access information. The assessment must include a classification of their
information according to its need for security protection, i.e., its need for
confidentiality, integrity, and availability.
The assessment should also identify reasonable, foreseeable, internal, and
external risks to the security, confidentiality, integrity, and availability of those
resources. Owners and custodians should assess the sufficiency of safeguards in
place to control these risks and document their level of risk acceptance (i.e., the
exposure remaining after implementing appropriate protective measures, if
any). Additional mitigation measures should be taken as necessary to protect
the resources from risks considered unacceptable. The risk assessment should
include consideration of employee training and management, information
systems architecture and processes, business continuity planning, and
prevention, detection and response to intrusion and attack.
[TAC 202.72 and TAC 202.74]

03.03 The ISO shall periodically (at least annually) complete or commission a risk
assessment of the information resources considered essential to LIT critical
mission and functions, and shall recommend, to the owners and custodians of
these resources, appropriate risk mitigation measures, technical controls, and
procedural safeguards. The assessment may incorporate self‐assessment
questionnaires, vulnerability scans, scans for Sensitive and Confidential
information, and penetration testing. Findings and recommendations shall be
provided to the owners and custodians of the information assets and shall also
be presented to the CIO/ISO for sharing with the President as appropriate.
[TAC 202.72(c)]

04. INFORMATION ASSET MANAGEMENT

04.01 LIT information resources are strategic and vital assets that must be available
when needed and protected commensurate with their value. In this policy, the
institution has identified specific actions required to achieve these objectives.
LIT has also articulated the Owner, Custodian, and User roles to clearly
distinguish the parties responsible and accountable for taking those actions.
04.02 The Owner role. LIT (and consequently the state of Texas) is the legal owner of
all the institutional information assets. As a practical matter, LIT delegates
specific ownership responsibilities to those with day‐to‐day oversight of the
information asset. For example, departmental file shares hosted on Technology
Services servers in the data center, i.e., the shared directories and their contents
are owned by the department(s) and the host computer(s) and related disk
storage is owned by Technology Services.
Owners have been designated for data assets based upon the general subject
matter of the data. For example, Human Resources and Faculty Records are the
designated owners of staff and faculty employee information, respectively.
Ownership responsibility for network, hardware, and software assets is assigned
to the party accountable for the assets, as documented in LIT inventory,
procurement, and licensing records.
Owners are specifically responsible for:

a. Keeping abreast of laws and policies related to the information assets
they own and classifying these assets according to their need for security
protection (see Section 4.08, Data Classification).

b. Determining the value of, authorizing user access to, and establishing
procedures for authorized disclosure of, their information assets;

c. Specifying data control requirements for their information assets and
conveying those requirements to co‐owners, custodians, and users;

d. Specifying appropriate controls, based on risk assessment, to protect
their information assets from unauthorized use, modification, deletion,
or disclosure;

e. Selecting and assigning custody of information assets, in consultation
with appropriate IT division staff, to custodians capable of implementing
the necessary security controls and procedures;

f. Contractually binding non‐institutional custodians to implement and
comply with their specified security controls and procedures;

g. Confirming the implementation of and compliance with the specified
controls by the custodians; and

h. Reviewing and maintaining access authorization lists based on
documented security risk management decisions.
[TAC 202.71(c)(1)]

04.03 The Custodian role. Custodians provide information asset services to both
owners and users. A custodian may be a person (such as a departmental system
support specialist), a team or department (such as Technology Services), or a
third party provider of information resource management services (such as a
web site or application hosting firm). Regardless of how the role is filled,
custodians are expected to:

a. Assist the owner(s) in identifying cost‐effective controls, along with
monitoring techniques and procedures for detecting and reporting
control failures or violations;

b. Implement the controls and monitoring techniques and procedures
specified by the owner(s); and

c. Provide and monitor the viability of physical and procedural safeguards
for the information resources.
[TAC 202.71(c)(2)]

04.04 The User role. The user role is the default role possessed by all users of LIT
information resources. Users of information resources shall use those resources
for defined purposes that are consistent with their institutional responsibilities
and always in compliance with established controls. Users are expected to
comply with LIT published security policies and procedures, as well as with
security bulletins and alerts that may be issued by Technology Services in
response to specific risks or threats. The use of LIT information resources implies
that the user has knowledge of and agrees to comply with LIT policies governing
such use.
[TAC 202.71(c)(3) and TAC 202.77(a)]
Employee users are responsible for ensuring the privacy and security of the
information they access in the normal course of their work. Employees are also
responsible for the security of any terminal, workstation, printer or similar
electronic device utilized in the normal course of their work. Employees are
authorized to use only those resources and materials that are appropriate and
consistent with their job functions and must not violate or compromise the
privacy or security of any data or systems accessible via the LIT computer
network.
Users may not attempt to violate the security or privacy of other computer users
on any system accessible via the LIT computer network. The attempted violation
of information security or privacy is grounds for revocation of computer access
privileges, suspension or discharge of employees, suspension or expulsion of
students, and prosecution to the full extent of the law.
Users are responsible for the security of any computer account (e.g., ID or
username) issued to them and are accountable for any activity that takes place
in their account. Users who discover or suspect that the security of their account
has been compromised must immediately change their password and report the
incident to the Technology Services Help Desk (TSHD) for initial investigation.
Any suspected or attempted violation of system security should be reported
immediately to TSHD (409) 839‐2041 or helpdesk@lit.edu
04.05 Privileged roles. By virtue of their job duties, designated employees may require
and may be entrusted with elevated access privileges to specified information
assets. These employees normally function in custodial or security‐related roles
with respect to the specified information assets.
Users entrusted with elevated access privileges shall:

a. use those privileges solely for the purpose intended by the asset owner; and

b. access, disclose, and discuss the information only to the extent required to
perform the job duty for which the privileges were granted.

04.06 Review and Monitoring. LIT’s information resources are subject to monitoring,
review, and disclosure in accordance with:

a. the Texas Public Information Act and other pertinent laws and policies;

b. other legal requirements, such as subpoenas and court orders;

c. efforts to protect and sustain their operational integrity;

d. security reviews or audits; and

e. other purposes, as determined by the CIO/ISO in consultation with the Chief
Financial Officer (CFO) and President, required to protect and support the
LIT’s legitimate interests and the legitimate interests of other users.
Users of LIT’s information resources expressly consent to monitoring by LIT for
these purposes and are advised that if such monitoring reveals possible evidence
of criminal activity, LIT administration may provide that evidence to law
enforcement officials. Further, all users should understand that while LIT takes
reasonable precautions, as evidenced by its information security program, it is
unable to guarantee the protection of electronic files, data, or e‐mails from
unauthorized or inappropriate access or disclosure.
In consideration of the above provisions, users should not expect privacy in their
use of LIT’s information resources except as otherwise provided by applicable
privacy laws.
[TAC 202.75(7)(O) and TAC 202.75(9)(D)]

04.07 Interagency operations. When Sensitive or Confidential information from
another institution or state agency is received by LIT in connection with the
transaction of official business, LIT shall maintain the confidentiality or sensitivity
of the information in accordance with the conditions imposed by the providing
agency or institution.
[TAC 202.75(2)(B)]

04.08 Data Classification. Prior to releasing, publishing, or disclosing any LIT
information, the designated owner of the information shall classify the
information as Public, Sensitive, or Confidential, according to its need for
confidentiality. Moreover, the information’s owner should ensure that disclosure
controls and procedures are implemented and followed to afford the degree of
protection required by the assigned classification.
Information shall be assigned one of the following 3 classifications:

a. Public (Level 1) Information is by its very nature designed to be shared
broadly, without restriction, at the complete discretion of the owner. It may
or may not have been explicitly designated as public. Public information may
be freely disseminated without potential harm to LIT, individuals, or
affiliates. From the perspective of confidentiality, public information may be
disclosed or published by any person at any time.
Examples of Public Information include: advertising and marketing literature,
degree program descriptions, course offerings and schedules, campus maps,
job postings, press releases, descriptions of LIT products and services, and
certain types of unrestricted directory information.

b. Sensitive (Level 2) Information can be difficult to classify as it often presents
attributes of both Public and Confidential information. Sensitive information
may be deemed “public” in the sense that, under certain circumstances,
disclosure may be required under provisions of the Texas Public Information
Act. However, the disclosure of Sensitive information also requires
assurances that its release is both controlled and lawful. Sensitive
information is often intended for use within a specific workgroup,
department or group of individuals with a legitimate need‐to‐know. Likewise,
access to Sensitive information may be controlled by identity authentication
and authorization measures (e.g., ID and password). Unauthorized disclosure
of Sensitive information could adversely impact LIT, individuals, or affiliates.
Examples of Sensitive Information include: some employee records (such as
performance appraisals, dates of birth, and e‐mail addresses), departmental
policies and procedures that might reveal otherwise protected information,
the contents of e‐mail, voicemail, instant messages and memos, unpublished
research, information covered by non‐disclosure agreements, and donor
information.
Generally speaking, Sensitive information should not be published or
disclosed to the public except by the designated owner of the information in
accordance with the owner’s established practices, or after consultation with
the CFO or President.

c. Confidential (Level 3) Information is defined by TAC 202 to be “information
that is exempt from disclosure requirements under the provisions of
applicable state or federal law” such as the Texas Public Information Act
(TPIA) and the Family Education Rights and Privacy Act (FERPA).
Confidential information is generally intended for a very specific purpose and
shall not be disclosed to anyone without a demonstrated need‐to‐know,
even within a workgroup or department. Disclosure of Confidential
information is generally regulated by specific legal statutes (e.g., TPIA, FERPA,
HIPAA), published opinions by the Office of the Attorney General of Texas,
Texas State University System Regents Rules, or contractual agreements.
Unauthorized disclosure of this information could have a serious adverse
impact on the institution, individuals, or affiliates, and presents the most
serious risk of harm if improperly disclosed.
Examples of Confidential (Level 3) Information include: student education
records as defined under FERPA, credit card and financial account
information, social security numbers, driver license numbers, personally
identifiable medical records, passport information, crime victim information,
library transactions (e.g., circulation records), court sealed records, and
access control credentials (e.g., PINs and passwords).
Confidential information must not be disclosed to the public under any
circumstances other than those specifically authorized by law. Any such
disclosure should be immediately reported to TSHD for damage mitigation
and investigation. Requests for such information received from persons with
a questionable need to know should be directed to the CFO or President.

04.09 Standards for Handling Sensitive and Confidential Information.
Because of the harm that can result from improper disclosure, Sensitive and
Confidential LIT information shall be afforded the following special protections
by Owners, Custodians, and Users:

a. A person’s social security number, driver license number, or other widelyused
government issued identification number shall not be captured, stored,
or used as a person identifier unless such use is required by an external,
governmental, or regulatory system that is authorized for use at LIT. The LIT
ID number should be used in lieu of such prohibited identifiers in situations
where personal names or other identifiers do not assure uniqueness. Where
use of such numbers is required and authorized, owners, custodians, and
users shall store these numbers in encrypted form or behind other
compensating controls with the advice and consent of Technology Services.

b. Payment cardholder data (i.e., the primary account number or the magnetic
stripe contents together with any one of: cardholder name, expiration date,
or the 3‐digit service code) shall not be stored on any device connected to
the LIT data network for longer than is necessary to authorize a transaction
using that information.

c. Sensitive or Confidential information must not be transmitted electronically
in unencrypted form. Either the information itself must be encrypted prior
to transmission or an encrypted connection must be established and
maintained for the duration of the transmission. Authorized encrypted
connection examples include LIT’s implementations of: VPN ‐ Virtual Private
Network, SSL – Secure Socket Layer, and SSH – Secure SHell. Note that most
electronic mail systems do not establish and maintain encrypted connections
and thus are not appropriate for use in transmitting unencrypted Sensitive or
Restricted/Confidential information.
[TAC 202.75(4)]

d. Sensitive or Confidential information should not be stored on portable
devices or media such as notebook or tablet computers, PDAs, smart phones,
USB drives, CDs, DVDs, tape cartridges, etc. If such storage is required, the
Sensitive or Confidential information must be protected by encryption or by
other compensating controls with the advice and consent of IT Security.

e. Sensitive or Confidential information must not be accessed from remote
locations in an unauthorized manner. Examples of authorized remote access
solutions include the LIT’s implementations of: VPN ‐ Virtual Private
Network, SSL – Secure Socket Layer, and SSH – Secure SHell. Third party
remote access solutions like PCAnywhere® and GoToMyPC® are not
authorized.

f. Sensitive or Confidential information should not be stored on personallyowned
devices or media. If such storage is required, the Sensitive or
Confidential information must be protected by encryption or by other
compensating controls with the advice and consent of IT Security.

g. Sensitive or Confidential information shall not be stored on any devices
external to the campus network except as provided under contract with an
authorized information resource management service that is contractually
bound to properly protect the information.

h. Where encryption is required for protection of Sensitive or Confidential
information, the encryption must:

1) employ non‐proprietary, industry standard mechanisms;

2) be implemented through widely used and tested libraries;

3) utilize at least 128 bits of complexity for symmetric encryption;

4) utilize at least 1024 bits for asymmetric key‐based encryption.
Compliant encryption solutions are available through TSHD.

i. Sensitive or Confidential information shall not be shared, exposed or
transmitted via any peer‐to‐peer (P2P) file sharing.

04.10 Transfer, Disposal, or Destruction of Information Assets. The sale, transfer, or
disposal of old, obsolete, damaged, nonfunctional, or otherwise unneeded
electronic devices and media pose information risks for LIT. These risks are
related primarily to the media contents that might be exposed, which can be
Sensitive or Confidential information, licensed and non‐transferable software,
copyrighted intellectual property, or other protected information. Even
supposedly deleted data can be retrieved through contemporary data recovery
techniques.
Under Texas Government Code § 2054.130, state agencies and institutions of
higher education are required to permanently remove data from data processing
equipment before disposing of or otherwise transferring the equipment to an
entity that is not a state agency or other agent of the state. DIR recommends
that “unless the agency can absolutely verify that no personal or confidential
information, intellectual property, or licensed software is stored on the hard
drive/storage media, the hard drive/storage media should be sanitized or be
removed and destroyed.”
[TAC 202.78]
Owners, custodians, and users shall contact TSHD for media sanitization
assistance prior to transferring ownership or otherwise disposing of any
magnetic media (e.g., hard disk drives, USB drives, backup tape cartridges, DVDs,
CDs, etc.) or any devices containing such media (e.g., computers, PDAs and smart
phones, printers, copiers, etc.). TSHD will securely sanitize or destroy the
media, at its sole discretion, and maintain appropriate records of the action
taken.
Owners, custodians, and users shall not repurpose or reassign any electronic
device or electronic media contained within a device without first fully sanitizing
the media using a tool sanctioned by TSHD.

05. HUMAN RESOURCES SECURITY

05.01 In any organization, people represent both the greatest information security
assets as well as the greatest information security threats. Consequently,
employee awareness and motivation are integral parts of any comprehensive
information security program.

05.02 To emphasize security awareness and the importance of individual responsibility
with respect to information security, all LIT employees shall explicitly affirm their
agreement to abide by LIT information security, copyright, and appropriate use
policies.
[TAC 202.77(a)]

05.03 Technology Services shall provide training and literature at all new employee
orientation sessions, as well as periodic seminars, workshops, and other
educational events for existing employees. All such training and events will
provide references to relevant LIT policy and procedure documents and promote
information security policies, procedures, guidelines, and best practices.
Department supervisors shall continually reinforce the value of security
consciousness in all employees whose duties entail access to Sensitive or
Confidential information resources.
[TAC 202.77(d) and (e)]

05.04 Department supervisors are responsible for implementing the measures
necessary to ensure that department members maintain the confidentiality of
information used in departmental operations. Examples of such information
include personnel and payroll records, transcript and grade records, financial aid
information, and other Sensitive or Confidential information. Such information
shall not be used for unauthorized purposes or accessed by unauthorized
individuals.
[TAC 202.77(c) and TAC202.70(1)]

05.05 Department supervisors are responsible for ensuring that access privileges are
revoked or modified as appropriate for any employee in their charge who is
terminating, transferring, or changing duties. Department supervisors should
provide written notification to the appropriate security administrator whenever
an employee's access privileges should be revoked or changed as a result of the
employee's change in status.
[TAC 202.75(3)(B)]

05.06 Technology Services shall obtain and retain signed non‐disclosure agreements
from all temporary employees, consultants, contractors, and other external
parties prior to their obtaining access to Texas State information resources. The
agreements shall affirm their compliance with LIT security policies and
procedures.
[TAC 202.77(c)]

06. PHYSICAL AND ENVIRONMENTAL SECURITY

06.01 Physical access to mission critical information resources facilities shall be
managed and documented by the facility’s custodian. The facilities must be
protected by physical and environmental controls appropriate for the size and
complexity of the operations and the criticality or sensitivity of the systems
operated within those facilities.
[TAC 202.73(a)]

06.02 Reviews of physical security measures shall be conducted annually by the
custodian in conjunction with each facility’s risk assessment, as well as whenever
facilities or security procedures are significantly modified.
[TAC 202.73(b)]

06.03 Terminals, computers, workstations, mobile devices (e.g., PDA’s, portable
storage devices, smart phones, etc.), communication switches, network
components, and other devices outside the LIT primary data centers shall receive
the level of protection necessary to ensure the integrity and confidentiality of
the LIT information accessible through them. The required protection may be
achieved by physical or logical controls, or a combination thereof.
No authenticated work session (i.e., a session in which the user’s identity has
been authenticated and authorization has been granted) shall be left unattended
on one of these devices unless appropriate measures have been taken to
prevent unauthorized use. Examples of appropriate measures include:

a. activation of password‐protected keyboard or device locking;

b. automatic activation of a password‐protected screensaver after a brief
inactivity period (15 minutes or less, based upon risk assessment); and

c. location or placement of the device in a locked enclosure preventing access
to the device by unauthorized parties.
The creator of the work session is responsible for any activity that occurs during
a work session logged‐in under his or her account.

07. COMMUNICATIONS AND OPERATIONS MANAGEMENT

07.01 Network resources used to exchange Sensitive or Confidential information shall
protect the confidentiality of the information for the duration of the session.
Controls shall be implemented commensurate with the highest risk.
Transmission encryption technologies (e.g., VPN, SSL, https, SSH, IPSEC, etc.)
shall be employed to accomplish this objective.
[TAC 202.75(4)]

07.02 Sensitive or Confidential LIT information must not be transmitted in unencrypted
form. Either the information itself must be encrypted prior to transmission or an
encrypted connection must be established and maintained for the duration of
the transmission. Authorized encrypted connection examples include the LIT
implementations of VPN (Virtual Private Network), SSL (Secure Socket Layer),
and SSH (Secure Shell), as well as any wireless network connection utilizing the
Wi‐Fi Protected Access 2 (WPA2) Advanced Encryption Standard (AES). These
restrictions apply regardless of the user’s location and include transmissions over
any private or public network accessible to the user, including in‐home
networks.

07.03 To facilitate security of the campus network, owners, custodians, and users of
information resources shall adhere to the provisions of the LIT Network Use
Policy.

07.04 Owners of distributed information resources within the campus network shall
prescribe sufficient controls to ensure that access to those resources is restricted
to authorized users and uses only. Examples of such resources include network
equipment rooms, data closets, and the equipment contained within them.
Controls shall restrict access to the resources based upon user identification and
authentication (e.g., password, smartcard/token), physical access controls, or a
combination thereof.
[TAC 202.70(1) and TAC 202.75 (3)]

07.05 Owners of applications containing or with access to Sensitive or Confidential
information, or applications involving automated transmission of such
information to other applications, shall require authentication of user identity
prior to granting access to the applications.
[TAC 202.70(1) and TAC 202.75(3)]

08. ACCESS CONTROL

08.01 Prior to obtaining access to the LIT network, any device connected to that
network, any service provided via that network, or any application hosted on
that network, individuals shall be required to authenticate themselves as
authorized users of the network, service, device, or application.
An LIT‐assigned network identifier (e.g., ID or Banner ID number) and its
corresponding “secret” (e.g., a Password/PIN) shall be used to accomplish the
authentication. The network identifier shall be unique to an individual in all cases
except for authorized “administrator” accounts that must be accessible to a
team of custodians charged with supporting a breadth of resources.
[TAC 202.75(3)(A) and (C)]
Based upon security risk assessment, and excepting administrator accounts as
described in the preceding paragraph, owners and custodians shall implement
and maintain audit trails and transaction logs as necessary to provide individual
accountability for changes to mission critical information, hardware, software,
and automated security or access rules.
[TAC 202.75(5)]

08.02 Self‐service systems must incorporate security procedures and controls to
ensure the data integrity and protection of Sensitive or Confidential information.
Self‐service systems must authenticate the identity of individuals that utilize the
systems to retrieve, create, or modify Sensitive or Confidential information
about them.
[TAC 202.75(3)(C)]

08.03 To the extent practicable, all initial login and authentication screens should
clearly and prominently display the appropriate user advisory informing all users
to use the LIT network they must comply with all appropriate policies. In
addition, the notification shall inform the user where to obtain all identified
policies.
[TAC 202.75(9) and TAC 202.77(a)]

08.04 A user's ID shall be deactivated whenever the user’s then current affiliation with
LIT no longer qualifies the user to possess an active ID.
[TAC 202.75(3)(B)]

08.05 Sensitive and Confidential information shall be accessible only to personnel with
authorization from the information owner on a strict "need to know" basis in the
performance of their assigned duties. Such information shall be disclosed only by
the information owner(s).
[TAC 202.75(2)]

08.06 Passwords. LIT systems that employ passwords for authenticating user identities
should comply with the following minimum password acceptability standards:

a. Passwords must be case‐sensitive;

b. Passwords must be between 8 and 31 characters in length;

c. Passwords may include only the characters a‐z, A‐Z, 0‐9, $ (dollar sign), ‐
(hyphen), and _ (underscore), with no embedded spaces and;

d. Passwords cannot have been used previously for the designated ID.
Password repositories must utilize one‐way encryption and, once assigned, the
password must not be retrievable by anyone. Thus, when a password is lost or
forgotten, the existing password will not be retrieved but rather, a new
password will be assigned.
Passwords shall be distributed from the password source to the owner in a
confidential manner. Newly‐assigned accounts must require a password change
by the ID owner upon initial login and at least once per year thereafter. System
owners and custodians may require more frequent password changes based
upon risk assessment results. Passwords shall be changeable by their owners at
will.
[TAC 202.75(3)(D)]

09. INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT, AND MAINTENANCE

09.01 Test functions shall be kept either physically or logically separate from
production functions. Copies of production data shall not be used for testing
unless all personnel involved in testing are authorized access to the production
data or all confidential information has been removed from the test copy.
[TAC 202.75(6)(A)]

09.02 Appropriate information security and audit controls shall be incorporated into
new systems. Each phase of systems acquisition or development shall
incorporate corresponding development or assurances of security controls. The
movement of system components through various lifecycle phases shall be
tracked and more specifically, the movement of any software component into
production shall be logged.
[TAC 202.75(6)(B)]

09.03 After a new system has been placed into production, all program changes shall
be authorized and accepted by the system owner (or the owner’s designee) prior
to implementation.
[TAC 202.75(6)(C)]

09.04 To the extent practicable, the principle of separation of duties shall be applied to
the system development and acquisition lifecycle. The developer/maintainer of
a component should not also have the ability to place the component into
production.

09.05 Modifications to production data by custodians or developers shall be authorized
in advance by the data owner. If advance authorization is not possible in a real
or perceived emergency, the owner shall be notified as soon as possible after the
fact and the notification logged. The notification log entry shall contain the
notification date and time, a description of the data modified the justification for
the modification, and the identities of the owner and the custodian.

10. INFORMATION SECURITY INCIDENT MANAGEMENT

10.01 The ISO is charged with establishing and maintaining an effective security
incident response program to ensure that:

a. security events are thoroughly investigated and documented;

b. immediate damage is minimized, latent risks are identified, and subsequent
exposures are mitigated;

c. incident reporting and notification are timely and legally compliant; and

d. remedial actions are taken to prevent recurrence.
[TAC 202.76]

10.03 Owners, custodians and users must immediately report suspected information
resources security incidents to TSHD at (409) 839‐2074 or helpdesk@lit.edu.

10.04 If criminal activity is suspected, the ISO shall immediately contact the
appropriate law enforcement and investigative authorities.
[TAC 202.76(b)]

10.05 Information security incident response will be managed by the ISO (or the ISO’s
designee) and will involve, at a minimum, Technology Services staff and the
owner(s) and custodian(s) of the compromised information resource(s). The ISO
shall fully document the incident, the investigation itself, and the results of the
investigation. A draft incident report will be prepared and shared with the
CIO/ISO, the owner(s) and custodian(s) of the compromised resource(s), their
respective vice president(s), the president, and the Director of Audit and
Compliance.
The draft report’s completeness and accuracy will be reviewed in a meeting of
the report recipients and modifications noted in that meeting. The final report
will be released to all recipients subsequent to the review meeting. If required,
the results will be included in the ISO’s report to the DIR (see below).
10.06 The ISO shall report any incident to the Texas Department of Information
Resources (DIR) within twenty‐four hours, and to other entities as may be
appropriate to the incident, if the initial incident investigation reveals a critical
threat that might propagate beyond the confines of the campus network and
threaten other networks.
[TAC 202.76(a)]

10.07 The ISO shall also provide recurring summary reports to the DIR as directed by
the DIR.
[TAC 202.76(c)(d)(e)]

11. BUSINESS CONTINUITY MANAGEMENT

11.01 Administrative supervisors responsible for delivering mission critical LIT services
should maintain written Business Continuity Plans (BCP) that provide for
continuation or restoration of such services following a disruption in critical
information systems, communication systems, utility systems, or similar required
support systems.
The BCP should incorporate:

a. A Business Impact Analysis that addresses the maximum possible downtime
for critical service delivery components and resources including: key
personnel, facilities, components of electronic information and
communication systems (e.g., voice and data network, hardware, and
software), and vital electronic and hard copy records and materials;

b. To the extent practicable, alternate methods and procedures for
accomplishing its program objectives in the absence of one or more of the
critical service delivery components;

c. A Security Risk Assessment to weigh the cost of implementing preventive
measures against the risk of loss from not taking preventive action;

d. A Recovery Strategy Assessment that documents realistic recovery
alternatives and their estimated costs; and

e. Reference to a Disaster Recovery Plan that provides for the continuation or
restoration of electronic information and communication systems as
described later in this section.
Key aspects of the BCP should be tested or exercised at least annually and
updated as necessary to assure the plan’s continued viability.
[TAC 202.74]

11.02 Technology Services shall prepare and maintain a written and cost‐effective
Disaster Recovery Plan that addresses key infrastructure components in its
custody. The plan should provide for the prompt and effective continuation or
restoration of critical LIT information systems and processes if a disaster were to
occur that might otherwise severely disrupt these systems and processes. The
plan should provide for the scheduled backup of mission critical information and
for the off‐site storage of that backup in a secure, environmentally safe, and
locked facility accessible only to authorized Technology Services staff. The
plan should also identify other key continuation and recovery strategies,
required resources, alternate sources of required resources, as well as measures
employed to minimize harmful impacts. Technology Services shall exercise or
test key aspects of the Disaster Recovery Plan and make periodic updates as
necessary to assure its viability.
[TAC 202.74(a)(5)]

12. COMPLIANCE

12.01 An internal audit of the Information Security Program shall be performed
biennially, based on risk assessment, as directed by the TSUS System, the
President, or the CIO/ISO.
[TAC 202.71(e)]

12.02 Key aspects of the LIT Information Security Program shall be a prominent
component of any LIT program designed to encourage or enhance legal and
policy compliance by LIT constituents.