Policy 7.11 Information Security
SCOPE: FACULTY AND STAFF
1. POLICY STATEMENTS
1.1. Title 1, Part 10, Chapter 202, Texas Administrative Code, commonly known as TAC 202, requires the chief executive of each Texas state agency and public institution of higher education to protect their institution‘s information resources by establishing an Information Security Program consistent with the TAC 202 standards. In compliance with TAC 202, this policy statement reflects the policies, procedures, standards and guidelines comprising the Information Security Program of Lamar Institute of Technology (LIT). The terms and phrases in this policy statement shall have the meanings ascribed to them in TAC 202.1 unless otherwise provided herein.
2. INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT, AND MAINTENANCE
2.1. Test functions shall be kept either physically or logically separate from production functions. Copies of production data shall not be used for testing unless all personnel involved in testing are authorized access to the production data or all confidential information has been removed from the test copy.[TAC 202.75(6)(A)]
2.2. Appropriate information security and audit controls shall be incorporated into new systems. Each phase of systems acquisition or development shall incorporate corresponding development or assurances of security controls. The movement of system components through various lifecycle phases shall be tracked and more specifically, the movement of any software component into production shall be logged. [TAC 202.75(6)(B)]
2.3. After a new system has been placed into production, all program changes shall be authorized and accepted by the system owner (or the owner‘s designee) prior to implementation.[TAC 202.75(6)(C)]
2.4. To the extent practicable, the principle of separation of duties shall be applied to the system development and acquisition lifecycle. The developer/maintainer of a component should not also have the ability to place the component into production.
2.5. Modifications to production data by custodians or developers shall be authorized in advance by the data owner. If advance authorization is not possible in a real or perceived emergency, the owner shall be notified as soon as possible after the fact and the notification logged. The notification log entry shall contain the notification date and time, a description of the data modified the justification for the modification, and the identities of the owner and the custodian.
3. BUSINESS CONTINUITY MANAGEMENT
3.1. Administrative supervisors responsible for delivering mission critical LIT services should maintain written Business Continuity Plans (BCP) that provide for continuation or restoration of such services following a disruption in critical information systems, communication systems, utility systems, or similar required support systems.
3.2. The BCP should incorporate:
3.2.1. A Business Impact Analysis that addresses the maximum possible downtime for components of electronic information and communication systems (e.g., voice and data network, hardware, and software), and vital electronic and hard copy records and materials;
3.2.2. To the extent practicable, alternate methods and procedures for accomplishing its program objectives in the absence of one or more of the critical service delivery components;
3.2.3. A Security Risk Assessment to weigh the cost of implementing preventive measures against the risk of loss from not taking preventive action;
3.2.4. A Recovery Strategy Assessment that documents realistic recovery alternatives and their estimated costs; and
3.2.5. Reference to a Disaster Recovery Plan that provides for the continuation or restoration of electronic information and communication systems as described later in this section.
3.2.6. Key aspects of the BCP should be tested or exercised at least annually and updated as necessary to assure the plan‘s continued viability. [TAC 202.74]
3.3. LIT Information Technology shall prepare and maintain a written and costeffective Disaster Recovery Plan that addresses key infrastructure components in its custody. The plan should provide for the prompt and effective continuation or restoration of critical LIT information systems and processes if a disaster were to occur that might otherwise severely disrupt these systems and processes. The plan should provide for the scheduled backup of mission critical information and for the off-site storage of that backup in a secure, environmentally safe, and locked facility accessible only to authorized LIT Information Technology staff. The plan should also identify other key continuation and recovery strategies, required resources, alternate sources of required resources, as well as measures employed to minimize harmful impacts. LIT Information Technology shall exercise or test key aspects of the Disaster Recovery Plan and make periodic updates as necessary to assure its viability.[TAC 202.74(a)(5)]