The Texas State University System considers information technology critical to fulfillment of its mission and has made significant investments in information technology assets and capabilities. In order to assure that System and Component networks are effectively and properly managed; to protect these assets against unauthorized access, disclosure, modification or destruction; and to assure the security, availability, integrity, utility, authenticity, and confidentiality of information, including server hardware and software, each Component institution shall develop and disseminate an institutional policy statements consistent with the policy guidelines as referenced in Subparagraph 19.2 (See Texas Administrative Code, Title 1, Part 10, Chapter 202, Subchapter C (TAC 202)).
19.2 Policy Components.
Each Component shall adopt an information technology policy addressing the following areas and that are consistent with the associated TSUS “IT” Policy Guidelines:
(1)Network Management, including network purpose; address and device management; oversight roles and responsibilities; usage responsibilities; and, threat and incident response; (See Appendix A-4);
(2) Information Security, including purpose; organization; risk assessment; asset management; human resources security; physical and environmental security; communication and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; and legal, regulatory, and contractual compliance; (See Appendix A-3);
(3)Appropriate Use of Information Technology Resources, including general purpose; individual versus institutional purpose, personal versus official representation; limitations on availability of information technology resources; privacy and confidentiality of electronic documents; TSUS institutional responsibilities; consequences of failure to comply with informational technology policy; (See Appendix A-2) and,
(4)Server Management, including server purpose and function; server management roles and responsibilities; conformance with server management best practices; and, threat and incident response. (See Appendix A-5).
19.3 Central Review and Oversight.
Each Component shall develop policies and mechanisms, providing for chief information officer or other central review and oversight of all Component information technology acquisitions, including, but not limited to, computing hardware, software, and hosting services, regardless of source of funds.