Department of Information Resources
Leadership for Texas Government Technology


1 TAC §202 Changes

Changes to 1 TAC Section 202:
Subchapter A (Definitions)

| 2004 Approved Version | 2006 Latest Approved Version | Subchapter A Definitions | Comments |
|---|---|---|---|
| 202.1 Definitions | | Same | |
| 202.1(1-11) | | Same | |
| | 202.1(12) | Restricted Personal Information--Includes an individual's social security number, or data protected under state or federal law (e.g., financial, medical or student data). | New Definition |
| | 202.1(13) | Sanitized--Overwriting data using software tools and procedures to comply with the U.S. Department of Defense 5220.22-M standard for disk-sanitization. For specific types storage media see Department of Defense 5220.22-M §8-500. Software and Data, Table 1 Clearing and Sanitization Data Storage | New Definition |
| 202.1(12) | 202.1(14) | Same | Number Change |
| 202.1(13) | 202.1(15) | Same | Number Change |
| 202.1(14) | 202.1(16) | Same | Number Change |
| 202.1(15) | 202.1(17) | Same | Number Change |
| | 202.1(18) | Storage Device--Any fixed or removable device that contains data and maintains the data after power is removed from the device. | New Definition |
| 202.1(16) | 202.1(19) | Test--A simulated or documented "real-live" incident for which records are kept of the incident. | Number Change |
| 202.1(17) | 202.1(20) | User of an Information Resource--An individual or automated application authorized to access an information resource in accordance with the owner-defined controls and access rules. | Number Change |
| | 202.1(21) | Vulnerability Assessment--A measurement of vulnerability which includes the susceptibility of a particular system to a specific attack and the opportunities available to a threat agent to mount that attack. | New Definition |
| 202.1(18) | 202.1(22) | Vulnerability Report--A computer related report containing information described in §2054.077(b), Government Code, as that section may be amended from time to time. | Number Change |
| | 202.1(23) | Wireless Access--Using one or more of the following technologies to access the information resources systems of a state agency or institution of higher education: | New Definition |
| | 202.1(24) | Wireless Security Guidelines--The National Institute of Standards and Technology Special Publication 800-48, Wireless Network Security 802.11, Bluetooth and Handheld Devices. | New Definition |
| | 202.1(24)(A) | Wireless Local Area Networks--Based on the IEEE 802.11 family of standards. | New Definition |
| | 202.1(24)(B) | Wireless Personal Area Networks--Based on the Bluetooth and/or InfraRed (IR) technologies | New Definition |
| | 202.1(24)(C) | Wireless Handheld Devices--Includes text-messaging devices, Personal Digital Assistant (PDAs), and smart phones | New Definition |

Changes to 1 TAC Section 202:
Subchapter B (Agencies) &
Subchapter C (Institutions of Higher Education)

| 2004 Approved Version | 2006 Latest Approved Version | Subchapter B (Agencies) & C (Institutions of Higher Education) | Comments |
|---|---|---|---|
| 202.25(c)(5); 202.75(3)(E) | 202.25(3)(E); 202.75(3)(E) | For electronic communications where the identity of a sender or the contents of a message must be authenticated, the use of digital signatures is encouraged. Institutions of higher education should refer to guidelines and rules issued by the department for further information. (Ref. 1 TAC Chapter 203. Additional information and guidelines are included in PART 2: Risks Pertaining to Electronic Transactions and Signed Records in "The Guidelines for the Management of Electronic Transactions and Signed Records" that are available at http://www.dir.state.tx.us/UETA_Guideline.htm.) | Changed wording and number change 2004 and 2006 |
| 202.25(g) | 202.25(7) | | The numbers have changed for Agencies (not Institutions of Higher Education) |
| 202.25(g)(6) | 202.25(7)(F); 202.75(7)(F) | Email--Establishes prudent and acceptable practices regarding the use of email for the sending, receiving, or storing of electronic mail. Ensures compliance with applicable statutes, regulations, and mandates. The policy shall prohibit sending an individual’s name along with any restricted personal information unless the data (individual’s name and restricted personal information) is encrypted. | Number change for Agencies. Added wording for both subchapters. |
| | 202.25(7)(W); 202.75(6)W | Wireless Access--Establishes the requirements and security restrictions for installing or providing access to the state agency information resources systems. Using the wireless security guidelines, the policy shall address the following topic areas | New Section |
| | 202.25(7)(W)(i); 202.75(7)(W)(i) | For Wireless Local Area Networks, ensure that Service Set Identifiers (SSID) values are changed from the manufacturer default setting. Some networks should not include organizational or location information in the SSID. Additional equipment configuration recommendations are included in the Wireless Security Guidelines. | New Section |
| | 202.25(7)(W)(ii); 202.75(7)(W)(ii) | Types of information that may be transmitted via wireless networks and devices with or without encryption. State agencies shall not allow access to confidential information, mission critical information or restricted personal information unless the cryptographic keys used are larger than 80-bits (See §3.3 Security of 802.11 Wireless LANs in the Wireless Security Guidelines). | New Section |
| | 202.25(7)(W)(iii); 202.75(7)(W)(iii) | Types of information that may be stored on laptop computers or wireless handheld devices with or without encryption | New Section |
| | 202.25(7)(W)(iv); 202.75(7)(W)(iv) | Prohibit the installation of Wireless Personal Area Networks on state agency IT systems by individuals without the approval of the state agency information resources manager | New Section |
| | 202.25(7)(X); 202.75(7)(X) | Vulnerability Assessment--Establishes the requirements to conduct periodic information vulnerability assessments and specific focus areas for the assessments based on the results of the security risk assessment. | New Section |
| | 202.28; 202.78 | Removal of Data from Data Processing Equipment. | New Section |
| | 202.28(a); 202.78(a) | State agencies shall comply with the requirements and procedures addressing the sale or transfer of data processing equipment in §403.278, Government Code (between institutions of higher education or state agencies) or Chapter 2175, Government Code (for all other transactions). | New Section |
| | 202.28(b); 202.78(b) | Prior to the sale or transfer of data processing equipment, to other than another Texas state agency or agent of the state, state agencies shall assess whether to remove data from any associated storage device. | New Section |
| | 202.28(b)(2); 202.78(b)(2) | Electronic state records shall be destroyed in accordance with §441.185, Government Code. If the record retention period applicable for an electronic state record has not expired at the time the record is removed from data process equipment, the state agency shall retain a hard copy or other electronic copy of the record for the required retention period. | New Section |
| | 202.28(b)(2); 202.78(b)(2) | If it is possible that restricted personal information, confidential information, mission critical information, intellectual property, or licensed software is contained on the storage device, the storage device should be sanitized or the storage device should be removed and destroyed. Additional information on sanitization tools and methods of destruction (that comply with the Department of Defense 5220.22-M standard) are provided in the "Sale or Transfer of Computers and Software" guidelines available at http://www.dir.state.tx.us. | New Section |
| | 202.28(c); 202.8(c) | State agencies shall keep a record/form (electronic or hard copy) documenting the removal and completion of the process with the following information | New Section |
| | 202.28(c)(1); 202.78(c)(1) | date; | New Section |
| | 202.28(c)(2); 202.78(c)(2) | description of the item(s) and serial number(s); | New Section |
| | 202.28(c)(3); 202.78(c)(3) | inventory number(s); | New Section |
| | 202.28(c)(4); 202.78(c)(4) | the process and sanitization tools used to remove the data or method of destruction; and | New Section |
| | 202.28(c)(5); 202.78(c)(5) | the name and address | New Section |



 
Last updated February 26, 2003