State of Texas Department of Information Resources

(Revisions in Progress) State Agency Checklist based on the Texas Administrative Code (TAC) Title 1 Administration Part 10 Department of Information Resources and the Information Resources Management Act (IRMA).

As of February 18, 2005

Information Resources Manager

  1. Has the agency designated an individual as the Information Resources Manager (IRM)?
  2. Is the IRM a senior official of the agency?
  3. Does the IRM report directly to a person with a title functionally equivalent to executive director or deputy executive director?
  4. Does the IRM have a four-year degree from a fully-accredited institution?
  5. Did the IRM meet or exceed the continuing education requirements? Level 5: 30 contact hours per fiscal year
  6. Did the IRM take the required topics by competency area and required minimum hours?
  7. If the IRM did not meet the continuing education requirements, did the agency obtain an approved compliance waiver from the Department?

~ References TAC §201.3 and IRMA §2054.071 - 2054.076

Agency Planning

  1. Is the agency strategic plan consistent with the State Strategic Plan for Information Resources Management?
  2. Does the plan include a statement of the agency's goals, objectives, and programs as found in the agency's legislative appropriations request?
  3. Does the plan include a description of the agency's major databases and their applications?
  4. Does the plan include a description of the agency's information resources (IR) management organizations, policies, and practices?
  5. Does the plan include a description of interagency computer networks in which the agency participates?
  6. Does the plan include a statement of the strategic objectives of the agency relating to IR management for the next five fiscal years, beginning with the fiscal year during which the plan is submitted, with a description of how those objectives help achieve the agency's programs and goals, and a description of how those objectives support and promote the goals and policies of the state strategic plan?
  7. Has the presiding officer of the governing body of the agency or the executive director of the agency signed the agency strategic plan?
  8. Did the agency submit a biennial operating plan, not later than the 30th day after the date the General Appropriations Act for the biennium became law, and in compliance with the instructions provided?
  9. Has the agency submitted an amended plan to reflect new or changed initiatives contained in the agency's legislative appropriations request?

~ References IRMA § 2054.095 - § 2054.104

IR Standards

  1. Does the agency use the Texas Agency Network (TEX-AN), or have an approved waiver? ~ IRMA § 2054.203 - § 2054.207
  2. Does the agency adhere to the published standards when wiring or rewiring state-owned or state-leased space? ~ TAC §208
  3. If the agency holds an open or closed meeting by videoconference call, do the systems used comply with the approved standards? ~ TAC §209
  4. Do the audience and members of the governmental body have full view of at least one monitor at each videoconferencing location? ~ TAC §209
  5. Are the audio signals perceptible from the remote videoconferencing sites of similar quality and volume as the local audio at the originating site? ~ TAC §209
  6. Are videoconference calls involving more than two sites controlled such that the received video at all sites is switched to the speaking participant's site within two seconds of the participant's commencement of speaking? ~ TAC §209
  7. Does the agency purchase commodity software in accordance with contracts developed by the department, or has it obtained an approved waiver? ~ TAC §201.18
  8. Has the agency developed and documented processes and procedures for quality assurance guidelines for IR projects? TAC §201.19 and IRMA §2054.156
  9. Do the agency's quality assurance guidelines include processes for analyzing and managing information resource project risk? TAC §201.19 and IRMA §2054.156
  10. Do the agency's quality assurance guidelines include processes for determining benefits and costs of IR projects? TAC §201.19 and IRMA §2054.156
  11. Do the agency's quality assurance guidelines include processes for evaluating the effectiveness and efficiency of information resource projects? TAC §201.19 and IRMA §2054.156
  12. Has the agency used the quality assurance guidelines on major IR projects? TAC §201.19 and IRMA §2054.156
  13. Are all security-related IR changes approved by the owner through a quality assurance process prior to implementation? TAC §202
  14. If the agency has received IR technologies under a contract from another state agency, did they solicit bids or proposals for the procurement of such technologies by giving public notice of a request for proposals or a request for bids? TAC §201.7 and IRMA §2054.119
  15. If Geographic Information Systems (GIS) are used, do they comply with the state standards? TAC §201.6 and Water Code, 16.021
  16. If the agency receives information from members of the public or from regulated persons by means of a form, or receives payments of money from members of the public or from regulated persons, does it include a plan for receiving the forms or the payments through the Internet or through other electronic means? IRMA § 2054.096

Security, Risk Management, Disaster Recovery and Business Continuity

  1. Has the agency developed and documented an information security program?
  2. Does the security program include written descriptions of IR security responsibilities, assigned resources, policies, guidelines, data security classification schemes, standards and procedures for the protection of information resources?
  3. Has the agency head approved the security program?
  4. Does the security function report, at least annually, to the agency head on the status and effectiveness of IR security controls?
  5. Has the agency performed and documented a security risk analysis?
  6. Is the security risk analysis updated at least annually for those resources which have been ranked as "high" risk?
  7. Is the security risk analysis updated at least biennially for those resources which have been ranked as "medium" or "low" risk?
  8. Does the security risk analysis include a cost benefit analysis to ensure that the expense of security safeguards is commensurate with the value of the assets being protected?
  9. Does the security risk analysis weigh the cost of implementing preventative measures against the risk of loss from not taking action?
  10. Has the agency head approved the security risk management plan?
  11. Has the agency developed and documented a disaster recovery plan for information resources?
  12. Does the disaster recovery plan contain measures that address the impact and magnitude of loss or harm that will result from an interruption?
  13. Does the disaster recovery plan identify recovery resources and establish a source for each?
  14. Does the disaster recovery plan ensure the continuity of information resources supporting critical services in the event of a disaster or business interruption?
  15. Does the disaster recovery plan contain step-by-step implementation instructions?
  16. Is the disaster recovery plan maintained to ensure currency?
  17. Is the disaster recovery plan tested annually?
  18. Is physical access to mission critical IR facilities managed and documented by the agency head or his/her designated representative(s)?
  19. Are reviews of physical security measures for information resources conducted annually by the agency head or his/her designated representative(s)?
  20. Are employees designated and trained to monitor and protect information resources from environmental hazards, and to respond in case of emergency or equipment problems?
  21. Have emergency procedures been developed and documented?
  22. Are the emergency procedures updated and tested at least annually?
  23. Does the agency maintain a written business continuity plan?
  24. Does the business continuity plan include a business impact analysis to systematically assess the potential impacts of a loss of business functionality due to interruption of computing and/or infrastructure support services?
  25. Does the business continuity plan address maximum tolerable downtime for time-critical support services and resources, including personnel, facilities, technology platforms, software, IR security utilities, data networks and equipment, voice networks and equipment, and vital electronic records and/or data?
  26. Has the agency created, distributed and implemented information security policies covering: acceptable use; account management; backup and recovery; change management; e-mail; incident management; Internet/Intranet use; intrusion detection; network access; network configuration; passwording/authentication; physical access; portable computing; privacy; security monitoring; security awareness and training; platform hardening; authorized software; system development and acquisition; vendor access; and malicious code?
  27. Has the agency information security officer created a DMZ network area between the public Internet and internal private networks?
  28. Does the agency have firewalls to prevent unauthorized access to/from private networks?
  29. Has the agency installed an intrusion detection system?
  30. Has the agency installed routers between networks?
  31. Do agency systems display system identification/logon banners with warning statements including: unauthorized use is prohibited; usage may be subject to security testing and monitoring; misuse is subject to criminal prosecution; and no expectation of privacy except as otherwise provided by applicable privacy laws?
  32. Is access to information resources managed to ensure authorized use?
  33. Has the agency identified and documented information containing any confidential data, and how that information is protected?
  34. Has the agency developed policies and procedures that limit access to confidential information to authorized users?
  35. Has information containing confidential data been identified, documented, and protected in its entirety?
  36. When information resources are assigned from one agency to another, are those resources protected in accordance with the conditions imposed by the providing agency?
  37. Where risk analysis demonstrates a need for individual accountability of users, is user identification authenticated before the system grants that user access?
  38. Are users' access authorizations removed or appropriately modified when their role or responsibilities change?
  39. Do IR systems contain authentication controls that comply with documented agency security risk management decisions?
  40. Are systems that use passwords configured according to industry best practices on password usage and documented agency security risk management decisions?
  41. Has the agency developed policies and procedures for accepting electronic communications containing electronic signatures?
  42. Has the agency developed plans for the acceptance of digital signatures for written electronic communications sent to a state agency where the identity of a sender or the contents of a message must be authenticated?
  43. If the agency accepts electronic communications from the public that contain a digital signature, was the certificate issued by, or from, an approved public key infrastructure (PKI) service provider?
  44. Is encryption for storage and transmission of information based on documented agency security risk management decisions?
  45. Has the agency developed and documented processes and procedures whereby authorized personnel have the ability to audit and establish individual accountability for any action that can potentially cause access to, generation of, modification of, or effect the release of confidential information?
  46. Are appropriate audit trails maintained to provide accountability for updates to mission critical information, hardware and software, and for all changes to automated security or access rules?
  47. Based on the security risk assessment, is a transaction history maintained which is sufficiently complete to permit an audit of the system by logging and tracing the activities of individuals through the system?
  48. Has the agency developed and documented processes and procedures to identify security incidents, and are they reported, investigated and documented promptly?
  49. Are security incidents reported to DIR within 24 hours if there is a substantial likelihood that such incidents could be propagated to other systems beyond the control of the agency?
  50. If criminal action is suspected, does the agency contact the appropriate law enforcement and investigative authorities immediately?
  51. Has the agency identified and implemented network resource controls, commensurate with the security risk analysis?
  52. Is the agency making monthly summary reports to DIR on intrusions, viruses or other incidents that affect the security of their IT resources?
  53. Do the monthly summary reports include a description of the type of activity, the agency's response to the incident, the time elapsed between initial detection and containment/restoration, and the estimated total cost of the response?
  54. Are the monthly summary reports sent to DIR no later than the ninth calendar day of the month?
  55. Are security requirements identified, documented and addressed in all phases of development or acquisition of information resources?
  56. Are test functions kept either physically or logically separate from production functions?
  57. Are information security and audit controls included in all phases of the system development life cycle or acquisition process?
  58. Are all authorized users of the agency's information resources required to formally acknowledge that they will comply with the agency's security policies and procedures prior to being granted access?
  59. Does the agency identify owners, custodians and users of information resources, and define and document their responsibilities?
  60. Are all devices designated for public access configured to enforce security policies and procedures without the requirement for formal acknowledgment?
  61. Has the agency information security officer established a strategy for the use of written non-disclosure agreements to protect information from disclosure by employees and contractors prior to granting access?
  62. Does the agency have an ongoing IR security awareness education program for all users?
  63. Does the agency use new employee orientation to introduce information security awareness and inform new employees of information security policies and procedures?

Reference TAC §202

State Web Sites

  1. Does the agency's accessibility policy address the following:
    • Testing and validation of Web pages, including what site validation standard (e.g., W3C) is used and what brand of validation tool is used. The current validation standards are World Wide Web Consortium (W3C) Level 1, 2, or 3 and Section 508. Brands include W3C (http://www.w3.org/WAI/), Bobby (http://bobby.watchfire.com/bobby/html/en/index.jsp) and WAVE (http://www.wave.webaim.org/index.jsp). The W3C maintains a list of other testing tools at http://www.w3.org/WAI/ER/existingtools.html
    • Does the policy contain contact information for the agency's accessibility coordinator? Note: This should list a contact number and e-mail address (e.g., dirinfo@dir.state.tx.us) if the organization does not want employees' names listed.
    • Does the policy contain a link to the Governor's Committee on People with Disabilities Web site?
  2. Does the agency's privacy and security policy address the following:
    • Notice: Disclose the agency's information practices before collecting personal information from the public, including the use of logging software, cookies, and/or Web bugs; information collected by other technologies and processes; and information collected via e-mail and Web-based forms.
    • Choice: The options individuals have with respect to how personal information collected from them may be used for purposes beyond those for which the information was provided, and whether they wish to have that information shared.
    • Access: The procedure under which an individual may obtain and/or have the agency correct information about the individual.
    • Security: The procedures to ensure that information collected from individuals is accurate and secure from unauthorized use.

  3. If the Web site requires an individual to enter the following information in a Web-based electronic form, is an SSL session or equivalent technology used to encrypt the data:
    • Both the individual's name and other personal information, such as an SSN;
    • Transaction payment information;
    • An individual's access identification code and password;
    • An individual's e-mail address.

  4. Do all Web-based forms that request information from the public have a link to the associated privacy and security policy?
  5. Do all new or changed HTML documents that meet the criteria of a "state publication" as defined by the Texas State Library and Archives Commission, include a descriptive page title and the following meta tags:
    • Description - brief description of the subjects covered.
    • Keywords - specific to the page subject, and should not exceed 25 words.
    • Author - State of Texas, agency name, and/or other identifying information as set by the agency.

  6. Does the home page of a state Web site include the TRAIL metadata?
  7. Does the home page include the following links:
    • Texas home page;
    • Link Policy (Does the main page have a "State Web Site Link and Privacy" link, or a Linking Policy that includes a link to the "State Web Site Link and Privacy" policy?);
    • Statewide Search;
    • Privacy and Security policy;
    • Accessibility policy (Does the Accessibility policy have a link to the Governor's Committee on People with Disabilities Web site?);
    • Agency contact information;
    • Description of the agency's Open Records/Public Information Act policy/procedures;
    • Compact With Texans.
  8. Do all key public entry points provide links to the following:
    • Agency contact information;
    • Agency home page;
    • Accessibility policy;
    • Privacy and Security policy.

Reference TAC §206
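The Web-site items 3, 4 and 5 above are concrete enough to check mechanically. The following is an added example (not DIR code) that parses one HTML page and reports missing meta tags, a keywords tag over 25 words, a form that submits sensitive fields over anything other than https, and a form page with no privacy-policy link; the set of sensitive field names and the sample page are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SENSITIVE_FIELDS = {"password", "ssn", "card_number"}  # constructed list for item 3
MAX_KEYWORD_WORDS = 25  # item 5: keywords meta tag must not exceed 25 words

class PageAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.meta = {}    # meta name -> content
        self.forms = []   # [{"action": str, "fields": [(type, name), ...]}]
        self.links = []   # [(href, link text), ...]
        self._link = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name"):
            self.meta[a["name"].lower()] = a.get("content") or ""
        elif tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["fields"].append(
                ((a.get("type") or "text").lower(), (a.get("name") or "").lower()))
        elif tag == "a":
            self._link = [a.get("href") or "", ""]

    def handle_data(self, data):
        if self._link is not None:
            self._link[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            self.links.append(tuple(self._link))
            self._link = None

def audit(html, page_url):
    """Return findings against checklist items 3, 4 and 5 for one page."""
    p = PageAudit()
    p.feed(html)
    findings = []
    for name in ("description", "keywords", "author"):  # item 5: required meta tags
        if name not in p.meta:
            findings.append(f"missing meta tag: {name}")
    if len(p.meta.get("keywords", "").replace(",", " ").split()) > MAX_KEYWORD_WORDS:
        findings.append("keywords meta tag exceeds 25 words")
    for f in p.forms:  # item 3: sensitive fields must be submitted over SSL
        sensitive = any(t in SENSITIVE_FIELDS or n in SENSITIVE_FIELDS for t, n in f["fields"])
        # A relative action inherits the scheme of the page that served the form.
        scheme = urlparse(f["action"]).scheme or urlparse(page_url).scheme
        if sensitive and scheme != "https":
            findings.append(f"sensitive form not protected by SSL: action={f['action']!r}")
    if p.forms and not any("privacy" in text.lower() for _, text in p.links):  # item 4
        findings.append("form page has no link to the privacy and security policy")
    return findings

# Constructed sample page: SSN and password posted over plain http, two meta tags
# missing and no privacy-policy link, so audit() reports four findings.
SAMPLE_BAD = """<html><head><title>Renew Permit</title>
<meta name="description" content="Permit renewal form"></head><body>
<form action="http://agency.example/renew" method="post">
<input name="fullname"><input name="ssn"><input type="password" name="pin">
</form></body></html>"""
```

Run `audit(SAMPLE_BAD, "https://agency.example/renew.html")` to see the four findings; a page whose form posts to a relative action is judged by the scheme of the page URL.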

Management of Electronic Transactions and Signed Records

  1. Has the agency assessed the benefits that may accrue from the use of electronic transactions or documents?
  2. Has the agency considered what risks may arise from the use of electronic transactions or documents? This evaluation should take into account the relationships of the parties, the value of the transactions or documents, and the later need for the documents.
  3. Did the agency consult with counsel about any legal implications about the use of electronic transactions or documents in the particular application?
  4. Did the agency evaluate how each electronic signature alternative may minimize risk compared to the costs incurred in adopting the alternative?
  5. Did the agency determine whether any electronic signature alternative, in conjunction with appropriate process controls, represents a practicable trade-off between benefits and costs and risks?
  6. Did the agency develop plans for retaining and disposing of information, ensuring that it can be made continuously available to those who will need it, for managerial control of sensitive data and accommodating changes in staffing, and for ensuring adherence to these plans?
  7. Did the agency develop management strategies to provide appropriate security for physical access to electronic records?
  8. Has the agency performed periodic reviews and re-evaluations of the electronic transactions or documents, as appropriate?

Reference TAC §203


Address your questions about the Texas Information Technology Standards to: DIR Standards and Architecture

Last updated May 27, 2008