Agency Security Plan

2020 Agency Security Plan Resources

In developing Agency Security Plans, agencies should:

  • consider any vulnerability report prepared under Section 2054.077, Texas Government Code;
  • incorporate NSOC network services provided to the agency;
  • identify and define responsibilities of agency staff relating to information custodianship;
  • identify risk management activities and other measures taken to protect agency information from unauthorized access, disclosure, modification, or destruction;
  • include information security best practices or a written explanation of why best practices are not sufficient, if applicable.

Agencies should take care to omit from any written copies of the plan information that could expose vulnerabilities in the agency's network or information systems. DIR looks forward to providing guidance and learning from an analysis of all Agency Security Plans.

Agency Security Plan Overview

The Agency Security Plan template developed by DIR was created through collaboration between government and the private sector. It uses a common language to address and manage cybersecurity risk in a cost-effective way, based on business needs, without placing additional regulatory requirements on agencies.

The template is divided into five concurrent and continuous functions, the same five defined by the National Institute of Standards and Technology (NIST): Identify, Protect, Detect, Respond, and Recover.

[Chart: the five functional areas of an Agency Security Plan]

Within these five functional areas, DIR has established 46 distinct security objectives:

Functional Area: Identify
  • Privacy and Confidentiality
  • Data Classification
  • Critical Information Asset Inventory
  • Enterprise Security Policy, Standards and Guidelines
  • Control Oversight and Safeguard Assurance
  • Information Security Risk Management
  • Security Oversight and Governance
  • Security Compliance and Regulatory Requirements Management
  • Cloud Usage and Security
  • Security Assessment and Authorization / Technology Risk Assessments
  • External Vendors and Third Party Providers
  • Secure Application Development (if applicable)
  • Beta Testing (if applicable)
  • Penetration Testing (if applicable)
  • Vulnerability Testing (if applicable)

Functional Area: Protect
  • Enterprise Architecture, Roadmap & Emerging Technology
  • Secure System Services, Acquisition and Development
  • Security Awareness and Training
  • Privacy Awareness and Training
  • Cryptography
  • Secure Configuration Management
  • Change Management
  • Contingency Planning
  • Media
  • Physical Environmental Protection
  • Personnel Security
  • Third-Party Personnel Security
  • System Configuration Hardening & Patch Management
  • Access Control
  • Account Management
  • Security Systems Management
  • Network Access and Perimeter Controls
  • Internet Content Filtering
  • Data Loss Prevention
  • Identification & Authentication
  • Spam Filtering
  • Portable & Remote Computing
  • System Communications Protection
  • Information Systems Currency (New)

Functional Area: Detect
  • Malware Protection
  • Vulnerability Assessment
  • Security Monitoring and Event Analysis
  • Audit Logging & Accountability (New)

Functional Area: Respond
  • Cyber-Security Incident Response
  • Privacy Incident Response

Functional Area: Recover
  • Disaster Recovery Procedures

Each agency and institution of higher education then uses its Agency Security Plan to demonstrate how it will achieve these objectives.

Agency Security Plan Template

The Agency Security Plan template gives agencies:

  • A method for reporting on the types of controls they have in place
  • An evaluation of their ability to operate the control environment at their required level
  • A standardized approach for preparing the agency's ongoing security plan

The Agency Security Plan is now available in the SPECTRIM Portal.
