

Security Requirements for RFP-1

TxDMV Policy Statement:

The department will:

      protect the automated information and information resources TxDMV uses against
       accidental or unauthorized access, disclosure, damage, and loss
      assure the security, reliability, integrity, and availability of the information and
       information resources that TxDMV uses, develops, or acquires
      adequately separate functions for tasks susceptible to fraud or other unauthorized activity
      implement security policies, procedures, and practices that are responsible, adaptable, and
       cost-effective, based on the relative value of the information and resources and the
       assessment of risk to them.


Compliance with laws and department policies, procedures, and practices governing the security
of information and information resources is a TxDMV condition of continued employment.
Violators may be:

      disciplined in accordance with TxDMV human resource policies and procedures
      prosecuted under appropriate law.


All TxDMV managers, employees, consultants and contractors are responsible for:

      protecting information and information resources
      using information and information resources only for department business purposes
      complying with TxDMV information security policies, procedures, and practices.

Central information security will:

      establish, maintain, and communicate TxDMV's program of integrated information
       security policies, procedures, and practices
      provide local management with tools for implementing and monitoring local compliance
       with information security policies, procedures, and practices
      coordinate management of information security and business interruption risk.

Security implementation is a local management function. Local managers and security
administrators will:

      ensure that the employees they supervise:
        o understand their responsibilities for information resource use
        o agree to accept responsibility for information and information resources they use
        o agree to protect information and information resources used by TxDMV
      emphasize security awareness and training in their local offices
      monitor local compliance with information security laws, regulations, policies,
       procedures, and practices
      initiate action to:
        o correct noncompliance with information security policies, procedures, and practices
        o discipline violators of information security policies, procedures, and practices.


The Information Security Volume of the Information Resource Manual.


Texas Administrative Code, Title 1, Part 10, Chapter 202, Information Security Standards.

Reference Laws and Standards

This information provides a resource for those who need to comply with applicable legal and policy
requirements for information security. It is based on federal and state laws, state standards on
information security, and agency policy, including:
    Texas Administrative Code, Title 1, Chapter 202 Information Security Standards
    Texas Penal Code, Chapter 33, Computer Crimes
    Texas Government Code, Chapter 552, Public Information
    Texas Government Code, Section 2203.004, Requirement to Use State Property for State
    Texas Government Code, Section 403.273(d); Property Manager, Property Inventory
    Texas Government Code, Section 403.275, Liability for Property Loss
    Federal Information Security Management Act of 2002, SEC 305 (a)
    Driver's Privacy Protection Act, 18 U.S.C. § 2721 et seq. (Public Law 103-322)
    Computer Fraud and Abuse Act of 1986, (Title 18, U.S. Code, Section 1030)

The Texas Department of Information Resources (DIR) has:
       Established state information security standards, which are described in Texas
        Administrative Code, Title 1, Chapter 202, Information Security Standards
       State Enterprise Security Plan, Securing Texas Information Resources, FY 2007-2012
       Practices for Protecting Information Resources Assets
       Published minimum information security requirements in the DIR manual, titled
        Information Resources Security and Risk Management: Policy, Standards, and

Why Policy Is Needed

This policy:

       provides the foundation for the TxDMV information security program
       supports the state information security policy
       complies with applicable state law.

General Boundaries for Security Implementations

The following illustrate the broad principles and boundaries within which security access
should be provided:

       All security should be provided external to the application, as an architecture layer or
        module
       All hardware, including servers, storage, and network devices, should be configured as
        "hardened" devices using best practices
       Security should be established and controlled using an Active Directory and/or LDAP
        technology solution
       All individual access security will be established from a "roles based" perspective
       Best practices for security must be integral to any proposed solution
       All personally identifiable information that is stored within TxDMV systems must be
       All security must be rooted in published open standards and able to be referenced from
        resources such as National Institute for Standards and Technology (NIST); SysAdmin,
        Audit, Networking and Security Institute (SANS); Information Systems Audit and
        Control Association (ISACA); as well as the reference Laws and Standards described
        above, etc.

NOTE: Because of the sensitive nature of security and its need-to-know requirement,
detailed access criteria and other information for various application areas may be available
upon request and completion of appropriate non-disclosure and privacy documentation.
