Security Requirements for RFP-1

TxDMV Policy Statement

The department will:
- protect the automated information and information resources TxDMV uses against accidental or unauthorized access, disclosure, damage, and loss
- assure the security, reliability, integrity, and availability of the information and information resources that TxDMV uses, develops, or acquires
- adequately separate functions for tasks susceptible to fraud or other unauthorized activity
- implement security policies, procedures, and practices that are responsible, adaptable, and cost-effective, based on the relative value of the information and resources and the assessment of risk to them.

Violation

Compliance with laws and department policies, procedures, and practices governing the security of information and information resources is a TxDMV condition of continued employment. Violators may be:
- disciplined in accordance with TxDMV human resource policies and procedures
- prosecuted under appropriate law.

Responsibility

All TxDMV managers, employees, consultants and contractors are responsible for:
- protecting information and information resources
- using information and information resources only for department business purposes
- complying with TxDMV information security policies, procedures, and practices.

Central information security will:
- establish, maintain, and communicate TxDMV's program of integrated information security policies, procedures, and practices
- provide local management with tools for implementing and monitoring local compliance with information security policies, procedures, and practices
- coordinate management of information security and business interruption risk.

Security implementation is a local management function.
Local managers and security administrators will:
- ensure that the employees they supervise:
  o understand their responsibilities for information resource use
  o agree to accept responsibility for information and information resources they use
  o agree to protect information and information resources used by TxDMV
- emphasize security awareness and training in their local offices
- monitor local compliance with information security laws, regulations, policies, procedures, and practices
- initiate action to:
  o correct noncompliance with information security policies, procedures, and practices
  o discipline violators of information security policies, procedures, and practices.

Manual

The Information Security Volume of the Information Resource Manual.

Authority

Texas Administrative Code, Title 1, Part 10, Chapter 202, Information Security Standards.

Reference Laws and Standards

This information provides a resource for those who need to comply with applicable legal and policy requirements for information security. It is based on federal and state laws, state standards on information security, and agency policy, including:
- Texas Administrative Code, Title 1, Chapter 202, Information Security Standards
- Texas Penal Code, Chapter 33, Computer Crimes
- Texas Government Code, Chapter 552, Public Information
- Texas Government Code, Section 2203.004, Requirement to Use State Property for State Purposes
- Texas Government Code, Section 403.273(d), Property Manager, Property Inventory
- Texas Government Code, Section 403.275, Liability for Property Loss
- Federal Information Security Management Act of 2002, SEC 305(a)
- Driver's Privacy Protection Act, 18 U.S.C. § 2721 et seq. (Public Law 103-322)
- Computer Fraud and Abuse Act of 1986 (Title 18, U.S. Code, Section 1030)

The Texas Department of Information Resources (DIR) has:
- established state information security standards, which are described in:
  o Texas Administrative Code, Title 1, Chapter 202, Information Security Standards
  o State Enterprise Security Plan, Securing Texas Information Resources, FY 2007-2012
  o Practices for Protecting Information Resources Assets
- published minimum information security requirements in the DIR manual, titled Information Resources Security and Risk Management: Policy, Standards, and Guidelines.

Why Policy Is Needed

This policy:
- provides the foundation for the TxDMV information security program
- supports the state information security policy
- complies with applicable state law.

General Boundaries for Security Implementations

The following are illustrative of the broad principles and boundaries within which security access should be provided:
- All security should be provided external to the application, as an architecture layer or module.
- All hardware, including servers, storage, and network devices, should be configured as "hardened" devices using best practices.
- Security should be established and controlled using an Active Directory and/or LDAP technology solution.
- All individual access security will be established from a "roles based" perspective.
- Best practices for security must be integral to any proposed solution.
- All personally identifiable information that is stored within TxDMV systems must be encrypted.
- All security must be rooted in published open standards and able to be referenced from resources such as the National Institute of Standards and Technology (NIST); the SysAdmin, Audit, Networking and Security Institute (SANS); the Information Systems Audit and Control Association (ISACA); and the reference Laws and Standards described above.
NOTE: Due to the sensitive nature and requirements of security, and on a need-to-know basis, detailed access criteria and other information for the various application areas may be made available upon request and completion of appropriate non-disclosure and privacy documentation.