Chapter 1: About Information Security Policies

Anchor: #i998872

Section 1: Overview

Anchor: #i1089214

Policy Overview

Five policy statements define how TxDOT protects its information resources and the systems in which they reside. These policies establish the intention to

  • meet state and federal regulations
  • protect assets
  • support business goals.

Security Framework. References to the five objectives of the Texas CyberSecurity Framework (Identify, Protect, Detect, Respond and Recover) appear throughout this manual. These references further illustrate how TxDOT policy objectives align with statutory requirements. The protocol and general responsibilities listed under each objective include industry best practices as well as guidelines established by the National Institute of Standards and Technology, NIST.

Anchor: #i1028544

Manual Intent

This manual establishes the policies to govern TxDOT’s Information Security Program and describes the objectives of each policy. Each objective includes a subsection on the protocol and general responsibilities of individuals who use information resources.

This manual does not intend to be a comprehensive approach for administering TxDOT’s Information Security Program. Authorized individuals who have a greater operational interest in TxDOT’s Information Security Program may also read the additional manuals pertaining to the program. Those are described at the end of this section.

Anchor: #i1027425

Intended Audience

The policies in this manual apply, at all times, to individuals who use TxDOT-owned information and systems while employed with TxDOT, regardless of work location. These policies also apply to systems, tools, and methods used to conduct business on behalf of the Agency. Individuals who use TxDOT information resources are required to familiarize themselves with the policy statements, their objectives, and the general responsibilities listed. The “Additional Focus Areas” table shows functional job descriptions that carry additional work responsibilities:

Anchor: #i1101531Additional Focus Areas

IF you...

Become familiar with the policy and objectives of...

use TxDOT-owned information, equipment, or networks

Security Awareness

are business owners or involved with the daily operations of a functional business process, also known as information owners and information custodians

  • Security Awareness
  • Intrusion Prevention
  • Information Quality and Integrity
  • Business Continuity

work to support information technology projects, acquisitions or improvements

  • Security Awareness
  • Information Quality and Integrity
  • Investment Protection
  • Business Continuity

administer TxDOT-owned information, equipment, or networks or work in the Information Management Division

All the policies and their objectives

Violations of the information security policies or misuse of TxDOT information resources may result in disciplinary actions, including termination and legal prosecution. Questions about the policies or their applicability may be directed to: Only TxDOT's Information Security Officer can issue information security policies.

Anchor: #i1040920


As much as possible, the manual avoids using industry-specific terminology. When technical terms are necessary for accurate discussions, definitions are provided within the paragraph.

Anchor: #i1041394

Equivalent Titles

The “General Responsibilities” subsections under each policy objective also list the functional responsibilities the Texas Information Security statutes assign to generic business roles. Definitions for each of the roles are available in 1TAC§202.1. While TxDOT does not use these generic titles, TxDOT does provide equivalent, specific business roles. The information below maps the term used in the statute to their TxDOT counterparts:

Agency Head
The Agency Head is TxDOT’s Executive Director
Information Custodian
Information Custodian is the person or group responsible for the day-to-day functions of a designated business process and who has access to a TxDOT information asset. For example, the custodian is the person who directly works with the information.
Information Owner
Information Owner is an individual who is the designated owner of a specific business process. For example, this may be a section director, lead worker, or business analyst as long as that person is the named decision-maker for the business operations that use the information.
User of an information resource
User of an information resource is an authorized TxDOT employee, contractor, partner, customer, guest, who has been granted privileges to gain access to the agency’s information systems and their data. The user of an information resource may be another automated system.
Previous page  Next page   Title page