Section 4: Asset Management ProtectionAnchor: #TMIMXTPR
This section establishes how TxDOT manages its information resources assets as part of its Investment Protection policy, and describes the minimum protocols and responsibilities that must be in place to effectively categorize, inventory, maintain, and decommission both physical (tangible) assets such as hardware, physical documents, facilities, etc. and non-physical (intangible) such as intellectual property, digital records, digital connections, virtual machines, etc. This protocol provides a system-based method to address the “Identify” objective of the Texas CyberSecurity Framework.Anchor: #AFYRSAFC
TxDOT identifies and protects all information resources throughout their life cycle by applying information security principles in the specification, design, development, implementation, and modification of the information system. Each information resource is required to be authorized to operate by the Information Security Officer. This includes:
- determining, documenting, and allocating necessary resources to protect the information systems
- creating a security assessment plan
- maintaining the currency of software and information systems
- testing and evaluating the information system
- certifying the security assessment
- providing testing results and evaluations to the Information Security Office.
Individuals who use TxDOT information resources must also maintain and protect them.
Information custodians must maintain accurate inventories of TxDOT's information resources.
Information owners must ensure the information assets within their departments are secure.
Information Security Officer must ensure:
- information owners and custodians adhere to the security standards for asset management
- information resources are properly documented, and
- any assets within the TxDOT environment has an approved authority to operate.
Compliance and Standards
See the “Asset Management Protection Standards” in the Information Security Standards manual for a list of the minimum standards necessary to comply with this objective of the Investment Protection Policy.