Section 3: Planning for SecurityAnchor: #i1022232
TxDOT’s Information Security Office manages the planning process for security controls to enable business functions while managing risks. This effort links the Agency’s security program with its Strategic Plan. Linking security controls with the Strategic Plan aids project teams to coordinate security concerns as they develop automated business solutions. Planning and managing security controls allows for greater integration with the Strategic Plan and addresses the “Protect” objective of the Texas CyberSecurity Framework.Anchor: #i1022246
TxDOT centrally manages the Information Security planning process to assess the need for, authorize the use of, and monitor the effectiveness of security controls and processes. This effort is integrated in the development process and applies to all applications, systems, and projects throughout their life cycle.Anchor: #i1022260
TxDOT uses federal and state laws and regulations to shape its Information Security policies, including adopting the National Institute of Standards and Technology (NIST) Special Publications standards and the Texas Department of Information Resources (DIR) Control Catalog. All individuals who use TxDOT information resources must adhere to these policies. Unique responsibilities for these policies are identified and discussed below.
Agency Head. As the agency head, TxDOT’s Executive Director is responsible for the Agency’s information resources and designates an Information Security Officer to administer the Agency’s Information Security program. Additionally, the Executive Director sanctions the program by allocating resources, ensuring collaboration from senior agency officials, reviewing the program annually, and ensuring the program’s management processes are integrated with the TxDOT strategic and operational planning processes.
Information Security Officer (ISO). The ISO specifies the security requirements for the Agency. The ISO creates the Agency’s security plans, policies, and procedures; and ensures that security training is available for individuals who use TxDOT information resources. The ISO is the chief source who can issue exceptions to security requirements, provided they are justified, documented, and included in the Agency’s Risk Management and Assessment process.Anchor: #i1105913
Compliance and Standards
See the “Planning Standards” in the Information Security Standards manual for a list of the minimum standards necessary to comply with this objective of the Security Awareness Policy.