Section 6: System and Information Integrity
This section describes how TxDOT segregates the many functions of information systems to maintain their quality and integrity. As part of its Information Protection Policy, this section requires the separation of systems based on functionality and grants access to a select group of authorized individuals. It provides a holistic approach to address the “Protect” objective of the Texas CyberSecurity Framework.
TxDOT must provide multiple means of separating access to its information. Commonly referred to as layers of defense, this approach protects the quality and integrity of data assets. Minimally, this includes:
- preventing individuals or systems from accessing a device remotely unless they have the authority to do so and have explicitly announced their presence
- using boundary protection devices, such as firewalls, to ensure connections use only approved mechanisms and control the information flow
- terminating network connections when session inactivity exceeds designated limits
- validating and verifying that the origin of the information matches authenticated individuals and end sources
- separating the functionality within applications to segregate differing levels of permissions, for example: administrative roles, security roles, and user roles. This follows the principle of Least Privilege.
Individuals who use Agency information resources must report when they identify any risks, failures, or breaches while performing their duties.
The Information Security Officer must:
- provide information owners, custodians, and individuals with necessary information for the safe use of web services and email filtering
- implement security controls for filtering web and email content to prevent data loss
- ensure that information owners and custodians comply with the Internet content filtering boundaries issued in the Intrusion Prevention Policy.
Compliance and Standards
See the “System and Information Integrity Standards” in the Information Security Standards manual for a list of the minimum standards necessary to comply with this objective of the Information Protection Policy.