What is an ISO?
An ISO—or Information Security Officer—is the person inside every state agency who has the explicit authority and duty to administer information security requirements. Each state agency is required to designate an ISO by the Texas Administrative Code.
Authorities and Responsibilities of an ISO
An agency’s ISO has authority over information security across the entire agency.
Designated ISOs have several responsibilities – all of which are listed in Texas Administrative Code (TAC) §202.21. A few of these responsibilities include:
Defining and maintaining policies and documentation for your security program,
Working with your business owners and technical staff to address risks in your organization,
Conducting risk assessments regularly with data owners, and
Reporting the effectiveness of your security controls to the agency head.
Be sure to read TAC §202.21 for the full, detailed list of an ISO’s specific responsibilities.
Who should become your agency’s ISO?
Ideally, your agency’s Information Security Officer will:
Possess the training and experience necessary to perform all the responsibilities listed above and in TAC §202.
Hold the ISO role as their primary job duty.
Be able to regularly and comfortably communicate and report to executive level managers.
Additional Resources for ISOs
As an Information Security Officer, you will be DIR’s main contact at your agency. At DIR, the Office of the Chief Information Security Officer (OCISO) is your point of contact for questions or concerns.
Here are some tips and tools to help you perform your role as ISO effectively:
Security Officer Mailing Lists
This is the official email discussion list for ISOs. You are automatically a member. DIR uses this mailing list for official communications, but you can also use it to network with your fellow ISOs.
To post a message to this list, simply send an email to: email@example.com.
Other Mailing Lists
firstname.lastname@example.org – A mailing list dedicated to security-related issues. Seek advice from other state government IT staff. Receive updates on current security alerts. Discuss technical issues. Request referrals or opinions about IT security products and services. Share resources and expertise.
email@example.com – A list dedicated to general technology conversations. Seek advice from other government IT staff. Post training opportunities. Discuss technical issues. Request referrals or opinions about IT products and services. Share resources and expertise.
firstname.lastname@example.org – A list for questions about training. Seek advice and referrals from other government staff. Post training opportunities or needs. Discuss issues involving training, education, e-learning, etc. Request referrals or opinions about products and services. Share resources and expertise. Announce meetings and events.
Emergencies: How to Report
You must immediately report any incident that may:
Propagate to other state systems
Result in criminal violations that shall be reported to law enforcement
Involve the unauthorized disclosure or modification of confidential information, e.g., sensitive personal information
Report an Emergency
Call DIR's Incident Reporting Assistance Line; the phone is answered 24/7. Whether or not you call, the incident must also be entered into the SPECTRIM portal, which is the system of record for incident reports.
DIR Incident Reporting Assistance
(877) DIR CISO
Monthly Incident Reporting
This report is due no later than nine (9) calendar days after the end of the month. This report is submitted through the SPECTRIM portal.
Security Plan (Every Two Years)
Biennial security plans must be submitted by June 1 of each even-numbered year (2022, 2024, and so on). These security plans must be completed in the SPECTRIM portal.
The SPECTRIM portal provides security incident management and analysis, risk assessment analysis, and a security plan template.
DIR negotiates contracts with providers and vendors, using the purchasing power of the State of Texas. Visit the Cooperative Contracts page to learn more about the process and how you can use it at your agency. (State agencies are required to use this service unless they seek and receive an exemption.)
Office of the Chief Information Security Officer (OCISO)
The OCISO is standing by to help you fulfill your responsibilities as your agency’s ISO. Among our services and resources are:
Testing and assessments of your information security systems
InfoSec Academy, which offers free certification preparation training along with general technology and business skills classes
The Information Security Forum, an annual conference that focuses on current information security topics
Visit the OCISO website to learn more.