Data Security Plan Reference Guide
This reference guide contains implementation requirements for the security controls prescribed in security plans issued by the Information Security Office (ISO). If you are an owner or custodian responsible for a TXST information system, please refer to your security plan to determine which of these controls apply to your information system.
Data Classification
-
Data Classification Guide
Texas State University (TXST) uses a three-tier data classification scheme established by UPPS 04.01.11 § 02.08 a, b, c. The table below provides a quick reference chart for institutional data classification. Please visit https://infosecurity.txst.edu/work/law-policy/policy-university.html to learn more.
Confidential Information
- Level of Sensitivity: High
- Legal Requirements: Protection of data is required by law (e.g., TPIA, FERPA, and HIPAA data) or contractual agreements.
- Disclosure Risk: Confidential information presents the most serious risk of harm if improperly disclosed.
- Examples of Information: Social Security numbers; credit card info; personal health info; student records; crime victim info; library transactions; court sealed records; access control credentials.

Sensitive Information
- Level of Sensitivity: Moderate
- Legal Requirements: Often considered “public” in the sense that it is releasable under the Texas Public Information Act, but some assurance is required so that release of information is both controlled and lawful.
- Disclosure Risk: Unauthorized disclosure of Sensitive information could adversely impact the University, individuals or affiliates.
- Examples of Information: Performance appraisals; employee DOB; employee email addresses; donor information; voicemail records; email contents; unpublished research.

Public Information
- Level of Sensitivity: Low
- Legal Requirements: Public information by its very nature is designed to be shared broadly, without restriction, at the complete discretion of the owner.
- Disclosure Risk: Confidential information presents the most serious risk of harm if improperly disclosed.
- Examples of Information: Job postings; service offerings; published research; directory information; degree programs; general information about university products and services.
-
Public Data
This system was determined to have a data classification of public. Therefore, this information system must not store, process, and/or transmit any sensitive or confidential information.
-
Sensitive Data
This system was determined to have a data classification of sensitive. Therefore, this information system must not store, process, and/or transmit any confidential information (e.g., grades, medical information, payment-card information, identifiable dates of birth). This information system must only store, process, and/or transmit the minimum-viable amount of sensitive information as required in order to function.
- To the greatest extent practicable, data elements with a reduced data classification should be used in lieu of data elements with higher data classification whenever possible (e.g., anonymizing records where feasible, using a Texas State email address or NetID instead of a personal phone number).
- The Standards for Sensitive and Confidential Information outline the methods by which this data is transferred, stored, processed, and otherwise handled.
-
Confidential Data
This system was determined to have a data classification of confidential. Therefore, this information system must only store, process, and/or transmit the minimum-viable amount of sensitive and/or confidential information as required in order to function.
- To the greatest extent practicable, data elements with a reduced data classification should be used in lieu of data elements with higher data classification whenever possible (e.g., anonymizing records where feasible, using a Texas State email address or NetID instead of a personal phone number or social security number or individual taxpayer identification number).
- The Standards for Sensitive and Confidential Information outline the methods by which this data is transferred, stored, processed, and otherwise handled.
System Categorization & Impact Designation
System categorization is somewhat similar to data classification. Relative to categorization, data classification is narrowly focused on confidentiality requirements of a specific set or type of information. In contrast, system categorization is broader and is based on the institutional impact of an incident that would affect the confidentiality, integrity, or availability of the information system or the university information it stores, processes, or transmits. More information on system categorization can be found here: https://infosecurity.txst.edu/work/spg/standards-system-categorization.html
-
Impact Designation
- Impact values used to categorize an information system are different from those used to describe actual incidents as detailed in UPPS 04.01.11, Section 02.03. More granular impact values are used in system categorization in order to better inform institutional planning and risk management based on probable scenarios and applied safeguards.
- The institutional impact of a potential incident that could affect an information system and/or university information it stores, processes, and/or transmits shall be classified by one of five values. Care should be exercised to consider the institutional perspective rather than the effects on an individual team or user.
- The following table describes each of the five impact values used as part of system categorization.
Impact Value: Severe (5)
Impact Description:
- The effect will cause the university to not achieve its goals and initiatives;
- the effect will significantly harm a large amount of stakeholders or the institution;
- the effect will have direct, long-lasting effects to core infrastructure systems, services, or other high-value, business-critical information resources;
- the effect will negatively affect a significant amount of sensitive or confidential information;
- the effect will cause loss of life or endanger serious, life-threatening injuries;
- the effect will cause catastrophic financial harm; and/or
- it is an institutional showstopper.

Impact Value: Major (4)
Impact Description:
- The effect will cause the component not to achieve its goals and initiatives;
- the effect will significantly harm a moderate amount of stakeholders or will cause some harm to a large amount of stakeholders or the institution;
- the effect will degrade or have short-lived effects to core infrastructure systems, services, or other high-value, business-critical information resources;
- the effect will negatively affect a moderate amount of sensitive or confidential information;
- the effect will cause significant financial harm; and/or
- it is a showstopper.

Impact Value: Moderate (3)
Impact Description:
- The effect will cause the university or component to operate inefficiently or expend unplanned resources to meet goals and initiatives;
- the effect will cause insignificant harm to stakeholders or the institution;
- the effect will degrade or have short-lived effects to non-essential systems, services, or other information resources that are not business-critical;
- the effect will cause some financial harm; and/or
- the effect will negatively affect some amount of sensitive or confidential information.

Impact Value: Minor (2)
Impact Description:
- The effects should be monitored to determine if action is required;
- the effect will not cause any direct harm to stakeholders or the institution;
- the effect will temporarily degrade or have minor, short-lived effects to non-essential systems, services, or other information resources that are not business-critical;
- the effect will cause a minor amount of financial harm; and/or
- the effect will negatively affect some amount of non-confidential information.

Impact Value: Insignificant (1)
Impact Description:
- The measurable effect upon the achievement of the university’s goals and initiatives would be immaterial or insignificant;
- the effect will not cause any harm to stakeholders or the institution;
- the effect will have no effect on other institutional systems; and/or
- the effect will negatively affect some amount of public information.
-
Assessing Impact
- Three separate impact values shall be determined for each information system based on the descriptions outlined in section 1.C above.
- Each impact value assesses the institutional impact of an incident affecting, respectively, the confidentiality, integrity, and availability of the system and/or the information it stores, processes, and/or transmits. The three impact values determined are:
- Impact value (Confidentiality): Assesses the institutional impact of an incident affecting system or information confidentiality. Examples of incidents affecting confidentiality include, but are not limited to, data breaches, leaks, sending information to incorrect recipients, theft or loss of storage media or hard copies, and granting a user an inappropriately high level of access to data.
- Impact value (Integrity): Assesses the institutional impact of an incident affecting system or information integrity. Examples of integrity incidents include, but are not limited to, data corruption in transmission or at rest and inappropriate or unintentional modification or deletion of data by authorized or unauthorized users.
- Impact value (Availability): Assesses the institutional impact of an incident affecting system or information availability. Examples of availability incidents include, but are not limited to, system outages or downtime and data or system loss or deletion.
- The highest of the three impact values for each information system will determine the category of the information system as noted in the below table:
Impact Value: System Category
- Severe (5): Essential (V)
- Major (4): Critical (IV)
- Moderate (3): Moderate (III)
- Minor (2): Low (II)
- Insignificant (1): Insignificant (I)
-
Translating Institutional System Categorization to Texas Government Code (TAC 202)
- Texas State uses a more granular, five-tiered system categorization scheme to better inform its risk management functions and other activities that may rely on such information. However, Texas Administrative Code, some information security frameworks, and other resources instead use a simpler, three-tier scheme for system categorization.
- The table below shows the translation of institutional system categories to TAC 202 Designations.
Institutional System Category: TAC 202 Designation
- Essential (V): High Impact Information Resource
- Critical (IV): High Impact Information Resource
- Moderate (III): Moderate Impact Information Resource
- Low (II): Low Impact Information Resource
- Insignificant (I): Low Impact Information Resource
Texas Risk and Authorization Management Program (TX-RAMP)
-
What is TX-RAMP?
TX-RAMP stands for the Texas Risk and Authorization Management Program. It's a state-mandated program created to ensure that cloud computing services used by Texas government agencies, including public universities, meet minimum security requirements.
-
Key Points
Purpose: To protect sensitive state and institutional data when using cloud services.
Scope: Applies to cloud-based systems (like SaaS, PaaS, IaaS) used by state entities.
Certification Levels: Cloud providers that fall within scope of TX-RAMP must be certified at one of two levels:
- TX-RAMP Level 1: For systems that are low-impact and handling confidential data.
- TX-RAMP Level 2: For systems that are moderate/high-impact.
More information on system categorization can be found here: https://infosecurity.txst.edu/work/spg/standards-system-categorization.html
Requirement: Agencies must not acquire or use cloud services that fall under TX-RAMP unless the service is certified at the appropriate level.
Enforcement: Non-compliant cloud services can’t be purchased or renewed. In some cases, current usage may be revoked—even if a contract is still active.
Accounts, Authentication, and Permissions
-
SSO Supported
SAML2-based Single Sign-On (SSO) must be used to authenticate all users to this information system.
- Access to the information system must be promptly revoked when a user loses the need to access the information system (e.g., employee separation, changes in job duties).
-
Individual Account Creation - SSO and MFA not supported
This information system does not support Single Sign-On (SSO), and instead, individual accounts must be created and managed within the information system in a manner compliant with the university’s Standards for Identification and Authentication (see https://infosecurity.txst.edu/work/spg/standards-identity-authentication.html). Requirements of the standard include:
- Unique accounts must be created for each individual user within the information system.
- Passwords for those accounts must be stored in each user’s TXST LastPass Enterprise password vault.
- Passwords for each account must be:
- Unique (i.e., not users’ NetID passwords or derivative of other passwords);
- Randomly generated via LastPass Enterprise;
- Composed of as many character types as the service supports (i.e. upper-case letters, lower-case letters, numbers, and symbols);
- Set to at least 15 characters in length; and
- Changed annually.
- The ISO must be contacted if or when SSO becomes available for this information system to determine if SSO option(s) available are compatible with the university’s SSO services prior to enablement of the feature.
-
Individual Account Creation - Only MFA is supported
This information system does not support Single Sign-On (SSO), and instead, individual accounts must be created and managed within the information system in a manner compliant with the university’s Standards for Identification and Authentication (see https://infosecurity.txst.edu/work/spg/standards-identity-authentication.html). Requirements of the standard include:
- Unique accounts must be created for each individual user within the information system.
- Passwords for those accounts must be stored in each user’s TXST LastPass Enterprise password vault.
- Passwords for each account must be:
- Unique (i.e., not users’ NetID passwords or derivative of other passwords);
- Randomly generated via LastPass Enterprise;
- Composed of as many character types as the service supports (i.e. upper-case letters, lower-case letters, numbers, and symbols);
- Set to at least 15 characters in length; and
- Changed annually.
- Multi-factor authentication (MFA) must be enabled for each user account. If MFA cannot be enforced through technical means (e.g., default settings for all users), user onboarding procedures and guidance implemented by the information resource owner and custodian must incorporate MFA enablement.
- The ISO must be contacted if or when SSO becomes available for this information system to determine if SSO option(s) available are compatible with the university’s SSO services prior to enablement of the feature.
-
Access via a Shared Account
This information system is intended to be accessed through the use of a single account shared between multiple individuals. The information resource owner and custodian understand and accept the risks associated with this method of access (e.g., little to no individual accountability of users, diminished ability to attribute actions within the system to individual users, increased risks of account compromise because of incompatibility with multi-factor authentication). This shared account must be used and managed in a manner compliant with the university’s Standards for Identification and Authentication (see https://infosecurity.txst.edu/work/spg/standards-identity-authentication.html). Requirements of the standard include the following:
- The shared account must be tied to a limited access, shared @txstate.edu email address (i.e., a shared mailbox or a distribution list). Note, shared mailboxes and distribution lists may be requested via the IT Assistance Center’s website.
- The password for the shared account must be stored in the information resource owner’s TXST LastPass Enterprise password vault.
- The password for the shared account must be:
- Unique (i.e., not users’ NetID passwords or derivative of other passwords);
- Randomly generated via LastPass Enterprise;
- Composed of as many character types as the service supports (i.e. upper-case letters, lower-case letters, numbers, and symbols);
- Set to at least 15 characters in length; and
- Changed annually.
- The password may only be shared via LastPass Enterprise with authorized users.
- Any time an authorized user loses their need to access the password (e.g., employee separation or change in job duties), that user’s access to the password must be promptly revoked via LastPass, and the password must then be changed.
- The list of users with access to the password in LastPass Enterprise must be reviewed at least twice a year or at the end of each long semester to ensure only authorized users have access to the shared credentials. If unauthorized users are discovered to have access to the credentials, their access must be removed, and the password must be reset.
Owner and Custodian Responsibilities
-
Accounts, Authentication, and Permissions
- Access to the information system must be promptly revoked when a user loses the need to access the information system (e.g., employee separation, changes in job duties).
- Users and administrators within this information system must only be granted the minimum-viable set of permissions required and approved by the information resource owner (i.e., in alignment with the model of least privilege).
- User accounts and permissions must be reviewed by the information resource owner and custodian at least twice a year or at the end of each long semester to ensure, at minimum, (a) only users with a need to access the system have active accounts and (b) active user accounts only have the minimum-viable set of permissions required and approved by the information resource owner.
-
Data Storage, Processing, and Transmission
A data lifecycle for information stored, processed, and/or transmitted by this information system must be established and maintained by the Information Resource Owner and Custodian in order to remove information that no longer needs to be retained in the system while also remaining compliant with the University Records Retention Schedule (see: https://www.univarchives.txst.edu/records/rm-rrs.html for more information).
-
Configuration
- Authentication and access management controls must be configured, enabled, and tested by the information resource custodian and/or owner prior to the use of this information system for production purposes or to store, process, or transmit any production or non-public information.
- Unless separately assessed and authorized by the ISO, features that were not included in this assessment are outside the scope of this authorization and may not be used or enabled unless or until separately assessed and authorized.
-
Data Recovery or Exit Plan
A data recovery or exit plan must be established by the Information Resource Owner and Custodian in order to prepare for the possibility of termination of the use of this information system (e.g., determining what data would need to be retrieved and preserved, confirming the means by which information may be exported). Such planning will be important to the continuity of operations and compliance with applicable record retention requirements if or when the information system is replaced and/or decommissioned.
-
Biometric or GPS-based Location Information
If individually identifiable biometric or GPS-based location information will be stored, processed, and/or transmitted by the information system or related information system components, the institution’s Data Management Officer must be contacted to consult on data-subject consent management processes as required by Texas Government Code and University policy.
Integrations with Other Information Systems
-
Integration Controls
- Unless otherwise assessed and authorized by the ISO, no integration between this information system and other products, systems, services, or platforms may be established or used. This includes university-managed information systems as well as external services and information systems that are otherwise unauthorized or have not yet been assessed.
- For clarity, the use of endpoint devices like university-owned computers to access or use the information system is generally expected and authorized. Similarly, if Single Sign-On (SSO) is available as a means of authentication, connections with the planned SSO service are also expected and authorized.
- Features or interconnections that may involve payment-card data or processing of payment cards must be authorized by the Office of the Treasurer and/or Student Business Services.
- For clarity, authorization by the Office of the Treasurer and/or Student Business Services is not required if the extent to which payment-card data will be involved is limited to the use of a university procurement card (i.e., "P-Card") to purchase access to or licenses for this information system.
Systems Hosted On-Premises
-
Information System is intended to be accessed directly from the internet
This information system is intended to be accessed directly from the Internet. After the information system has been configured but prior to production use or the introduction of non-public or production data, the information system must be subjected to an ISO-led vulnerability scan, and any resulting findings must be resolved. Following the resolution of identified vulnerabilities, a network firewall exception request form may then be submitted.
- Vulnerability scans may be requested using the following form on the ISO’s website: https://infosecurity.txst.edu/services-tools/security-services/vulnerability-scan.html
- Network firewall exceptions may be requested using the following form on the ISO’s website: https://infosecurity.txst.edu/services-tools/security-services/firewall-exception.html
-
Information System will not be accessed directly from the internet
This information system is not intended to be accessed directly from the Internet. After the information system has been configured but prior to production use or the introduction of non-public or production data, the information system must be subjected to an ISO-led vulnerability scan, and any resulting findings must be resolved.
- Vulnerability scans may be requested using the following form on the ISO’s website: https://infosecurity.txst.edu/services-tools/security-services/vulnerability-scan.html
-
Information System will reside in a restricted network
This information system and/or related information system components must reside in a restricted-access network that will be managed in collaboration between the ISO and Technology Resources’ Network Operations team.
Email Configuration Controls
-
Vendor will be sending email on behalf of TXST
A dedicated, fourth-level subdomain (e.g., noreply@updates.dept.txstate.edu) and a corresponding, narrowly scoped SPF/DKIM record should be used for sending email from this service provider.
- Third-level subdomains will require approval from the CISO and University Marketing (e.g., noreply@dept.txstate.edu).
- Subdomains can be requested here: https://gato.its.txst.edu/manage-website/url-request.html
- Reference: https://policies.txst.edu/university-policies/04-01-08.html
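As an added illustration that is not part of the university's guide, the following Python reviews an SPF TXT record for a vendor sending subdomain and reports where it is not narrowly scoped (catch-all qualifiers, deprecated `ptr`, very wide address ranges, too many lookup terms) and whether the sending domain is at the fourth level the guide calls for. The domain names and records in it are constructed examples, and the address-width cut-offs are this example's own assumptions, not policy.

```python
"""Review an SPF TXT record for a vendor email-sending subdomain (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Terms that each cost a DNS lookup; RFC 7208 caps an SPF evaluation at 10 of
# them, so an over-stuffed record silently evaluates to permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
# Assumed "narrow" thresholds (this example's choice, not university policy):
# a vendor's outbound pool rarely needs more than an IPv4 /16 or IPv6 /48.
MIN_PREFIX = {4: 16, 6: 48}

# [qualifier]name[:arg][/cidr] for mechanisms, name=value for modifiers.
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=](.+?))?(/\d+(?://\d+)?)?$")


@dataclass
class SpfReview:
    domain: str
    findings: list = field(default_factory=list)

    @property
    def narrowly_scoped(self) -> bool:
        """True when no finding is a hard FAIL (WARN entries are advisory)."""
        return not any(f.startswith("FAIL") for f in self.findings)


def subdomain_level(domain: str) -> int:
    """Count DNS labels: updates.dept.txstate.edu -> 4 (fourth-level)."""
    return len(domain.strip(".").split("."))


def review_spf(domain: str, txt: str) -> SpfReview:
    review = SpfReview(domain)
    # The guide calls for a dedicated fourth-level subdomain; anything shorter
    # needs CISO and University Marketing approval.
    if subdomain_level(domain) < 4:
        review.findings.append(f"WARN {domain} is a third-level or shorter domain; approval required")
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        review.findings.append("FAIL record does not start with v=spf1")
        return review
    lookups, saw_all = 0, False
    for raw in terms[1:]:
        m = TERM_RE.match(raw.lower())
        if not m:
            review.findings.append(f"FAIL unparseable term {raw!r}")
            continue
        qual, name, arg, cidr = m.group(1) or "+", m.group(2), m.group(3), m.group(4)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            saw_all = True
            if qual in ("+", "?"):
                review.findings.append(f"FAIL '{qual}all' lets any host send as {domain}")
            elif qual == "~":
                review.findings.append("WARN '~all' only soft-fails forgeries; '-all' is preferred")
        elif name == "ptr":
            review.findings.append("FAIL 'ptr' is deprecated by RFC 7208 and unreliable")
        elif name in ("a", "mx") and arg is None:
            review.findings.append(f"WARN bare '{name}' authorizes {domain}'s own hosts, which a vendor-only subdomain should not need")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network((arg or "") + (cidr or ""), strict=False)
            except ValueError:
                review.findings.append(f"FAIL invalid network in {raw!r}")
                continue
            if net.prefixlen < MIN_PREFIX[net.version]:
                review.findings.append(f"FAIL {raw} authorizes {net.num_addresses} addresses; scope it to the vendor's sending hosts")
    if not saw_all:
        review.findings.append("FAIL no 'all' term; unlisted senders get a neutral result instead of a rejection")
    if lookups > MAX_LOOKUPS:
        review.findings.append(f"FAIL {lookups} lookup terms exceed the RFC 7208 limit of {MAX_LOOKUPS} (permerror)")
    return review


if __name__ == "__main__":
    # Constructed records for hypothetical names; not real TXST DNS data.
    samples = {
        "updates.dept.txstate.edu": "v=spf1 include:_spf.vendor.example -all",
        "dept.txstate.edu": "v=spf1 a mx ip4:10.0.0.0/8 ptr ~all",
    }
    for dom, rec in samples.items():
        r = review_spf(dom, rec)
        print(dom, "narrow" if r.narrowly_scoped else "BROAD", *r.findings, sep="\n  ")
```

The DKIM side of the record pair is not checked here; pairing this review with a check that the vendor's selector record is published only under the same subdomain keeps both mechanisms scoped together.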
-
Email Marketing Vendors
Some email marketing vendors may provide additional services beyond email marketing such as SMS text messaging, two-way email communication through their platform, website hosting, and domain name registration. Unless otherwise vetted and authorized by the Information Security Office, these features are outside the scope of this data security plan and may not be used or enabled until otherwise vetted and authorized.
Risk Advisories
-
System is not compatible with SSO nor Multi-Factor Authentication
Upon review of the authentication options available for this information system, it was discovered that neither Single Sign-On (SSO) nor Multi-Factor Authentication (MFA) is supported. The lack of these features is counter to baseline requirements of university information systems and best practice. Without the protection afforded by SSO or MFA, user accounts within this information system are at an elevated risk of compromise, which increases the likelihood of data breach or disclosure incidents, corruption or loss of data, and other negative outcomes. These risks must be accepted by at least the information resource owner and custodian before authorization may be granted by the ISO as an exception to the requirements of Standards for Identification and Authentication (IA-2).
-
System cannot be centrally managed/administered
Upon review, it was discovered that the information resource cannot be managed or administered via centralized systems used by the Division of IT to govern and protect the university’s devices (e.g., JAMF for macOS and iPadOS devices, SCCM for Windows devices). These systems allow the university to control its devices; monitor for malicious activity and applications; remotely wipe devices if they become lost, stolen, or compromised; ensure updates are installed; and prove ownership if the device is recovered after being lost or stolen.
-
Lack of attestation of penetration testing from vendor
Upon review of supporting documentation and with further consultation with vendor personnel, it was determined that pen-test results would not be made available. This is counter to baseline requirements for university information systems, as well as best practices. Without access to all required documentation, decisions regarding robust controls and configurations cannot be made. This condition creates an elevated risk of compromise, which increases the likelihood of an incident involving a data breach or disclosure, corruption or loss of data, and other negative outcomes. These risks must be accepted by at least the information resource owner and custodian before authorization can be granted by the ISO as an exception to the best practice standards.
-
Lack of governance and assurance that security controls are implemented
- Effective IT governance enables an organization to help establish and monitor accountability for IT activities to ensure that IT-enabled investments are aligned with enterprise objectives. Any misalignment can result in improper identification of critical services, along with substandard security controls. Additionally, impaired alignment between the enterprise and IT weakens communication and priorities, resulting in poor allocation of resources and a lack of transparency in actual risk reduction.
- TXST has established an IT governance framework that enables the effective management of IT risk and ensures that effective security controls are identified and implemented. TXST has no visibility into this system’s current IT governance and security control framework.
-
No centralized monitoring for security incidents, abuse, or controls
- Upon review, it was determined that this service involves a third party processing, storing or transmitting TXST data. The cloud infrastructure is completely owned, managed, and monitored by the service provider, so the cloud users have less control over the function and execution of services. One of the greatest challenges facing a cloud customer is the lack of the in-depth visibility needed to determine if data are adequately secured. Failing to maintain this visibility leaves TXST vulnerable to data exposure, unauthorized access, and other security threats.
- A cornerstone of any effective cloud-based system is how quickly threat notifications and alerts can be sent to website or security personnel. Unless a security alert or notification is issued by the provider, the customer won’t have the insight to recognize security incidents or other anomalies within the cloud infrastructure. This lack of information prevents the institution from being able to detect and respond to incidents prior to discovery by impacted user(s) or to engage in measures that would reduce the likelihood of an incident. Additionally, if an incident were to occur, such as a compromised account, Texas State would have no access to the critical event logging information required for conducting a due diligence investigation.
-
Critical vulnerabilities found
Vulnerabilities classified as critical have been found by TXST's third party risk management partner in this system's cloud services. The ISO will provide detailed vulnerability information to the information system owner. Along with the Data Security Plan (DSP), a detailed list of findings will be sent to the Information System Owner and Custodian. The Information System Owner/Custodian should share this information with the vendor so they can determine how these vulnerabilities can be mitigated.
-
Recent data security breach
It has been determined that the vendor has recently been exposed to a data security breach. Using a vendor that has recently experienced a security breach presents a significant risk to TXST, including potential exposure of sensitive data, service disruptions, and non-compliance with regulatory requirements. The breach may indicate vulnerabilities in the vendor’s security controls, increasing the likelihood of future incidents. Without clear assurances of remediation efforts and improved security measures, continued reliance on the vendor could compromise data integrity, confidentiality, and overall cybersecurity posture. The Information Resource Owner agrees to implement and maintain appropriate safeguards in accordance with applicable laws, regulations, and organizational policies to mitigate such risks. This includes adhering to cybersecurity best practices and promptly reporting any suspected or confirmed breaches.