DIR Administrative Rules
VOLUME 1, TEXAS ADMINISTRATIVE CODE
PART X. DEPARTMENT OF INFORMATION RESOURCES
CHAPTER 201. PLANNING AND MANAGEMENT OF INFORMATION RESOURCES TECHNOLOGIES.
Contents:
Section 201.1. Definitions.
Section 201.3. Information Resources Managers.
Section 201.5. Agency Planning.
Section 201.7. Interagency Contracts for Information Resources Technologies.
Section 201.9. Board Policies.
Section 201.11. Procedure for Adoption of Information Resources Standards and Policies.
Section 201.13. Information Resource Standards.
Section 201.15. Charges for Copies of Public Records.
Section 201.17. Advisory Committees.
Section 201.1. Definitions.
The following words and terms, when used in this chapter, shall have the following
meanings, unless the context clearly indicates otherwise.
Application - A separately identifiable and interrelated set of information resources
technologies that allows a state agency to manipulate information resources to support
specifically defined objectives.
Board - The governing board of the Department of Information Resources.
Data processing - Information technology equipment and related services designed for the
automated storage, manipulation, and retrieval of data by electronic or mechanical means, or
both. The term includes:
(A) central processing units, front-end processing units, miniprocessors, microprocessors,
and related peripheral equipment such as data storage devices, document scanners,
data entry equipment, terminal controllers, data terminal equipment, computer-based
word processing systems other than memory typewriters, and equipment and systems
for computer networks;
(B) all related services, including feasibility studies, systems design, software
development, and time-sharing services, whether provided by state employees or by
others; and
(C) the programs and routines used to employ and control the capabilities of data
processing hardware, including operating systems, compilers, assemblers, utilities,
library routines, maintenance routines, applications, and computer networking
programs.
Department - The Department of Information Resources.
Geographic information system - A computer hardware and software system designed to
collect, manage, manipulate, analyze, and display spatially referenced data; includes attribute
data (usually in an associated data base), as well as graphic data which may be in vector (line) or
raster (image) form; may include cartographic and geographic data such as earth science, natural
resource, engineering, demographic, or socioeconomic data; and will include for purposes of
these rules all types of automated mapping, facilities management, and mapping applications
from a computer-aided design system.
Imaging systems - Information resources technologies with video, scanning, and computer
graphics capabilities (including raster formats) which are used to capture, process, create, output,
store, and/or archive images, excluding process-control systems for medical diagnostic
applications.
Information resources - The procedures, equipment, and software that are designed, built,
operated, and maintained to collect, record, process, store, retrieve, display, and transmit
information, and associated personnel including consultants and contractors.
Information resources services - Services provided under contract to a state agency by an
individual or firm, or by a consultant or professional engineer under Texas Civil Statutes,
Articles 664-4 and 6252-11c, which include: studying agency's existing information resources;
advising on necessary changes or additions to the information resources environment; performing
information resources feasibility studies; information resources training; or recommending,
managing, converting, designing, procuring, developing, documenting, programming, testing,
implementing, or installing new information resources, including systems development
methodologies and disaster recovery capabilities.
Information resources technologies - Data processing and telecommunications hardware,
software, services, supplies, personnel, facility resources, maintenance, and training.
Interagency application - An information resources project implemented or used by
multiple agencies.
Project - A program to provide information resources technologies support to functions
within or among elements of a state agency, which should be characterized by well-defined
parameters, specific objectives, common benefits, planned activities, a scheduled completion
date, and an established budget with a specified source of funding.
Risk - The possibility of an act or event occurring that would have an adverse effect on the
state, an organization or an information system. Risk involves both the probability of failure and
the possible consequences of a failure.
Risk Analysis - Risk analysis is the evaluation of planned project events and deliverables in
regards to various factors to consider the possibility or probability of failure and the
consequences of such a failure. Risk analysis will yield an identification of the areas of greater
and lower risk.
State agency - A department, commission, board, office, council, or other agency in the
executive or judicial branch of government that is created by the constitution or a statute of this
state, including a university system or institution of higher education as defined by the Education
Code, Section 61.003.
Statewide application - An information resources project implemented or used throughout
state government.
Telecommunications - Any transmission, emission, or reception of signs, signals, writings,
images, and sounds of intelligence of any nature by wire, radio, optical, or other electromagnetic
systems and includes all facilities and equipment performing those functions that are owned,
leased, or used by state agencies and branches of state government.
Telecommunications services - Intercity communications facilities or services.
"Telecommunications services" does not include single agency point-to-point radio systems or
facilities or services of criminal justice information systems.
Wide area network - A network that interconnects geographical boundaries (such as
buildings, campuses, cities, regions, and/or states) which has a total distance (first node to last
node) of 2 or more miles and might be connected using common carrier services.
Section 201.3. Information Resources Managers.
(a) Selection of information resources managers.
(1) The head of each state agency is ultimately responsible for the management of
state information resources.
(2) The head of a state agency may serve as the agency's information resources
manager or may designate another senior agency official to serve as the agency's
information resources manager in his behalf. If an institution of higher education
has separate computing facilities for academic and administrative computing
services, the institution may designate separate information resources managers
for academic and administrative information resources. The designation of an
agency information resources manager is intended to establish clear
accountability for setting policy for information resources management
activities, provide for greater coordination of the state agency's information
activities, and ensure greater visibility of such activities within and between
state agencies.
(3) A member of the board of the department may not also serve as the information
resources manager of a state agency.
(4) The head of each state agency shall designate an information resources manager.
The state agency's designation must contain the name, title, authority,
responsibilities, organizational resources, and education and experience of the
proposed information resources manager in the format prescribed by the
department. The department must notify the state agency in writing of receipt of
the designation of the information resources manager within 30 days after
receipt of the designation.
(b) Initial qualifications and continuing education.
(1) Any person who is appointed the information resources manager of a state
agency before September 1, 1992 is exempt from the requirements of the
department regarding initial education needed for that position.
(2) Any person who is designated by the head of a state agency as the information
resources manager of that agency on or after September 1, 1992 must be a senior
official of the agency. Agency heads are encouraged, but not required, to make
designations on the basis of qualification guidelines provided by the department.
After September 1, 1992, information resources managers for agencies should,
as a minimum, possess a four-year college or university degree from a
fully-accredited institution.
(3) Each designated agency information resources manager shall be required to
complete continuing education requirements approved by the board of the
department and provided by the department.
(4) The department will provide continuing education programs, including
educational materials and seminars, to assure that agency information resources
managers remain current in the field of information resources management.
Section 201.5. Agency Planning.
(a) Agency strategic plans.
(1) Submittal procedures.
(A) Each state agency shall prepare and submit to the department an agency
strategic plan for information management.
(B) The governing officer or chairman of the governing body of the agency
shall sign the plan if the agency is governed by fully paid, full-time state
officials. Otherwise, the executive director of the agency shall sign the
plan.
(C) Format of the agency strategic plan must comply with instructions, based
on paragraph (2) of this subsection, published by the department and
distributed to each agency prior to February 1 of each even-numbered year.
Content of the plan must include, in the format prescribed by the
department:
(i) an executive summary;
(ii) a statement of the agency's mission, goals, and programs;
(iii) a statement of the agency's planning assumptions;
(iv) a description of the present status of the organizational environment, information resources management policies and practices, personnel resources, and operating environment;
(v) a statement of information resources goals and strategies;
(vi) a statement of agency compliance with and support for the state
strategic plan for information resources;
(vii) a statement of the agency's long-term information resources needs.
(D) Each agency must submit the agency strategic plan by January 1 of each
odd-numbered year.
(2) Contents. Each agency strategic plan must include:
(A) a summary of the agency's goals, objectives, and current programs as
found in the agency's legislative appropriations request;
(B) a description of the agency's major data bases and applications;
(C) a description of the agency's current information resources management
organizations, policies, and practices;
(D) a description of interagency computer networks in which the agency
participates;
(E) a statement of the strategic objectives of the agency relating to information
resources management for the next five fiscal years, beginning with the
fiscal year in which the plan is submitted, with a description of how those
objectives help achieve the agency's programs and goals and support the
goals and policies of the state strategic plan;
(F) other planning components as defined in the department's published
instructions.
(3) Review procedures.
(A) The department will evaluate agency strategic plans:
(i) for consistency with the state strategic plan, including compliance
with standards adopted by publication in the state strategic plan;
(ii) for assurance that agency goals and strategies for information
resources are consistent with agency mission, goals, and
objectives;
(iii) for the effective use of information resources technologies in
support of the agency's mission and its information needs;
(iv) for the technical feasibility of the plan.
(B) The department will review and approve or disapprove each agency strategic
plan in writing no later than April 15 of each odd-numbered year. If the
department disapproves an agency's plan, it shall notify the agency's information
resources manager and executive director in writing of the reasons for
disapproval. The agency may appeal the department's disapproval at the next
regularly scheduled board meeting.
(b) Biennial operating plans.
(1) Submittal procedures.
(A) Each state agency shall prepare and submit a biennial operating plan to the
department once each biennium. The plan is due no later than the 30th day
after the date the General Appropriations Act becomes law.
(B) Format of the biennial operating plan must comply with instructions,
based on paragraph (2) of this subsection, published by the department and
distributed to each state agency.
(C) The governing body of the submitting agency must approve the biennial
operating plan, and the information resources manager or the agency head
must sign the biennial operating plan.
(D) Extensions on the Biennial Operating Plan deadline may be granted by the
department. Within ten days of receiving an agency's request for extension,
the department shall inform the agency whether the extension is approved
or disapproved.
(E) An agency may request an extension of the deadline for submitting its
Biennial Operating Plan. The request should describe the agency's need for
additional time, and must be submitted to the department within 15 days
after the General Appropriations Act becomes law.
(2) Contents. An agency's biennial operating plan must include:
(A) the amount of money related to information resources actually
appropriated to the agency for the biennium beginning September 1; and
(B) Information in the format specified by the department in the operating plan
instructions. These instructions are adopted by reference. Copies may be
obtained in person or in writing at the Department of Information
Resources, P.O. Box 13564, Austin, Texas 78711.
(3) Review procedures.
(A) The department will evaluate biennial operating plans:
(i) for consistency with the General Appropriations Act, other
legislation;
(ii) for consistency with the state and agency strategic plans;
(iii) for completeness with respect to published instructions based on
paragraph (2) of this subsection;
(iv) for the agency organizational and operational environment;
(v) for needs and benefits;
(vi) for technical validity;
(vii) for cost effective implementation of information resources
technologies to meet the agency mission.
(B) The department will review and approve or disapprove each biennial
operating plan in writing no later than 45 working days after receipt of the
plan. The department may approve all or part of a plan.
(C) The department may not approve an agency's biennial operating plan
unless the agency has submitted, and the department has approved, a
current agency strategic plan.
(D) If the department disapproves an agency's biennial operating plan, the
agency may appeal the decision at the next regularly scheduled board
meeting.
(c) Plan amendments.
(1) Submittal procedures.
(A) A state agency shall amend its strategic plan, and/or biennial operating
plan when necessary during a biennium. An agency may amend the plans,
for example, to implement recommendations resulting from a consulting
services contract or staff report that may affect information resources
strategies, changes in information resources technologies, or changes in
the agency's management of information resources.
(B) A state agency must submit proposed plan amendments to the department
for approval.
(2) Review procedures. The department will review and approve or disapprove each
proposed plan amendment no later than 30 working days after it is received.
Instructions for the format and content of plan amendments and criteria for
review of these amendments based on this paragraph for strategic plans, and this
paragraph of this subsection for biennial operating plans will be published by
the department.
(d) Appeal procedures.
(1) Submittal procedures. A state agency that disagrees with the department's
disapproval of a plan, part of a plan, plan amendment, or analysis of project
acquisition alternatives may submit a written request to the department for
special review no later than 30 days after notification of department disapproval.
(2) Department response.
(A) Upon receipt of a request for appeal, the executive director of the
department shall immediately:
(i) inform the agency requesting appeal of the date of the next
regularly scheduled board meeting;
(ii) inform the board of the request for appeal; and
(iii) post the appeal on the agenda of the next regularly scheduled board
meeting.
(B) The executive director of the department shall provide the following at
least three days before the appeal will be heard by the board:
(i) to each board member - a copy of the agency's document to which
the appeal pertains, a copy of the department's analysis, a copy of
the notice of disapproval, and any other documentation the
department considers pertinent or the board member requests;
(ii) to the agency - a copy of the department's analysis.
(C) The board shall decide by majority vote whether to support or overturn the
department's disapproval. The state agency may appear and present its
position at that meeting. The decision of the board is final.
(e) Implementation of approved plans.
(1) As a consequence of evaluating an agency's biennial operating plan, the
department may make approval of the plan, or part of a plan, conditional upon
the submission of the following additional information relating to a proposed
action to implement the plan:
(A) total estimated costs of the proposed action;
(B) updated statements of need and related performance objectives;
(C) a cost-benefit analysis of the proposed action and alternatives; and
(D) any other factors the department determines necessary.
(2) The department will identify the additional information required under this
subsection with reasonable specificity at the time it completes its evaluation of a
plan. The condition to the plan approval must be satisfied prior to the agency
implementing the affected portions of the plan.
(f) Review of State Agency Analyses of Project Acquisition Alternatives.
(1) Applicability.
(A) Departmental review of analyses of project acquisition alternatives is
required for:
(i) state agency information resources projects over the agency
threshold as described in an agency's biennial operating plan, or
(ii) any state agency information resources project or other activity as
stipulated by the department in its approval of the biennial
operating plan; except
(iii) These provisions shall not apply for any agency projects to expand
or enhance existing information resources capacity with no
significant change in technical environment.
(B) The provisions of this subsection shall only apply to any state agency
specified in Article V, Section 96, subsection 6 of the General
Appropriations Act.
(2) Waivers.
(A) A waiver shall be granted to any state agency on an emergency basis
without first complying with the procedures prescribed by this section for
any projects which may become necessary as a result of a natural or human
disaster; any order of a court of competent jurisdiction when the ordered
period of compliance is less than six months unless the agency has
received prior approval for an emergency implementation period in excess
of six months; any act of exemption by the Texas Legislature; or other
documented emergency conditions. The agency must report and explain to
the department any emergency action within 30 days after the action is
taken.
(B) A waiver shall automatically apply to any agency whose biennial operating
plan projects are classified only as baseline operations, or growth and
expansion, or telecommunications and where the agency's total direct costs
for all of those projects are less than $750,000.
(C) A waiver shall apply for any agency projects in progress beyond the
planning or feasibility study stage on or before May 1, 1992. Such waivers
must be requested in writing by the Information Resources Manager. The
department will grant or deny waiver requests within 10 working days of
receipt of the request, based on evidence of project status.
(3) Compliance; Adoption by Reference. Each analysis of project acquisition
alternatives prepared by an agency and submitted to the department must
include information in the format specified by the department in the Guide for
the Analysis of Project Acquisition Alternatives (hereafter referred to as
"Guide"). Information concerning the Guide adopted by reference may be
obtained from the Department of Information Resources, P. O. Box 13564,
Austin, Texas 78711.
(4) Submittal procedures.
(A) Before project initiation beyond the planning or feasibility stage, each state
agency shall prepare and submit to the department an analysis of project
acquisition alternatives for projects which meet the applicability
requirements stated in paragraph (1) of this subsection and which do not
qualify for a waiver under paragraph (2) of this subsection. Agency
submissions of information for departmental review shall occur within the
timeframes specified in the Guide.
(B) The Information Resources Manager shall sign the transmittal document
for the analysis of alternatives.
(5) Review procedures. The department may not approve an agency's analysis
unless the agency has submitted, and the department has approved, a current
agency strategic and operating plan.
(A) The department will evaluate alternative analyses:
(i) for completeness with respect to published instructions in the
Guide. The analysis shall address, but not be limited to, the
following factors:
(I) start-up costs associated with the acquisition, including but
not limited to the purchase price of the acquisition, site
preparation costs, freight charges, and staff costs;
(II) estimated cost of maintenance;
(III) estimated cost of supplies;
(IV) estimated cost of employee training;
(V) estimated cost of additional long-term staff needed;
(VI) estimated increase in employee productivity;
(VII) consistency with agency plans approved by DIR;
(VIII) consistency with statewide standards and policies
established in the Statewide Strategic Plan.
(ii) for cost-effectiveness in accordance with published instructions in
the Guide or other rule of the department; and
(iii) for any other information the department deems necessary and
appropriate.
(B) The department will review and approve or disapprove each analysis of
project acquisition alternatives in writing no later than 30 days after receipt
of the documents. If the department does not act within the time allowed,
the agency may proceed with its project; however, departmental inaction
does not exempt the agency, its projects, or its activities from other
procedural requirements of the department under this chapter.
(i) First review. If the department disapproves an agency's initial
analysis, the agency may perform a recertification of the analysis
by an independent reviewer and request a second review as
specified in the Guide.
(ii) Second review. If the department disapproves an agency's second
analysis, the agency may appeal the decision to the board, under
the provisions of subsection (e) of this section, provided the
request for appeal is accompanied by the department's disapproval
notices and the independent certification of the analysis.
(g) Quality Assurance Review.
(1) Applicability.
(A) Major information resources projects shall be construed as any information
resources technology project identified in an agency operating plan whose
development cost exceeds $1,000,000 and include one or more of the
following:
(i) require a year or more to reach operational status;
(ii) involve more than one state agency or government; or
(iii) materially alters work methods of agency personnel and/or the
delivery of services to agency clients.
(B) Appropriation authority provided for major information resources projects
as specified in Subparagraph (A) of this paragraph is contingent upon
approval of the project by a Quality Assurance Team comprised of the
Legislative Budget Office, Department of Information Resources, and
Office of the State Auditor.
(2) Waivers.
(A) Emergencies. A waiver from the quality assurance review and
independent risk analysis shall be granted to any state agency on an
emergency basis without first complying with the procedures prescribed by
this section for any projects which may become necessary as a result of a
fire, natural disaster or other actual emergency. A report explaining the
emergency action must be filed with the Quality Assurance Team not later
than the 30th calendar day after the action is taken.
(B) The Quality Assurance Team may at any time waive in whole or in part,
the requirement for the independent risk analysis for any project it deems
appropriate.
(3) Submittal.
(A) Based on the determination of the level of risk by the Quality Assurance
Team, it may require the agency to submit a project development plan.
The project development plan shall include a description of management
and project controls and shall detail system development milestones.
(B) The Project Development Plan will be signed by the agency's Information
Resources Manager and will be submitted to Quality Assurance Team if it
is required to be accomplished. Any subsequent changes to the plan by the
agency that are material in scope or affect the cost or schedule of the
project will be signed by the Information Resources Manager and provided
to the Quality Assurance Team.
(C) An independent risk analysis is required unless it has been waived by the
Quality Assurance Team. The results of the independent risk analysis
must be reviewed by the Quality Assurance Team before appropriation
authority is approved for the project.
(4) Quality assurance process.
(A) Using the agency's Biennial Operating Plan, Biennial Operating Plan
amendments and any risk assessment information or recommendations, the
Quality Assurance Team will determine the project risk level, whether an
independent risk analysis is required, the level of monitoring required and
if any other action(s) may be necessary. The level of monitoring shall be
proportional to the level of risk identified.
(B) Independent Risk Analysis Requirements.
(i) If an independent risk analysis is required, it shall be performed
without conflict of interest, prepared by parties independent from
the management directly responsible for the development,
acquisition, or delivery of information resources projects. Any
need for subsequent independent risk analyses will be determined
by the Quality Assurance Team.
(ii) The risk analysis must identify potential risks that may occur
throughout the project development life cycle.
(iii) The risk analysis shall include, but not be limited to, the following
factors:
(I) potential impact on statewide goals, objectives, or
operations;
(II) completeness of planning;
(III) appropriateness of the technical solution and/or feasibility;
(IV) consideration of alternatives;
(V) size, costs, and complexity of project;
(VI) use of a standard systems development methodology;
(VII) past performance of the agency; and
(VIII) any other factors the quality assurance team may prescribe.
(C) A post-implementation evaluation report may be required and would be
provided to agency executive management and the Quality Assurance
Team after the implementation of a major information resources project.
The report shall serve as an assessment of the new system in terms of
benefits and costs.
(5) Approval Process.
(A) The agency must demonstrate to the satisfaction of the Quality Assurance
Team that the agency has met project milestones as identified in the
approved project development plan prior to the expenditure of funds for
major information resources projects in subsequent specified intervals.
The agency may be required to submit reports regarding significant project
delays and cost overruns.
(B) The Quality Assurance Team will determine the funding status. A letter
will be sent notifying the agency of the project risk status, funding amount
approved, conditions, stipulations, monitoring level and actions, and the
next scheduled review point in time or by event/milestone. An agency
may request the opportunity to provide additional information.
(6) Notification of project termination and appeal process.
(A) If the Quality Assurance Team disapproves a project, the following
information will be provided to the agency:
(i) notification of pending action;
(ii) reasons for termination of funding; and
(iii) procedures for requesting a reconsideration action.
(B) The agency may request a hearing within 10 work days of the notification
of pending action.
(C) After the appeal process is completed, the Quality Assurance Team will
notify the agency and the Comptroller of Public Accounts as to
expenditure limitations of the project. The Quality Assurance Team will
also notify the Legislative Budget Board and the Governor's Office of
Budget and Planning regarding the restriction of expenditures and
recommended action, if appropriate. The Legislative Budget Board will
notify the Comptroller of Public Accounts as to the final disposition of
project funds.
Section 201.7. Interagency Contracts for Information Resources Technologies.
(a) Public solicitation required.
(1) Except as otherwise provided in subsection (b) of this section, each state agency
that proposes to receive information resources technologies under a contract
from another state agency must first solicit bids or proposals for the
procurement of such technologies by giving public notice of a request for
proposals or a request for bids.
(2) Each state agency that solicits bids or proposals from the public for the
procurement of information resources technologies must do so in accordance
with applicable rules adopted by the General Services Commission pertaining to
competitive bidding or competitive sealed proposals.
(3) If a state agency receives a bid or a proposal from a private vendor in
response to a solicitation issued in accordance with this subsection, it must
review the bid or proposal and compare it with the best proposed
interagency contract that is currently available to the state agency for the
receipt of such information resources technologies. Specifically, the state
agency must determine whether the bid or proposal:
(A) is for the same or substantially the same technologies as those
available under the proposed interagency contract;
(B) would allow the state agency to accomplish the application or
project at an acceptable level of quality;
(C) would allow the state agency to accomplish the application or
project in an acceptable period of time; and
(D) would have a total cost to the state that is less than the total cost to
the state of the best proposed interagency contract that is currently
available to the state agency.
(4) If a state agency receives a bid or proposal from a private vendor that
satisfies all of the criteria listed under paragraph (3) of this subsection, it
may not enter into an interagency contract for the receipt of such
information resources technologies.
(b) Exceptions to public solicitation requirement. A state agency may procure
information resources technologies from another state agency without first giving
public notice of a request for proposals or an invitation for bids in the following
cases:
(1) the total dollar amount of the proposed interagency contract does
not exceed $50,000;
(2) the state agency has requested and received a waiver from the department
in accordance with subsection (c) of this section, and the total dollar
amount of the proposed interagency contract does not exceed the amount
specified by the department in the waiver; or
(3) the total dollar amount of the proposed interagency contract does
not exceed $1,000,000, and one or more of the following
circumstances are present:
(A) the primary purpose of the proposed interagency contract is the
direct accomplishment of a specific legislative mandate;
(B) the same or substantially the same information resources
technologies are available from two or more private vendors under
the catalogue purchasing procedure of the General Services
Commission at a cost that exceeds the cost of the proposed
interagency contract;
(C) the procurement constitutes an emergency purchase under
applicable rules of the General Services Commission;
(D) the procurement constitutes a proprietary purchase under
applicable rules of the General Services Commission;
(E) both parties to the proposed interagency contract are institutions of
higher education with a common governing board, as those terms
are defined in the Education Code, Section 61.003; or
(F) both parties to the proposed interagency contract are health and
human service agencies, as that term is defined in Texas Civil
Statutes, Article 4413(502).
(c) Waivers.
(1) A state agency may submit a written request to the department for a waiver of
the public solicitation requirement described in subsection (a) of this section.
The written request must include the following:
(A) a description of the proposed interagency contract, including the total
dollar amount of the contract;
(B) a description of the circumstances that would, in the opinion of the
requesting state agency, justify an exception to the public solicitation
requirement;
(C) a certification that a procurement under the proposed interagency
contract would, in the opinion of the requesting state agency, be
more cost effective than a procurement based on a public
solicitation of bids or proposals;
(D) detailed cost information to support the certification of cost
effectiveness; and
(E) any other information requested by the department.
(2) Upon receipt of a request for a waiver, the department shall promptly review the
request to determine whether it contains the required information and the
required certification of cost effectiveness. If the request does contain such
information and certification, the department will then review the request to
determine whether the proposed interagency contract is consistent with the
requesting state agency's current biennial operating plan and all amendments, if
any, that have been approved by the department. Unless the proposed
interagency contract is clearly inconsistent with the agency's current approved
plan and amendments, the department shall issue a written determination that a
procurement under the proposed contract is presumed by the department to be
more cost effective than a procurement based on a public solicitation of bids or
proposals, and shall issue a written waiver of the public solicitation requirement
for the proposed contract. The written waiver shall specify the maximum dollar
amount that may be expended in connection with the proposed contract without
having to comply with the public solicitation requirement.
(3) If the department has not issued a written denial of the waiver request within
thirty calendar days following the date of its receipt of the request, the request
for a waiver shall be deemed to have been approved for an amount equal to the
total dollar amount of the proposed interagency contract.
(4) A decision by the department regarding the issuance of a waiver or a
determination of cost effectiveness is final and may not be appealed.
Section 201.9. Board Policies.
The executive director is hereby delegated authority by the board to grant a requesting state
agency a compliance waiver from administrative rule, statewide standards, or other board
policies. A state agency may request a compliance waiver from administrative rule, statewide
standards or other board policy. The agency must clearly demonstrate to the department through
written justification any performance or cost advantages to be gained and that the overall
economic interests of the state are best served by granting the compliance waiver. The executive
director of the department will notify the board when requests for waivers are received.
Section 201.11. Procedure for Adoption of Information Resources Standards and Policies.
(a) Preparation. The department shall prepare proposals for information resources
standards and policies as authorized by the Information Resources Management Act.
Official information resources standards and policies may be embodied either in
administrative rule or the State Strategic Plan for Information Resources
Management.
(b) Advisory committees. The department may appoint advisory committees to provide
additional expertise to the department in the development or refinement of
information resources standards and policies.
(c) Public comments. The department will allow all interested persons reasonable
opportunity to submit data, views, or arguments, orally or in writing, concerning the
proposed information resources standards and policies, prior to adoption by the
Board.
(1) Notice and invitation for comment. The department will give a minimum of 30
days notice and invitation for comment in the Texas Register of its intended
action to adopt information resources standards and policies. Written comments
received after the end of that period will not be considered by the Board in its
deliberations. Written comments concerning proposed actions must be received
by the party named in the Texas Register prior to 5:00 p.m. on the expiration
day of the notice and comment period. The transmittal envelope must be clearly
marked "Formal Comment to Proposed Action Enclosed." Any written
comments received after 5:00 p.m. on the final day of the notice and comment
period will be returned to sender unopened.
(2) Hearings. An opportunity for separate public hearing on proposed information
resources standards and policies will be granted if requested within 10 days after
the close of the comment period by at least 25 persons, a governmental
subdivision or agency, or by an association having at least 25 members.
Multiple requests for public hearings will be consolidated; hearings requested
will be announced as open meetings in the Texas Register. Public hearings may
be conducted by staff; Board members may elect whether to attend. Public
testimony will also be accepted by the department at regularly scheduled Board
meetings in accordance with procedures specified by the Texas Open Meetings
Act. The Board reserves the right to limit the length of oral presentations in
public hearings.
(d) Adoption. The Board will adopt information resources standards and policies by a
majority vote. Publication and statewide dissemination by the department will
commence upon Board approval.
(e) Amendments. Amendments to the information resources standards and policies may
be adopted by the Board at any time, using these procedures, in response to
technological advancements, changes in legislation, practical experience, or new
issues relating to information resources management.
(f) Continuation of existing standards and policies. Existing information resources
standards and policies adopted by Board action prior to the date of final adoption of
this rule are deemed to have been subjected to sufficient public comment and will
continue in effect until amended without further required action by the department.
Section 201.13. Information Resource Standards.
(a) Geographic Information Systems Standards.
(1) Applicability.
(A) All digital spatial data users and developers of new geographic
information systems in state agencies and universities must comply with
the technical standards specified in the Standards and Guidelines for
Geographic Information Systems in the State of Texas.
(B) An institution of higher education, as defined by the Education Code,
Section 61.003, will be exempted from these standards when geographic
information systems are acquired solely for instructional purposes.
(C) Currently operating systems which are structurally unable to comply are
not required to retrofit to these standards.
(2) Waivers.
(A) A waiver shall be granted to any state agency due to any order of a court of
competent jurisdiction when the ordered period of compliance is less than
90 days; or any act of exemption by the Texas Legislature.
(B) Letter applications for waivers will be made in writing to the department
by the agency information resources manager (IRM). Within 10 days after
initial receipt of the waiver request, the department will notify the
submitting state agency of all supporting information the department
requires to conduct its review. The date of receipt of the waiver
application is either the initial date of arrival of the request, or the date that
any supporting or other information, if requested, is received. Review shall
commence on the date of receipt. The department will conduct its review
within 30 days after the date of its receipt, evaluate the applications, and
grant or deny these waiver requests based on an analysis of the particular
circumstances or environment. Consultation with the Geographic
Information Systems Standards Committee will be included in the waiver
process on an as needed basis, and the committee will review all waivers
at their semiannual meetings.
(C) The acquisition of software which cannot support these standards will not
be grounds for a waiver.
(3) Adoption by Reference. The Standards and Guidelines for Geographic
Information Systems in the State of Texas, herein adopted by reference, may be
obtained from the Department of Information Resources, P.O. Box 13564,
Austin, Texas 78711.
(4) Submittal procedures. The agency Information Resource Manager (IRM) will
certify that Geographic Information Systems development in the agency adheres
to the Standards and Guidelines for Geographic Information Systems in the
State of Texas.
(5) Review procedures.
(A) The certification will be reviewed by the department and the Geographic
Information Systems Standards Committee to determine compliance and
agency comprehension of the standards. Review procedures and any
subsequent on-site assessment will be consistent with Section 7 of the
Standards and Guidelines for Geographic Information Systems in the State
of Texas.
(B) The agencies may also request a peer review be performed at any time
during the year. Upon receiving such a request, the department will
schedule a review as soon as possible.
(b) Information security standards.
(1) Applicability. The following rule constitutes required minimum security
standards for the protection of automated information resources for agencies of
the state of Texas. The department requests each agency to complete
implementation of an information resources security program consistent with
these standards on or before September 1, 1997 in accordance with the
implementation schedule of subsection (12). Beginning with the agency
information resources strategic plan to be submitted on January 1, 1993,
agencies shall include in each biennial strategic plan for information resources
an overview of their current information security posture and their future plans
for completing development of a security program, consistent with these
standards and implementation schedule, over each current strategic planning
cycle. To assist in the interpretation and implementation of these standards, the
department has developed the Information Resources Security and Risk
Management Policy, Standards and Guidelines manual which is available on
request from the Department of Information Resources, P.O. Box 13564,
Austin, Texas 78711.
(2) Classification of information. The state's automated information files and
databases are essential and vital public resources which must be protected from
unauthorized modification, deletion or disclosure. Subject to executive
management review, agency program managers have responsibility for the
information assets utilized in carrying out the programs under their direction and
accordingly are responsible for classifying program information.
(A) For purposes of this subsection, two classifications of information are
defined which require special protective precautions:
(i) confidential information - information maintained by state agencies
that is exempt from disclosure under the provisions of the Texas
Open Records Act or other state or federal law; and
(ii) sensitive information - information maintained by state agencies
that requires special precautions, as determined by agency
standards and risk management decisions, to assure its accuracy
and integrity by utilizing error checking, verification procedures
and/or access control to protect it from unauthorized modification
or deletion.
(B) As defined in subparagraph (A)(ii) of this paragraph, sensitive information
may be either public or confidential and requires a higher than normal
assurance of accuracy and completeness. Likewise, confidential
information may also be considered sensitive, requiring special measures
to ensure its accuracy. Thus, the controlling factor for confidential
information is dissemination, while the controlling factor for sensitive
information is that of integrity.
(3) Policy. It is the policy of the State of Texas that:
(A) Automated information and information resources residing in the various
agencies of state government are strategic and vital assets belonging to the
people of Texas. These assets require a degree of protection commensurate
with their value. Measures shall be taken to protect these assets against
accidental or unauthorized disclosure, modification, or destruction, as well
as to assure the security, reliability, integrity and availability of
information.
(B) The protection of assets is a management responsibility.
(C) Access to state information resources must be strictly controlled. State law
requires that state owned information resources be used only for official
state purposes.
(D) Information which is sensitive or confidential must be protected from
unauthorized access or modification. Data which is essential to critical
state functions must be protected from loss, contamination, or destruction.
(E) Risks to information resources must be managed. The expense of security
safeguards must be appropriate to the value of the assets being protected,
considering value to both the state and a potential intruder.
(F) The integrity of data, its source, its destination, and processes applied to it
must be assured. Changes to data must be made only in authorized and
acceptable ways.
(G) In the event a disaster or catastrophe disables information processing and
related telecommunication functions, the ability to continue critical
governmental services must be assured. Information resources must be
available when needed.
(H) Security needs must be considered and addressed in all phases of
development or acquisition of new information processing systems.
(I) Security awareness and training of employees is one of the most effective
means of reducing vulnerability to errors and fraud and must be
continually emphasized and reinforced at all levels of management. All
individuals must be accountable for their actions relating to information
resources.
(J) Agency information security programs must be responsive and adaptable
to changing vulnerabilities and technologies affecting state information
resources.
(K) Agencies must ensure adequate separation of functions for tasks that are
susceptible to fraudulent or other unauthorized activity.
(4) Management and staff responsibilities.
(A) The responsibilities of a position with respect to security and risk
management shall be commensurate with its authority. Descriptions of
security roles and responsibilities for agency personnel shall be included in
written position descriptions and compiled in the agency security manual
developed and maintained by the information security function.
(B) Each agency head, or the information resources manager acting on
delegated authority, shall institute an information security function to
administer the agency information security program. It shall be the duty
and responsibility of this function to establish all procedures and practices
necessary to ensure the security of information assets against unauthorized
or accidental modification, destruction, or disclosure. The information
security function within each agency shall document and maintain an
up-to-date internal information security program. The agency security
program shall include written internal policies and procedures for the
protection of information resources, be an instrument implementing state
information security policies and standards, be applicable to all elements
of the agency and be signed by the information resources manager or the
agency head.
(C) The Information Resources Management Act makes it clear that
information and information resources residing in the various agencies of
state government are assets owned by the people of Texas. For the purpose
of information resources security and risk management, the concept of
owners, custodians and users of information resources, and their surrogate
responsibilities to the people of Texas, is utilized in the development of an
information security program. The effectiveness of the program depends to
a large extent on the correct identification of those surrogate owners,
custodians, and users of information. Owners, custodians, and users of
data, software, and other information resources shall be identified,
documented, and their responsibilities defined. All resources shall be
assigned an owner. In cases where data or software is aggregated for
purposes of ownership, the aggregation shall be at a level which assures
individual accountability. The following distinctions among owner,
custodian, and user responsibilities should guide determination of these
roles.
(i) Owner responsibilities. The owner of information resources is the
designated individual upon whom responsibility rests for carrying
out the program that uses the resources. That person is referred to
herein as a program manager. The owner, or program manager, is
responsible and authorized to: approve access and formally assign
custody of the asset; judge the asset's value; specify data control
requirements and convey them to users and custodians; and ensure
compliance with applicable controls. Ownership responsibilities
apply in the development of outsourcing contracts with private
firms or with other agencies. These contracts must specify
appropriate controls, based on risk assessment, to ensure protection
of the state's confidential or sensitive information files, databases
and software from unauthorized modification, deletion or
disclosure.
(ii) Custodian responsibilities. A custodian is the agent in charge of the
organizational unit providing technical facilities, data processing
and other support services to owners and users of automated
information. The custodian of information resources is assigned the
responsibility to: implement the controls specified by the owner;
provide physical and procedural safeguards for the information
resources within the facility; assist owners in evaluating the
cost-effectiveness of controls; administer access to the information
resources; and to make provisions for timely detection, reporting,
and analysis of unauthorized attempts to gain access to information
resources. Custodial responsibilities apply to all entities providing
outsourcing services to state agencies.
(iii) User responsibilities. The users of information resources have the
responsibility to: use the resource only for the purposes specified
by its owner; comply with controls established by the owner; and
prevent disclosure of confidential or sensitive information.
(D) The agency information security function acting on behalf of the agency
head and with cooperation from program and technical management, shall
assign information asset ownership and ownership responsibilities for all
information resources within the agency.
(E) Program managers, having been assigned information resource ownership,
shall assign custody of program assets to appropriate technical and data
center managers and ensure they are provided the appropriate direction to
implement the security controls and procedures that have been defined.
(F) Technical managers, assigned information resource custodianship, are
charged with executing the monitoring techniques and procedures for
detecting, reporting and investigating breaches in information asset
security.
(G) An internal audit of the information security function shall be performed
periodically, based on risk assessment, as directed by the agency head or
the information resources manager acting on delegated authority for risk
management decisions.
(5) Risk analysis.
(A) The information security function within each agency shall require a
comprehensive risk analysis of all information processing systems be
performed on a periodic basis as set by agency standards. Risk analysis
results shall be presented to the owner of the information resource for risk
management. Each step of the risk analysis process must be documented.
The degree of risk acceptance (i.e., the exposure remaining after
implementation of the recommended protective measures) must be
identified.
(B) A risk analysis report documenting the risk assessment must be submitted
to the agency head. The risk analysis process provides the basis for
preparing the agency's risk analysis report.
(C) All information resources determined by agency management to be
essential to the agency's critical mission and functions, the loss of which
would have an unacceptable impact, shall have a written and cost effective
contingency plan that will provide for the prompt and effective
continuation of critical state missions in the event of a disaster. The
contingency plan shall be tested and updated at least annually to assure
that it is valid and remains current.
(D) Data and software essential to the continued operation of critical agency
functions shall be backed up. The security controls over the backup
resources shall be as stringent as the protection required of the primary
resources.
(6) Personnel Practices.
(A) Each agency shall prepare a security manual that lists the agency's security
policies and procedures. All agency personnel shall be required to provide
written acknowledgment that they have received, read and understand the
security policies and procedures. The agency head, or the information
resources manager acting on delegated authority, shall determine how
often this written acknowledgment must be renewed.
(B) Each agency shall establish procedures for reviewing information resource
functions to determine which positions require special trust or
responsibilities.
(C) Agencies shall use non-disclosure agreements to document the acceptance
by employees and contractors of special information security requirements
as defined by agency standards and risk management decisions.
(D) Agencies shall provide an ongoing awareness and training program in
information security and in the protection of state information resources
for all personnel whose duties bring them into contact with confidential or
sensitive state information resources. Security training sessions for these
personnel shall be held at least annually. Further, awareness and training in
security shall not be limited to formal training sessions, but shall include
periodic briefings and continual reinforcement of the value of security
consciousness in all employees whose duties bring them into contact with
confidential or sensitive state information resources.
(E) State agencies shall take advantage of new employee orientation to
establish security awareness and inform new employees and contractors of
information security policies and procedures. If an employee leaves the
employment of any agency of the state, for whatever reason, all security
privileges shall be immediately revoked and the employee shall be
prevented from having any opportunity to access information.
(7) Physical security.
(A) Management reviews of physical security measures shall be conducted
annually, as well as whenever facilities or security procedures are
significantly modified.
(B) Physical access to central computer rooms shall be restricted to only
authorized personnel. Authorized visitors shall be recorded and
supervised.
(C) Employees and information resources shall be protected from
environmental hazards. Designated employees shall be trained to monitor
environmental control procedures and equipment and shall be trained in
desired response in case of emergencies or equipment problems.
(D) Confidential or sensitive information, when handled or processed by
terminals, communication switches, and network components outside the
central computer room, shall receive the level of protection necessary to
ensure its integrity and confidentiality. The required protection may be
achieved by physical or logical controls, or a mix thereof.
(E) Emergency procedures shall be developed and regularly tested.
(8) Information security.
(A) Authorized use and ownership.
(i) All information and telecommunication resources leased or owned
by the state and all time-sharing services billed to the state shall be
used only to conduct state business.
(ii) All computer software programs, applications, source code, object
code, and documentation shall be deemed to be a work made for
hire and is state property and shall be protected as such if
developed:
(I) by state employees in the course and scope of their
employment or with the use of state equipment, materials,
or other resources, with the exception of employees of
universities and other institutions of higher education,
provided such university or institution has an intellectual
property policy in place which addresses ownership rights
regarding software development; or
(II) by contract personnel acting under a contract with the state,
unless the contract under which the software or
documentation is developed specifically provides
otherwise; or
(III) with state funds.
(iii) All computer software programs, applications, and documentation
purchased for the use of the state is state property and shall be
protected as such.
(B) Confidentiality of data and systems.
(i) Confidential information shall be accessible only to personnel who
are authorized by the owner on a strict "need to know" basis in the
performance of their duties. Data containing any confidential
information shall be readily identifiable and treated as such in its
entirety.
(ii) When confidential or sensitive information from one agency is
received by another agency in connection with the transaction of
official business, the receiving agency shall maintain the
confidentiality or sensitivity of the information in accordance
with the conditions imposed by the providing agency.
(C) Integrity. Controls shall be established to ensure the accuracy and
completeness of data. User management shall ensure that data comes from
the appropriate source for the intended use.
(D) Passwords.
(i) Except for public users of systems where such access is authorized,
or for situations where risk analysis demonstrates no need for
individual accountability of users, each user of a multiple-user
automated system shall be assigned a unique personal identifier or
user identification. User identification shall be authenticated before
the system may grant that user access to automated information.
(ii) A user's access authorization shall be removed from the system
when the user's employment is terminated or the user transfers to a
position where access to the system is no longer required.
(iii) Systems which use passwords shall conform to the federal standard
on password usage contained in the Federal Information Processing
Standard Publication 112 (FIPS PUB 112), which specifies
minimum criteria and provides guidance for selecting additional
password security criteria, when appropriate. A current password
standard compliance document shall be maintained for each system
which uses passwords, specifying the criteria to be met for the ten
factors which address design, implementation, and use of access
control systems as contained in the FIPS PUB 112 standard.
(E) Auditability.
(i) Audit trails shall be maintained to provide accountability for all
accesses to confidential or sensitive information and software and
for all changes to automated security or access rules.
(ii) An auditable, continuous chain of custody shall record the transfer
of confidential or sensitive information.
(iii) A sufficiently complete history of transactions shall be maintained
for each session involving access to confidential or sensitive
information to permit an audit of the system by tracing the
activities of individuals through the system.
(iv) Automated systems which process confidential or sensitive
information must provide the means whereby authorized personnel
have the ability to audit and establish individual accountability for
any action that can potentially cause access to, generation of, or
effect the release of the information.
(F) Access controls. Controls shall ensure that legitimate users of the
computer cannot access stored software or data unless they have been
authorized to do so.
(G) Security breaches.
(i) Security breaches shall be promptly investigated.
(ii) If criminal action is suspected, the agency must contact the
appropriate local law enforcement and investigative authorities
immediately. Laws governing the admissibility of evidence are
very strict, and without professional advice the agency may be
jeopardizing possible legal actions.
(H) Systems development and testing.
(i) Test functions shall be kept either physically or logically separate
from production functions. Copies of production data shall not be
used for testing unless the data has been declassified or unless all
personnel involved in testing are otherwise authorized access to the
data.
(ii) Appropriate information security and audit controls shall be
incorporated into new systems. Each phase of systems acquisition
shall incorporate corresponding development or assurances of
security and auditability controls.
(iii) After a new system has been placed in operation, all program
changes shall be approved before implementation to determine
whether they have been authorized, tested, and documented.
(9) Authentication, data encryption, and key management.
(A) Systems shall implement authentication functions that are consistent with
the level of confidentiality or sensitivity of the data they contain and
process.
(B) It will not be a requirement at this time for agencies to use data encryption
techniques for storage and transmission of data. However, those agencies
who choose to employ data encryption shall adopt the data encryption
standard, also referred to as the DES algorithm, which is defined in the
Federal Information Processing Standard Publication 46-1 (FIPS PUB
46-1). It is highly recommended that electronic fund transfer (EFT)
systems use the data encryption standard (DES). For systems employing
encryption as described above, procedures shall be prescribed for secure
handling, distribution, storage, and construction of DES key variables used
for encryption and decryption. Protection of the key shall be at least as
stringent as the protection required for the information encrypted with the
key.
(10) Data communication systems.
(A) General network controls.
(i) Network resources participating in the access of confidential
information shall assume the confidentiality level of that
information for the duration of the session. Controls shall be
implemented commensurate with the highest risk.
(ii) All network components under state control must be identifiable
and restricted to their intended use.
(B) Distributed network access security. Owners of distributed information
resources served by distributed networks shall prescribe sufficient controls
to ensure that access to those resources is restricted to authorized users and
uses only. These controls shall selectively limit services based on:
(i) user identification and authentication (e.g., password, smart
card/token); or
(ii) designation of other users, including the public where authorized,
as a class (e.g., public access through dial-up or public switched
networks), for the duration of a session; or
(iii) physical access controls.
(C) Application security. Network access to an application containing
confidential or sensitive data, and data sharing between applications, shall
be as authorized by the application owners and shall require
authentication.
(D) Alternate procedures. If the agency utilizes a communication network to
process critical applications or functions, it shall, as part of its contingency
plan, provide for an alternate means of accomplishing its program
objectives in case the system or its communication network becomes
unavailable. Alternative procedures shall be established that enable agency
personnel to continue critical day-to-day governmental operations in spite
of the loss of the communication network.
(E) Dial-up access. For services other than those authorized for the public,
users of dial-up terminals shall be positively and uniquely identifiable and
their identity authenticated (e.g., by password) to the systems being
accessed.
(F) Warning statements. System identification screens shall include the
following warning statements:
(i) unauthorized use is prohibited;
(ii) usage may be subject to security testing and monitoring; and
(iii) abuse is subject to criminal prosecution.
(11) Personal computers and word processors. Personal computer systems and word
processors used to store, process and/or access confidential or sensitive data,
shall undergo risk analysis as required by the information security function. Risk
analysis results shall be presented to the owner of the information resources for
risk management. The degree of risk acceptance (i.e., the exposure remaining
after implementation of the recommended protective measures) must be
identified. The information security function must be prepared to demonstrate
that security precautions have been established to ensure data confidentiality and
the maintenance of information integrity.
(12) Implementation schedule. Implementation of this rule shall be in accordance
with the following schedule. Earlier implementation of any item would be
advantageous to the protection of state information resources.
(A) September 1, 1993 - Establish an information security function (reference
paragraph (4) of this subsection) to administer the agency information
security program which shall include:
(i) written internal policies and procedures for the protection of
information resources;
(ii) assignment of information asset ownership and custodianship and
the attendant responsibilities for all information resources within
the agency.
(B) September 1, 1993 - Implementation of all required personnel practices
(reference paragraph (6) of this subsection).
(C) September 1, 1994 - Completion of risk analysis (reference paragraph (5)
of this subsection) of all information resources (including mainframes,
minicomputers, personal computers, local area networks and distributed
processing systems) used to collect, record, process, store, retrieve, display
and transmit confidential or sensitive information, including:
(i) documentation of risk analysis results;
(ii) recommended protective measures;
(iii) the degree of risk acceptance after such measures would be
implemented;
(iv) a written disaster recovery plan.
(D) September 1, 1994 - Implementation of all physical security requirements
(reference paragraph (7) of this subsection):
(i) physical access controls;
(ii) identification of environmental hazards;
(iii) development of environmental control procedures;
(iv) emergency response training.
(E) September 1, 1995 - Implementation and testing of agency disaster
recovery plans (reference paragraph (5)(C) of this subsection).
(F) September 1, 1996 - Implementation of information resources protective
measures as identified by risk analysis including those for mainframes,
minicomputers, personal computers, local area networks and distributed
processing systems (reference paragraph (8) of this subsection):
(i) logical and/or physical access controls to all information resources
on a "need to know" basis;
(ii) user authentication (passwords);
(iii) data integrity controls;
(iv) audit trails;
(v) periodic internal audits;
(vi) documentation and investigation of security breaches.
(G) September 1, 1997 - All remaining requirements consistent with these
standards.
(H) Waivers. The executive director of the department is hereby delegated
authority by the board to grant a requesting state agency a compliance
waiver from any implementation date of the schedule in this paragraph.
Application for waiver will be made in writing to the department by the
agency information resources manager. The agency must clearly
demonstrate to the department through written justification that the overall
economic interests of the state in matters of information security are best
served by granting the compliance waiver and the requesting agency must
submit a new written implementation schedule. The department will act on
requests for waivers based on the agency's compliance with other
information security standards not affected by the waiver, the agency's
newly submitted implementation schedule, and the provision that the
executive director of the department will notify the board when requests
for waivers are received.
(c). Use of TEX-AN Network.
(1) Applicability.
(A) All state agencies are to use the Texas Agency Network (TEX-AN) to the
fullest extent possible.
(B) Funds appropriated to state agencies as defined in Texas Civil Statutes,
Article 601b, Section 1.02(2), shall not be expended for the acquisition of
intercity telecommunications facilities or services until a determination has
been made by the Telecommunications Services Division of the General
Services Commission and the Department (DIR) that the agency
requirement for intercity telecommunications cannot be met by the
TEX-AN network.
(C) State agencies shall not enter into or renew contracts with carriers or other
providers of intercity telecommunication facilities or services without
obtaining waivers from the Telecommunications Services Division and the
DIR certifying that the requested intercity telecommunications
requirements cannot be provided at reasonable costs on TEX-AN network.
(2) Waivers.
(A) A waiver shall be granted to any state agency upon receipt of a written
request and determination of the Telecommunications Services Division of
the General Services Commission and the DIR that the action is most cost
effective to the entire State of Texas.
(B) Waivers will be granted for periods not to exceed one fiscal year from the
effective date of the waiver.
(C) Waivers will automatically expire upon the expiration date unless an
extension is approved by the Telecommunications Services Division and
the DIR.
(D) Contracts for services obtained under waiver shall not extend beyond the
expiration date of the waiver.
(3) Review Procedures.
(A) The department and the Telecommunications Services Division of the
General Services Commission will evaluate waiver requests for
consistency with the General Appropriations Act, other legislation, and the
priorities as described in the State Strategic Plan
for Information Resources Management, and for cost-effectiveness to the
entire State of Texas.
(B) The department will grant or deny waiver requests in writing no later than
30 working days after receipt of the request.
(d). Standard for Data Transport Networks for Computers.
(1) Definitions.
(A) For purposes of this section the word "network" will refer to all data
transport networks used primarily to interconnect computers and networks
of computers for the purpose of transporting data, allowing interoperation
of computer applications on more than one computer system, and
providing access to data.
(B) For purposes of this section the phrase "substantial change" is defined to
mean any change, reorganization, modification or reimplementation that
involves procurement of new or upgraded network hardware or software
for more than 50% of the affected computer systems.
(C) For purposes of this section "non-adjacent buildings" are defined as those
that are physically separated by property not owned by the State and where
there is no State owned right-of-way connecting the buildings.
(2) Standard. All networks that span more than one non-adjacent building, or
interconnect more than one agency must adhere to the following:
(A) If the network is in existence at the time this rule is adopted, the network
must become compliant with (B) below by August 31, 2001.
(B) All new networks, all extensions to existing networks and all networks
undergoing substantial change:
(i) must adhere to the TCP/IP standards as listed in RFC 1500 or its
most recent successor document; or
(ii) when products registered by the National Institute of Standards
and Technology as adhering to the Federal GOSIP standards,
version 2, as specified in FIPS Publication 146-1, are more cost
effective, such products may be specified.
Section 201.15. Charges for Copies of Public Records.
(a) Definitions. The following words and terms, when used in this section, shall have
the following meanings, unless the context clearly indicates otherwise.
(1) Full cost - The sum of all direct costs plus a proportional share of overhead, or
indirect costs. Full cost should be determined in accordance with generally
accepted methodologies.
(2) Nonstandard-size copy - A copy of public information that is made available to
a requestor in any format other than a standard-size paper copy. Microfiche,
microfilm, diskettes, magnetic tapes, CD-ROM, and nonstandard-size paper
copies are examples of nonstandard-size copies.
(3) Readily available information - Information that already exists in printed form,
or information that is stored electronically and is ready to be printed or copied
without requiring any programming, or information that already exists on
microfiche or microfilm. Information that requires a substantial amount of time
to locate or prepare for release is not readily available information.
(4) Standard-size copy - A printed impression on one side of a piece of paper that
measures up to 8 by 14 inches. Each side of a piece of paper on which an
impression is made is counted as a single copy. A piece of paper that is printed
on both sides is counted as two copies.
(b) The following is a summary of the charges for copies of public information on file in
the Department of Information Resources.
(1) Standard-size paper copy: $.10 per page
(2) Nonstandard-size copy
(A) Diskette: $1.00 each
(B) Computer magnetic tape: $10.00 each
(C) VHS video cassette: $2.50 each
(D) Audio cassette: $1.00 each
(E) Paper copy: $.50 each
(F) Other: Actual cost
(3) Personnel charge: $15.00 per hour
(4) Overhead charge: 20% of personnel charge
(5) Microfiche or microfilm charge
(A) Paper copy: $.10
(B) Fiche or film copy: Actual cost
(6) Remote document retrieval charge: Actual cost
(7) Computer resource charge
(A) Mainframe: $17.50 per minute
(B) Midsize: $3.38 per minute
(C) Client/Server: $1.00 per minute
(D) PC or LAN: $.50 per minute
(8) Programming time charge: $26.00 per hour
(9) Miscellaneous supplies: Actual cost
(10) Postage and shipping charge: Actual cost
(11) Fax charge
(A) local: $.10 per page
(B) long distance, same area code: $.50 per page
(C) long distance, different area code: $1.00 per page
(12) Other costs: Actual cost
(c) The Department of Information Resources shall furnish public records without charge
or at a reduced charge if it is determined that waiver or reduction of the fees is in the
public interest.
Section 201.17. Advisory Committees.
(a) State Strategic Plan for Information Resources Management Advisory Committee.
(1) This advisory committee shall consist of at least 9 and not more than 24
members appointed by the Department Executive Director with the approval of
the Board. Members should have demonstrated the ability to think strategically
and to work in a consensus building, committee setting. The membership will
include at least:
(A) two information resources managers from Texas State agencies other than
a university system or institution of higher education as defined in
Education Code, Section 61.003;
(B) one representative from a State university system or institution of higher
education as defined in Education Code, Section 61.003;
(C) one resident of the State that is not currently employed by the State and is
not employed in the computing and/or telecommunications field;
(D) one representative from a local government organization in the State that
is knowledgeable about computing and/or telecommunications;
(E) two representatives from the computing and/or telecommunications
industry but whose company does not sell computing or
telecommunications services or products to the State;
(F) one representative from an organization that sells computing and/or
telecommunications services or products to the State;
(G) one representative from a Federal agency that is knowledgeable about
computing and/or telecommunications.
(2) This advisory committee shall be appointed after November 30 of every odd
numbered year for a term to expire on November 30 of the following odd
numbered year.
(3) This advisory committee shall:
(A) review and advise on the development of the State Strategic Plan for
Information Resources Management as it is prepared for publication
pursuant to the Information Resources Management Act, Tex. Gov't Code
Ann., Chapter 2054;
(B) meet at least once during its term;
(C) develop a strategic vision of what the future of computing and
telecommunications technology is for State government as a whole.
(4) The department may elect to provide professional facilitation for any meetings
the Advisory Committee may hold.
(5) The department may elect to have department staff present at Advisory
Committee meetings.
(6) The department will set the agenda of all Advisory Committee meetings.
(7) The department may reimburse committee members for travel expenses related
to attending committee meetings.