Information Security

The Information Security team supports Texas Woman's University by providing cybersecurity services, education and expertise to support confidentiality, integrity and availability for data across our campuses.

Announcements

November 28, 2023

Updates to TX-RAMP

The Texas Department of Information Resources (DIR) released version 3.0 of their TX-RAMP Manual. The publication goes into effect on 12/1/2023.

Noteworthy changes include the addition of a transitional grace period that enables state agencies to create and leverage a transition plan from a non-compliant solution to a compliant solution in the event a compliant solution’s TX-RAMP certification lapses or is revoked. The timeline for transition may not exceed 24 months from inception to execution. TWU is responsible for developing, documenting, and adhering to a transition plan that meets the minimum criteria:

  • Identification of Affected Services: Clearly list and describe the services affected by the lapse or revocation of certification.
  • Timeline for Transition: Provide a realistic and achievable timeline for the migration to a compliant solution, including key milestones and deadlines. The timeline for transition may not exceed 24 months from planned inception to execution.
  • Risk Assessment: Conduct a risk assessment to identify and mitigate potential security and operational risks during the transition.
  • Selection of Compliant Solution: Detail the process for selecting a TX-RAMP compliant solution that meets TWU's needs.
  • Migration Strategy: Outline the methods and procedures for migrating data and operations to the new solution, ensuring data integrity and availability.
  • Monitoring and Reporting: Establish ongoing monitoring and internal reporting mechanisms to track progress and address any challenges or delays promptly.
  • Contingency Planning: Include contingency measures to address unexpected issues or delays, ensuring uninterrupted service delivery.

The TWU Information Security team will review requests to continue using non-compliant cloud services and will work with the system owner to develop this plan. System owners should initiate the request by completing the TX-RAMP Transitional Grace Period form.

Other TX-RAMP Manual 3.0 revisions:

  • State agency, DIR, and cloud service provider responsibilities are defined.
    • State agencies are responsible for determining whether a cloud computing service is subject to TX-RAMP requirements and determining the minimum certification level of the cloud solution.
    • DIR is responsible for assessing and certifying the cloud computing service. Cloud service providers are responsible for providing assessment information and responding to TX-RAMP inquiries.
    • Cloud service providers must maintain TX-RAMP compliance requirements, notify the appropriate parties if the cloud computing service loses TX-RAMP certification, and notify customers of breaches to system security.
  • A Fast Track Assessment process was introduced that allows cloud service providers to leverage existing DIR-approved third-party assessments or audit reports that provide evidence of security practices. Cloud service providers seeking the Fast Track process for a cloud service must complete the TX RAMP Fast Track Request Form with DIR.
  • Additional details regarding provisional, Level 1 and Level 2 certification extension processes have been added.
  • Additional clarification is given to cloud computing services that are out of scope.
  • Cloud computing services operating on a cloud infrastructure/platform such as Amazon Web Services (AWS) do not inherit the underlying TX-RAMP certification from the cloud infrastructure provider.
  • New and revised security controls are addressed. Cloud service providers must implement new or revised security controls within 18 months from the date the changes are adopted.
  • Cloud service providers must now provide DIR with a Plan of Action and Milestones for each required security control that is deficient. DIR determines if the proposed solution addresses the failed control.
  • The reporting of significant changes to cloud services is addressed with additional clarification and guidance. Cloud service providers must communicate significant changes to DIR within 30 days of the date the change was made, and DIR is responsible for completing an updated service certification review.

For any questions regarding TX-RAMP requirements, please contact D’Ann Jackson at sjackson47@twu.edu or (940) 898-3262.

Page last updated 11:17 AM, November 15, 2024