Texas Administrative Code (TAC), Rule §202.70(2) requires the head of each state institution of higher education or his/her designated representative(s) to allocate resources for ongoing information security remediation, implementation, and compliance activities that reduce risk to a level acceptable to the institution head.


  • This Control applies to the University Vice President for Information Technology & Chief Information Officer (CIO) working in cooperation with university administrative management and the University CISO.


  • 1 It is the responsibility of the University President or designee (i.e., CIO) to:

    • 1.1 ensure that capital planning and investment requests include the resources needed to implement the information security program and document exceptions to this requirement;

    • 1.2 employ a business case to record the resources required; and

    • 1.3 ensure that information security resources are available for expenditure as planned.