2022-2026 State Strategic Plan
Accelerating the Next Generation of Technology in Texas
Goal 1: Secure IT Service Delivery
Texans entrust government with some of their most
sensitive and confidential information, and government
agencies bear the responsibility for ensuring that
information is not compromised.
As increasingly complex cyber threats continue to
target the public sector, agencies must minimize risks
to technology and evolve cybersecurity practices focusing on
the human element.
In addition, Texas government must continue to invest in
advanced tools for identifying, preventing, detecting, and
responding to information security and cyber threats.
Challenges
Cybersecurity threats range widely in
sophistication and scope. Increased reliance
on third parties creates supply chain risks
and the possibility that tools could be used
to gain unauthorized access to networks or
information.
Advances in technology give rise to new
classes of threats almost every day.
Challenges around the human element
of cybersecurity are prevalent and drive
the need for identity-based, location-independent solutions.
A nationwide shortage of skilled cybersecurity
professionals continues to hinder the public
sector’s ability to recruit and retain people
with specialized skills.
Cybersecurity risks are complex and
may occur during other disruptions. As a
result, there is an increasing need for regional
responses and integrated continuity planning.
Desired Outcomes
• Mature, risk-based security programs
that safeguard information, reduce
harm, decrease third-party risk, provide
continuous protection, and increase
resilience.
• A cybersecurity-aware culture that can
better identify and prevent incidents
by sharing threat information throughout
cyber communities.
• Sustainable resources to meet security
needs, including long-term investment in
cybersecurity tools, talent, and training.
• High levels of protection for private and
confidential information, reduced exposure
to cyberattacks, and regional approaches
to preparedness that build resilience.
Objectives
1. Reinforce risk-based security practices, including continuous prediction, prevention, detection, and response to cybersecurity threats.
The global pandemic changed the nature
of work and created the unique risks of a
hybrid workforce.
Agencies must consider the vulnerabilities
for remote workers, increased opportunities
for human error, and limitations for
monitoring virtual workspaces.
Agencies should explore a zero-trust model
as a long-term approach to reducing
vulnerabilities.
As cloud adoption accelerates, so do the
challenges of evaluating and monitoring
cloud products and services.
State law now requires agencies to
contract with cloud providers that
demonstrate compliance with the state’s
risk authorization and management
program, TX-RAMP.
The program will provide standardization
for security assessment, authorization, and
monitoring of cloud computing services
that process Texas government data.
As security risks shift, the public sector
must focus on user identity and access
management in addition to network-based
security measures.
Agencies may want to take advantage
of centralized identity and access
management solutions to reduce
duplication and implement risk-based
protections.
2. Form a resilience mindset and a vigilant organizational culture through cybersecurity education and training.
As the range of cybersecurity threats evolve, it is critical that agencies provide ongoing education and training to all employees and contractors. Agencies must reduce exposure and strengthen the first line of defense against phishing, social engineering, and other human-focused tactics used in cyberattacks.
Texas government must implement cybersecurity practices well-suited for the workforce of the future by building internal skills, cross-training staff, and adopting policies that support good cyber hygiene. Agencies should identify and develop the security skills employees need to support the agency’s mission, the types of technology it uses, and the data it creates and maintains.
3. Develop regional approaches to cybersecurity engagement and response.
When cybersecurity incidents, natural disasters, pandemics, or other events disrupt IT systems, a quick response is critical to the restoration of government operations and services. Agencies should participate in and support regional cybersecurity planning, training exercises, and responses to actual events.
A new state law authorized the establishment of regional cybersecurity working groups, volunteer incident response teams, and regional network security centers that will become cornerstones for these activities. Agency continuity plans should contemplate scenarios where cybersecurity incidents occur during emergencies or other disruptive events, and cybersecurity response exercises should include regional partners to prepare for complex disruptions.
4. Create scalable, integrated tactics for cybersecurity based on cost-effective cybersecurity tools.
Integrated approaches for cybersecurity and risk management are effective at helping agencies evaluate their current IT infrastructure and make informed decisions about which applications are too costly or high-risk to maintain. Agencies should apply multiple layers of security tools and strategies to heighten vigilance in protecting confidential and sensitive data.
Leveraging shared security services can help agencies make cost-effective investments in tools that help identify, prevent, detect, and respond to malicious activity. Examples of such tools include multi-factor authentication, endpoint detection and response, monitoring and reporting tools, breach and attack simulation tools, host intrusion protection systems, and disaster recovery tools.