On this page you can find links to Travis County technology policies, standards, and guidelines. Each document’s name appears below, along with its hyperlink and a short description of its purpose.
For guidance on information security & privacy, see the list of controls on the Information Security office’s page.
Document Categories
Policies
A policy is a set of rules, not instructions, that guide decisions and achieve specific outcomes. They help inform standards and guidelines. Policies are used when establishing an overarching direction or stance on specific matters.
While each policy may include individual roles and responsibilities, the Accountability & Responsibility section applies to all the policies listed below.
| Policy # | Name & Link | Description |
|---|---|---|
| N/A | Acceptable Use | Displays Chapter 110. Travis County Personnel Benefits Guidelines and Procedures Manual for All Travis County Employees. |
| 105 | Assigned Security Responsibility – HIPAA | Identifies the HIPAA security official who is responsible for the development and implementation of the required policies and procedures. |
| 110 | Audit Controls | Implements hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use sensitive information. |
| 115 | Business Associate Agreements – HIPAA | Requires satisfactory assurances that the business associate will appropriately safeguard all sensitive information in accordance with applicable regulations. |
| 120 | Change Management | Implements a change management process that enables the organization to manage change and reduce the risk associated with deploying change. |
| 125 | Continuity of Operations | Determines criticality of specific applications and data, establishes and implements procedures to enable business continuity for protecting sensitive information while operating in an emergency mode, and provides for data recovery. |
| 130 | Data Backup | Establishes and implements procedures to create and maintain sensitive information and ensure secure storage in the event of equipment failure or damage. |
| 135 | Data Breach Management | Assists employees in defining and identifying potential security breaches, minimizing the loss and destruction of data, mitigating weakness, and restoring impacted services. |
| 137 | Data Center and MDF/IDF Access Controls | Safeguards and limits physical access to Travis County’s information systems and facilities, ensures authorized access is allowed, and prevents tampering and theft. |
| 315 | Data Classification | Establishes a vocabulary to describe the data Travis County creates, receives, maintains, or transmits; quantifies the amount of protection that Travis County must apply to each type of data. |
| 226 | Data Loss Prevention | Establishes the principles by which Travis County will identify, detect, protect, and respond to the unauthorized disclosure of Protected Information. |
| 206 | Device & Media Controls, Reuse & Disposal | Outlines the receipt, movement, and removal of hardware and electronic media containing ePHI. |
| 150 | Documentation | Requires Travis County to create, make available, retain, and update documentation required by the HIPAA Security Rule. |
| 155 | Email Security | Protects the confidentiality and integrity of sensitive information that may be sent or received via email. |
| 160 | Encryption | Implements a security measure to encrypt sensitive information in transit whenever appropriate. |
| 166 | Identity & Access Control | Requires the creation of a unique name/number for identifying and tracking users and for authorizing, granting, validating, terminating, and documenting information access. |
| 175 | Information System Activity Review | Requires identification of critical systems that process sensitive information and implementation of procedures to regularly review the records of system activity. |
| 180 | Integrity | Protects sensitive information from improper alteration or destruction. |
| 185 | Mobile Devices | Addresses the protection of sensitive electronic information when it is stored, transferred, or accessed on mobile devices. |
| 186 | Multi-Factor Authentication | Defines the requirements for multi-factor authentication. |
| 190 | Network Security | Requires evaluation of the need for secure communication on all networks used to transmit sensitive information. |
| 200 | Password Management | Requires that workers create, regularly update, and secure passwords; requires evaluation of authentication mechanisms. |
| 300 | Payment Card Acceptance | Provides information to ensure compliance with Payment Card Brand Rules, which include Payment Card Industry Data Security Standards. |
| 205 | Policies & Procedures Evaluation | Requires regular evaluation of security policies and procedures. |
| 210 | Remote Access | Defines how Travis County controls remote access to its information systems and networks to prevent unauthorized use. |
| 215 | Risk Analysis | Requires an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of sensitive information held by the organization. |
| 217 | Risk Assessment | Empowers Travis County to perform information security risk assessments to determine vulnerabilities and to initiate remediation. |
| 225 | Sanction | Requires disciplinary action (sanction) of workers who do not comply with policies for safeguarding sensitive information. |
| 230 | Secure Text Message | Requires that the risk of text messaging sensitive information is managed to safeguard the privacy and security of the information. |
| 245 | Security Incident Procedures | Requires Travis County to identify, respond to, and document security incidents and mitigate their harmful effects. |
| 308 | Social Media | Requires workers to use effective electronic communications consistent with Travis County’s beliefs and workforce standards. |
| 255 | Vulnerability Management | Defines the roles and responsibilities of ITS employees and requirements for notification, testing, and installation of security-related patches on devices. |
| 260 | Wireless Security | Requires secure operation of wireless networks to ensure the confidentiality, integrity, and availability of transmitted sensitive information. |
| 317 | DLP Insider Threat Policy | Requires implementation of security measures to reduce risks and vulnerabilities; requires compliance with regulations. |
| 320 | Information Security Program | Defines the Travis County Information Security Program along with its associated roles and responsibilities and to review the foundational disciplines that will appropriately protect the County’s Information Resources (IR). |
| 323 | Security Awareness and Training | Establishes the policy and standard operating procedures (SOP) adhering to the principles by which Travis County will address security awareness and training. |
| 324 | NIST System Authorization | Establishes the standards and procedures for obtaining and maintaining authorization to operate for the County's information systems. Authority To Operate (ATO) is a formal authorization by Travis County to operate an information system. The ATO process includes a comprehensive evaluation of the system's security posture and a determination of the system's risk to the company's information and operations. |
| 329 | Risk Management Policy | Requires implementation of security measures to reduce risks and vulnerabilities; requires compliance with regulations. |
Standards
A standard is a document that establishes uniform criteria, methods, processes, or practices. A standard defines mandatory technical or quality requirements, procedures, or criteria that ensure consistency.
| Name & Link | Description |
|---|---|
| Change Management Guide | Establishes standardized change management procedures that can be used for managing all changes on ITS-managed resources. |
| Encryption Standards | Requires the use of crytographic modules that meet FIPS standards; requires CJI protection via a crytographic mechanism; establishes passphrase management requirements; and outlines the process for registering to receive a public key certificate. |
| HIPAA Sec Officer Appt Letter | Designates the HIPAA Security Officer for Travis County. |
| HIPAA Sec Officer Job Desc | Details the goal, requirements, and responsibilities for the position of HIPAA Security Officer. |
| Log-In Monitoring Standards | Sets technical standards for log-in monitoring. |
| Password Management Standards | Sets password management standards. |
| Secure Wireless Access Point (AP) Standard | Establishes a standard for wireless access points that provide access to any portion of the Travis County infrastructure. |
| Technology Standards | Identifies the technical standards for information systems. |
| Unique User Identification Standards | Details standards for unique user identification. |
Guidelines
A guideline is a recommendation or best practice that is not mandatory but is suggested as an effective method of achieving something. A guideline offers best practices, suggested approaches, or methods that allow flexibility based on specific situations or preferences.
| Name & Link | Description |
|---|---|
| AI Guidelines | Aids in protecting the confidentiality, integrity, and availability of Travis County’s information technology resources and data. |
| PDF Guidelines | Provides PDF best practices. PDF management includes making files accessible and understanding the distinction between uploading PDFs and building a new webpage. |
