Get Started
Understanding TAC 202, Complete Guide

SaltyCloud Research Team

Updated Apr 1, 2024 Read Time 22 min


If you’re a state agency or higher education institution operating in Texas, then you’ve probably heard of TAC 202. But what exactly is TAC 202, and why is it important?

Put simply, TAC 202 establishes information security standards to protect sensitive data and maintain public trust. Organizations that fail to comply with TAC 202 could experience data breaches, unauthorized access, or misuse of sensitive information, all of which could have dire consequences.

This guide from SaltyCloud covers everything you need to know about TAC 202, including what it entails, why it’s important, and how you can comply. We even included a TAC 202 checklist to make it easy for your organization to get started.

The Basics

What is TAC 202?

Chapter 202 of the Texas Administrative Code (TAC 202) is an information security standard and requirement for Texas state agencies and higher education institutions that establishes minimum standards to protect sensitive data, maintain the confidentiality, integrity, and availability of information resources, and effectively manage risks

TAC 202 covers a wide range of information security topics, including:

  • Roles and responsibilities of agency heads, information security officers, and other key personnel
  • Risk assessment and management
  • Security controls and standards
  • Incident response and reporting
  • Business continuity and disaster recovery
  • Security awareness and training
  • Third-party and cloud service provider management

Who must comply with TAC 202?

This regulation applies to state agencies and higher education institutions in the State of Texas, as well as third-party service providers and contractors that work with these organizations and handle their data.

What data is in scope?

TAC 202 applies to all data managed by state agencies and institutions of higher education in Texas, including confidential information, personal identifying information (PII) as defined by the Texas Business and Commerce Code § 521.002(a)(1), sensitive personal information as defined by the Texas Business and Commerce Code § 521.002(a)(2), agency sensitive data, public data, nonconfidential information, and state-controlled data.

Although the law does not explicitly prescribe which data types must meet specific controls, it is generally understood that systems handling confidential data should implement at least a moderate baseline of security controls. Non-confidential data systems may start with lower baselines and work towards higher baselines over time.

Certain data types may also be subject to other regulations requiring adherence to specific control baselines in addition to TAC 202. For example, Federal Tax Information (FTI) and Criminal Justice Information Services (CJIS) data, which are designated as Controlled Unclassified Information (CUI), must comply with NIST 800-171 controls.

The Secure Controls Standard Catalog outlines the minimum controls that must be implemented across all Texas state agencies and higher education institutions, regardless of data classification. However, organizations should assess their data and systems to determine the appropriate level of protection required and implement additional controls as necessary.

TAC 202 Checklist

Getting started with TAC 202 might seem overwhelming. Fortunately, we put together this TAC 202 checklist to help you get started and stay accountable.

Step 1: Establish an information security program

Establishing a comprehensive information security program is a critical requirement for Texas state agencies and higher education institutions under TAC 202. The program should protect your organization’s information assets’ confidentiality, integrity, and availability.

Key components of an effective information security program include:

Assigning leadership and governance roles

Make sure that dedicated, qualified personnel can oversee and align information security practices with organizational goals and executive oversight.

Designate an Information Security Officer (ISO) or Chief Information Security Officer (CISO) with:

  • Explicit authority to manage information security requirements
  • Necessary qualifications (e.g., CISSP certification)
  • Sufficient experience in information security management
  • A deep understanding of your organization’s mission, processes, and risk tolerance.

Make sure the ISO reports directly to executive-level management to:

  • Give information security the right visibility and priority
  • Guarantee the ISO regular access to discuss security issues, risks, and initiatives with executive leadership

Review and approve the information security program annually by:

  • Involving executive leadership actively in the review process
  • Aligning the security program with organizational goals and risk management strategies
  • Considering changes in the threat landscape, regulatory requirements, and your organization’s risk profile.

Developing and implementing the program

Protect your organization’s information resources against threats.

Create, document, and implement an organization-wide information security program that:

  • Covers all aspects of information security, including policies, procedures, technical controls, and user awareness training)
  • Is tailored to your organization’s specific needs and risk profile

Include risk-based protections for all information and resources owned, leased, or under your organization’s custodianship, including those managed by third parties, by:

  • Implementing processes to assess and manage risks from external parties

Establish policies, controls, standards, and procedures based on risk assessments and the Security Control Standards Catalog, ensuring they:

  • Are clearly documented and communicated to all relevant personnel
  • Are regularly reviewed and updated
  • Cover essential security topics like access control, data classification, incident response, and business continuity

Ensure your information security program aligns with TAC 202 requirements and your organization’s specific information security risks, aiming to:

  • Meet or exceed TAC 202’s minimum requirements
  • Address your organization’s unique risks and security needs

Creating risk-based strategies and plans

Proactively identify and mitigate potential threats to critical information resources to ensure your organization’s security posture is resilient and adaptive.

Develop strategies to address risk for high-impact information resources by:

  • Understanding your organization’s critical assets, business processes, and risk tolerance
  • Prioritize the protection of systems and data crucial to your organization’s mission or reputation

Create risk-based plans for securing information systems and applications that:

  • Are informed by information security risk assessments
  • Outline specific mitigation measures for identified risks
  • Cover all phases of the system development lifecycle, including design, implementation, operation, and disposal

Implementing continuous improvement processes

Ensure your information security program remains effective and responsive to new challenges and changes in the security landscape.

Establish remediation processes for deficiencies and granting exceptions by:

  • Having a clear process for identifying and addressing security weaknesses and non-compliance issues.
  • Including provisions for granting exceptions when necessary, based on thorough risk analysis and appropriate compensating controls.

Regularly review and update your information security program to:

  • Address changes in technologies, threats, and business operations
  • Maintain agility and adaptability to the evolving security landscape
  • Conduct periodic security assessments and monitor industry trends and best practices
  • Incorporate lessons learned from security incidents and exercises

Step 2: Conduct risk management activities

Performing information security risk assessments

Understand and manage the threats to your organization’s information assets and systems through an information security risk management (ISRM) program

Conduct and document risk assessments of information and information systems by:

  • Performing regular assessments, at least biennially, for systems with confidential data and periodically for those with sensitive or public data
  • Using a methodology that evaluates the data’s value and sensitivity, the system’s criticality to the mission, and the potential impact of a security incident

Agencies and institutions have several options for conducting information security risk assessments, including external consultants or other internal auditing methods like interviews. However, self-assessment questionnaires (SAQs), also called control self-assessment (CSA), security questionnaires, or security assessment questionnaires, are a risk assessment tool that private and public organizations and their security teams use to assess a given target’s adherence to information security standards, controls, best practices, security policies, and regulatory requirements.

A GRC Assessment Platform like Isora makes it easy for information security & assurance teams to conduct and manage assessments across multiple units, assets, applications, or third-party vendors at scale using the prebuilt Texas Controls Catalog questionnaire.

Information security risk assessment management on Isora GRC

Rank risks and impacts and communicate results to the ISO to:

  • Rank risks using a consistent scale (e.g., low, moderate, high) based on likelihood and potential impact.
  • Inform the ISO of the assessment results to prioritize risk mitigation efforts and allocate resources effectively.

Making risk treatment decisions

Align your organization’s approach to handling risks with its risk tolerance decisions and ensure they are made at the correct level of authority.

Get approval for risk management decisions by:

  • Having the ISO, in coordination with the information owner, approve risk treatment for systems with low or moderate residual risk
  • Obtaining approval from the agency or institution head for systems with high residual risk to ensure that decisions align with your organization’s risk tolerance

Document and justify risk treatment decisions, including:

  • Acceptance, avoidance, mitigation, or transference of risks
  • Providing clear rationale for accepting risks and implementing compensating controls where appropriate
  • Considering discontinuation or modification of activities for risk avoidance if they expose the organization to unacceptable levels of risk
  • Prioritizing mitigation strategies based on control effectiveness and resource requirements
  • Carefully evaluating risk transference, such as through insurance or third-party service agreements, to ensure your organization’s interests are protected

Allocating resources for information security initiatives

Make sure that investments in security are strategically directed toward mitigating the most significant risks and protecting critical assets.

Allocate resources for ongoing information security activities based on risk management decisions by:

  • Prioritizing resource allocation, including personnel, budget, and technology, to address the highest risks and protect critical assets
  • Investing in security tools and services, training personnel, and implementing enhanced controls for high-risk systems

Regularly review and adjust resource allocation based on:

  • Changes to the risk landscape and the effectiveness of risk mitigation measures
  • The emergence of new threats and the evolution of your organization’s risk profile
  • Results of security audits, assessments, and incidents to ensure security investments remain aligned with pressing risks

Step 3: Define and assign roles and responsibilities

Set clear expectations about who will be responsible for what components of your information security program.

Agency/Institution Head

This is the highest-ranking executive in your organization who is responsible for overall strategic direction and decision-making. They should:

  • Thoroughly review the program
  • Make sure it aligns with organizational goals, addresses current and emerging risks, and complies with TAC 202 requirements
  • Provide leadership support and resources to implement the program

Information Security Officer

This senior-level employee is responsible for developing, implementing, and overseeing your organization’s information security program. They should:

  • Develop and maintain an information security plan
  • Provide guidance and assistance to agency/institution personnel
  • Ensure security requirements and risk mitigation plans are identified
  • Report to the agency/institution head on the effectiveness of the information security program.

Information Owners

These individuals or departments are responsible for creating, managing, and securing specific sets of information assets. They should:

  • Classify information according to established categories
  • Approve access to information resources and review access lists
  • Coordinate data security control requirements with the ISO
  • Perform risk assessments for systems containing confidential or sensitive data

Information Custodians

These are individuals or entities responsible for maintaining and securing information systems and assets on behalf of the information owner. They should:

  • Implement controls to protect information and information resources
  • Adhere to monitoring procedures for detecting, reporting, and investigating incidents
  • Ensure information recoverability based on risk management decisions


These individuals access and use your organization’s information resources to perform their job duties. They should:

  • Use information resources only for specified purposes
  • Comply with information security controls and policies
  • Formally acknowledge compliance with security policies and procedures

Step 4: Implement and manage security controls

The Texas DIR provides a comprehensive set of mandatory controls in the Security Control Standards Catalog, based on NIST SP 800-53 Rev. 5, that state agencies and higher education institutions must implement to protect their information systems and data.

Here are the key points to consider when implementing and managing security controls:

Implement all mandatory controls as defined in the catalog for all state agency and higher education information systems, starting with low baseline controls and maturing over time to moderate and high baselines.

Apply additional controls or control baselines based on the system’s risk assessment and data classification, especially for systems handling confidential or sensitive information.

Utilize the standards in the catalog to establish risk-based levels of information security, offering guidance on minimum requirements and risk-based controls for different types of data.

Prepare for biennial reviews of the information security program to ensure compliance with the Security Control Standards Catalog, conducted by individuals independent of the program.

Employ more stringent standards to address unique security requirements, ensuring they meet or exceed DIR standards and align with applicable laws, policies, and guidelines. Agencies and institutions can implement additional controls based on their specific needs and risk assessments.

Regularly monitor and assess the effectiveness of implemented security controls, updating them as needed to address changes in the system, risk environment, or legal and regulatory landscape.

Step 5: Provide training and raise awareness

Effective information security training and awareness programs ensure all personnel understand their roles and responsibilities in protecting your organization’s information assets. By providing regular training and promoting a culture of information security, state agencies and higher education institutions can reduce the risk of human error, increase compliance with security policies, and foster a more resilient security posture.

Administering an information security awareness education program.

Empower users with the knowledge to protect sensitive data and effectively adhere to your organization’s security policies and procedures.

Implement an ongoing information security awareness education program for all users, ensuring the program:

  • Educates users about current security threats and best practices for protecting sensitive data.
  • Informs users about your organization’s security policies and procedures.
  • Features engaging and relevant content tailored to the specific needs and roles of different user groups.

Incorporating information security into new employee onboarding

Ensure all new hires are immediately equipped with the knowledge and understanding necessary to protect organizational assets and adhere to security protocols.

Include information security training as a mandatory part of new employee onboarding, covering:

  • Your organization’s security policies, procedures, and expectations
  • Specific security requirements related to the employee’s role

Ensure new employees complete the training before accessing sensitive systems or data, and:

  • Implement a system to track training completion and enforce compliance

Provide new employees with your organization’s security policies and procedures, and require them to:

  • Sign an acknowledgment form confirming they have read, understood, and agree to follow these policies

Assign a mentor or point of contact within the information security team to:

  • Answer any questions new employees may have
  • Provide ongoing support as they familiarize themselves with your organization’s security practices

Delivering role-based training for personnel with elevated privileges

Ensure those with access to sensitive systems and data are thoroughly trained on advanced security concepts and the responsibilities of their roles.

Identify personnel with elevated privileges (e.g., system administrators, network engineers, security analysts, etc.) and:

  • Provide them with additional, role-specific training covering advanced security concepts, proper use of privileged access, and their unique risks and responsibilities

Ensure that role-based training is delivered by qualified instructors with relevant expertise and experience and:

  • Consider leveraging external training resources or certification programs from professional organizations like SANS or ISACA to improve internal training

Regularly update and refresh role-based training content to:

  • Keep pace with evolving threats, technologies, and industry best practices
  • Encourage continuous education and professional development among personnel with elevated privileges to maintain their skills and knowledge

Step 6: Manage third-party risks

State agencies and higher education institutions increasingly rely on third-party service providers, including cloud computing services, to support their operations and deliver services to constituents. While these relationships can provide significant benefits, they also introduce new security risks that must be carefully managed.

Organizations should implement a robust third-party security risk management (TPSRM) program that mitigates these risks. This program should include specific requirements for cloud service providers, such as TX-RAMP certification and ongoing compliance monitoring.

A comprehensive TPSRM program should include the following key components:

  • An inventory of all third-party relationships, including cloud service providers
  • Regular third-party security risk assessments
  • Policies and procedures for managing third-party security risks, including specific requirements for cloud computing services
  • Clear roles and responsibilities for ensuring that third-party security requirements are met

Confirming TX-RAMP certification for cloud computing service providers before contracting

Only engage with providers that meet Texas’ stringent security standards for cloud services.

Confirm the TX-RAMP certification of cloud service providers before entering or renewing contracts, as mandated for state agencies and higher education institutions.

Integrate TX-RAMP certifications into the vendor selection and contracting processes as part of your TPSRM program.

Document the TX-RAMP certification status of cloud service providers in your organization’s inventory of third-party relationships.

Consider TX-RAMP certification as a critical factor in third-party security risk assessments for cloud service providers.

Requiring vendors to maintain TX-RAMP compliance throughout the contract term

Make sure cloud providers continuously adhere to Texas’ security standards to protect sensitive data over the duration of your engagement.

Require cloud service providers to maintain TX-RAMP compliance throughout the contract term.

Incorporate processes within the TPSRM program for regularly monitoring and verifying ongoing TX-RAMP compliance of cloud service providers, including:

  • Requiring annual recertification or conducting independent audits

Update the inventory of third-party relationships as part of the TPSRM program to reflect any changes in cloud service providers’ TX-RAMP compliance status.

Address any non-compliance issues identified through ongoing monitoring promptly through the TPSRM program’s risk management and vendor management processes, which may involve:

  • Implementing additional security controls
  • Requiring remediation by the cloud service provider
  • Terminating the contract in severe cases

The survey experience for external third-party vendor contacts on Isora.

Step 7: Establish incident response and reporting procedures

Effective incident response and reporting procedures are critical for minimizing the impact of security incidents and ensuring that state agencies and higher education institutions can quickly detect, investigate, and recover from cyber attacks or data breaches. TAC 202 requires organizations to establish formal incident response plans and reporting processes to ensure a consistent and coordinated approach to incident management.

Developing an incident response plan

Ensure your organization is prepared to detect, respond to, and recover from security incidents effectively.

Develop a written incident response plan that acts as a roadmap for:

  • Detecting, responding to, and recovering from security incidents

Ensure the incident response plan aligns with your organization’s business continuity and disaster recovery strategies and:

  • Regularly review and update the plan to reflect changes in the threat landscape or operational environment

Include key components in the incident response plan, such as:

  • Identification of critical systems and data assets in a centralized inventory
  • Clear roles and responsibilities for incident response team members
  • Procedures for detecting and analyzing potential security incidents
  • Containment and eradication strategies to limit incidents’ scope and impact
  • Communication protocols for notifying stakeholders and reporting to relevant authorities
  • Recovery processes to restore affected systems and data to normal operations
  • Post-incident review and lessons learned to improve future incident response efforts

Establishing incident classification and prioritization criteria

Systematically assess security incidents based on their impact and severity, ensuring an appropriate response.

Establish clear criteria for classifying and prioritizing security incidents based on potential impact and severity, including:

  • The type and sensitivity of data involved (e.g., confidential, sensitive, or regulated information)
  • The criticality of affected systems or services to your organization’s mission
  • The scope and magnitude of the incident (e.g., number of systems impacted)
  • The likelihood of data loss, corruption, or unauthorized disclosure
  • The presence of indicators of sophisticated or targeted attacks

Prioritize incidents based on their classification and the urgency of the response required to:

  • Minimize potential harm to your organization or individuals

Reporting security incidents to appropriate authorities.

Ensure significant security incidents are promptly reported to the DIR and other relevant entities to facilitate a coordinated response and comply with legal obligations.

Promptly report significant security incidents to the DIR and other relevant authorities, in accordance with TAC 202 and applicable laws or regulations, including incidents that:

  • Propagate to other state systems
  • Result in unauthorized disclosure or modification of confidential information
  • Compromise the integrity or availability of critical systems or data
  • Involve suspected criminal activity

Report incidents to DIR within 48 hours of discovery using the prescribed notification format, including:

  • A description of the incident
  • The systems and data affected
  • The response actions taken
  • Any planned remediation or mitigation measures

Notify other stakeholders as required, such as:

  • Law enforcement, regulatory agencies, or affected individuals, in line with applicable breach notification laws or contractual obligations

Step 8: Maintain compliance and provide reports

State agencies and higher education institutions are responsible for maintaining compliance with TAC 202 and other applicable laws and regulations. Regular reporting and communication with oversight bodies and stakeholders are essential for demonstrating the effectiveness of the organization’s information security program and identifying areas for improvement.

Providing annual reports

Enable your ISO to communicate the effectiveness of your information security program and compliance efforts to leadership.

The ISO must report annually to the agency or institution head on:

  • The effectiveness of the information security program
  • Compliance with TAC 202

The annual report should include:

  • An assessment of the current state of the information security program, including the status of key initiatives and projects
  • A summary of significant security incidents or breaches during the reporting period and the actions taken to mitigate them
  • An evaluation of the organization’s compliance with TAC 202 and other applicable laws and regulations, including any identified gaps or deficiencies
  • Recommendations for improving the information security program and addressing identified risks or compliance issues

Ensure the annual report is presented to the agency or institution head and other senior leaders to:

  • Confirm that information security remains a top priority
  • Ensure adequate resources and support are provided to the ISO and the security team

Submitting a biennial information security plan is a key requirement

Provide a forward-looking and strategic document to the DIR that details a roadmap for your information security program in alignment with state and federal regulations.

Submit a Biennial Information Security Plan to the DIR, including:

  • A comprehensive overview of your organization’s information security program
  • The current state of the program and its alignment with TAC 202 and other applicable laws and regulations
  • Identified risks and vulnerabilities, along with plans for addressing them
  • Proposed security initiatives and projects for the upcoming biennium
  • Resource requirements and budget estimates for implementing the plan

Develop the plan in collaboration with key stakeholders, such as:

  • Business owners, IT leadership, and the ISO

Review and approve the plan by the agency or institution head before submission to DIR, ensuring:

  • Alignment with your organization’s strategic objectives and compliance requirements

DIR may provide feedback or require additional information to:

  • Ensure the plan meets the requirements of TAC 202
  • Support the state’s overall cybersecurity goals and priorities

Completing and submitting information security and data maturity assessments every two years

Evaluate and report on the robustness of your information security programs and data management practices to DIR.

Complete and submit information security and data maturity assessments to DIR every two years, focusing on:

  • Evaluating your organization’s compliance with TAC 202 and the effectiveness of its information security program
  • Assessing your organization’s practices for managing and protecting sensitive or confidential data

The information security assessment should include:

  • The current state of security controls and practices
  • Identified vulnerabilities or weaknesses in your security posture
  • Plans for remediating or mitigating identified risks

The data maturity assessment should review:

  • Data classification and inventory processes
  • Data protection controls and technologies
  • Data lifecycle management practices
  • Compliance with applicable data privacy and security regulations

Conduct assessments via qualified and objective third-party assessors or internal audit teams and:

  • Submit results to the DIR’s SPECTRIM portal using standardized templates or reporting formats

DIR may use the assessment results to:

  • Identify common trends or challenges across state agencies and institutions
  • Provide targeted guidance or support for improving information security and data management practices

The role of TAC 202 compliance software

TAC 202 compliance software should contain a range of features and functionalities to simplify, streamline, and automate complying with TAC 202 information security standards for state agencies and higher education institutions.

Ultimately, this software should help your organization manage its information security program effectively and efficiently. The ideal TAC 202 software should include:

  • Risk assessment and management tools to identify, evaluate, and prioritize risks for informed decision-making about risk treatment and resource allocation.
  • Security control standards implementation features to help align security controls with TAC 202 requirements, like mapping controls to specific standards and tracking the implementation status.
  • Third-party security risk management capabilities to assess and manage the security risks associated with third-party service providers, like cloud computing services, and ensure compliance with TX-RAMP.
  • Compliance reporting and documentation tools to create and submit required compliance reports (like the Biennial Information Security Plan and the information security and data maturity assessments), and to streamline reporting processes for consistency and accuracy.

Isora is a GRC Assessment Platform that empowers everyone to own risk together with user-friendly and flexible tools. With Isora, teams can stay agile and responsive to growing changes, fostering a resilient organizational culture. Dozens of small and large infosec teams across Texas agencies and institutions of higher education trust Isora to help them manage their TAC 202 compliance efforts and streamline their overall information security risk management (ISRM), application security risk management (ASRM), and third-party security risk management (TPSRM) programs.

Assessment scorecards and reports in Isora GRC

Manage risk together
Streamline your GRC assessments
Meet security requirements more efficiently with Isora, the GRC Assessment Platform powered by collaboration
Learn More


Complying with TAC 202 is a critical responsibility for Texas state agencies and institutions of higher education. It ensures the protection of sensitive data, maintains public trust, and demonstrates a commitment to cybersecurity best practices.

By following the requirements outlined in TAC 202 and implementing a comprehensive information security program, organizations can effectively manage risks, detect and respond to incidents, and foster a culture of security awareness.

To recap, the key elements of a successful TAC 202 compliance strategy include:

  • Establishing strong leadership and governance, with the agency or institution head’s active involvement and the designation of a qualified Information Security Officer (ISO)
  • Conducting thorough information security risk assessments and implementing appropriate security controls based on the organization’s unique risk profile and data sensitivity
  • Developing and maintaining policies, procedures, and plans that align with TAC 202 requirements and industry best practices, including incident response, business continuity, and disaster recovery
  • Providing regular training and awareness programs to ensure that all personnel understand their roles and responsibilities in protecting the organization’s information assets
  • Managing third-party security risks, particularly for cloud computing services, through implementing a robust TPSRM program and adherence to TX-RAMP certification requirements
  • Establishing effective incident response and reporting procedures to minimize the impact of security incidents and ensure timely notification to relevant authorities and stakeholders
  • Maintaining ongoing compliance through regular assessments, audits, and reporting, and continuously improving the information security program based on lessons learned and emerging threats

State agencies and higher education institutions can leverage specialized TAC 202 compliance software, such as Isora GRC, to streamline and automate many of these compliance activities. These tools provide a centralized platform for managing IT inventories, conducting risk self-assessments, and compliance reporting, enabling organizations to efficiently and effectively meet their TAC 202 obligations.

By staying informed about the evolving regulatory landscape in Texas, adopting a proactive and risk-based approach to information security, and fostering a culture of shared responsibility and continuous improvement, Texas state agencies and institutions of higher education can successfully navigate the challenges of TAC 202 compliance to secure the Lone Star State inside and out.

Other Relevant Content

This guide covers everything you need to know about TAC 202, including what it entails, why it's important, and how you can comply. We even included a TAC 202 checklist to make it easy for your organization to get started.

This Complete Guide explores basics and the compliance checklist for the GLBA Safeguards Rule risk assessment of customer information security programs.

This Complete Guide explores basics and the compliance checklist for the GLBA Safeguards Rule requiring IT security programs securing customer data

Stay ahead of the curve
Get insightful guides, original research, regulatory updates, and novel solutions delivered straight to your inbox.
Get Started
Manage assessments
confidently with
collaborative GRC tooling