The Texas Medical Board (Board) should strengthen its information security governance to perform steps that will
assist the Board in identifying significant cybersecurity risks to its systems, people, assets, data, and capabilities.
Specifically, the Board should:
- Define and classify the types of data it manages;
- Prioritize which information technology (IT) assets are most critical to its operations; and
- Perform a risk assessment of its information and information systems.

In addition, while the Board performed other key activities such as establishing information security policies and procedures,
it should improve its documentation of those activities to further strengthen its ability to identify and manage cybersecurity risks.
For example, the Board should regularly review its policies and procedures for needed updates and document whether services provided by a third-party vendor meet security needs.