The DFPS Office of Information Security (OIS) takes defending our organization, its data, system, and reputation from cyber criminals seriously as part of the DFPS mission to protect the unprotected. The duty of the DFPS Office of Information Security, as required by state law, is to protect the confidentiality, integrity, availability, and accountability of the Agency’s information technology resources for a safe and secure computing environment.
Working with DFPS
Contractors and partners who work with the Department of Family and Protective Services must adhere to the following cybersecurity requirements:
The DFPS Office of Information Security provides secure means for our partners to report incidents, phishing attempts, malware, and vulnerabilities directly to the Security Team.
What is a Security Incident?
A security incident is any attempted or actual unauthorized access, use, disclosure, modification, or destruction of information. This includes interference with information technology operation and violation of DFPS policy, state laws or regulations.
Examples of security incidents include:
- Computer or information technology (IT) system breach
- Unauthorized access to, or use of, systems, software, or data
- Unauthorized changes to systems, software, or data
- Loss or theft of equipment storing DFPS data
- Denial of service attacks
- Interference with the intended use of IT resources
- Compromised user accounts
What Do We Need from You?
Report actual or suspected security incidents as early as possible so that DFPS can limit the damage and cost of recovery.
Some incidents must be reported to DFPS Office of Information Security within 24-hours of discovery, like incidents that include social security administration data or criminal history data supplied by DFPS.
Include specific details regarding the system breach, vulnerability, or compromise of your information system, and we will respond with a plan for further containment and mitigation.
How Do You Report a Security Incident?
You may report an incident online, by email, or by telephone.
- Online: Complete the security incident form
- Email: infosec@dfps.texas.gov
- DFPS Customer Service Center: 1-877-642-4777
Cybersecurity incident notifications will be treated as confidential under Texas Government Code 552.139, Confidentiality of Government Information Related to Security or Infrastructure Issues for Computers.
To mitigate cybersecurity threats and risks in state government contracting, the 86th Legislature passed House Bill 3834, which requires contractors and their subcontractors, officers, or employees who have access to state computer systems or databases to complete cybersecurity training through Department of Information Resources (DIR). Contractors are required to adhere to cybersecurity training requirements for the term of their contract, including any renewal periods, and certify that required personnel and subcontractors have completed the training.
DIR certified cybersecurity training is required when the contractor's personnel and subcontractors have access to any DFPS information systems, networks, or resources.
To obtain a list of DIR certified trainings, visit the DIR Website.
Note: DFPS contracted employees who augment fulltime staff will satisfy cybersecurity training requirements through training with the DFPS Office of Information Security.
Certification of Cybersecurity Training
Contractors must complete and submit DFPS Cybersecurity Training Certification (form 4530) to attest that identified personnel and subcontractors who have access to the DFPS systems receive required cybersecurity training within the certification period.
Contractors must maintain documentation that includes:
- Individuals who are required to take the training
- Documentation of the completed training
- Name of the entity who performed the training
- Title of the cybersecurity course
All personnel who access the Vendor's Information Resources must complete cybersecurity awareness training prior to accessing Criminal Justice Information (CJI) within the first week of hire and before accessing DFPS information systems, and thereafter on an annual basis by June 30th of each calendar year. Contractors must submit the DFPS Cybersecurity Training Certification to the contract manager. The certification must be signed by your:
- Contract signatory (or designee) or
- Human resources director
After the DFPS Cybersecurity Training Certification is submitted, contract staff must upload the certification within 30 days of receipt into SCOR using the Cybersecurity Training dropdown option in the document library module.
Cybersecurity training documentation, as listed above, must be reviewed during scheduled administrative contract monitoring activities.
Data & System Security Requirements
All DFPS contracts have the following standard data and system security requirements throughout the duration of the contract:
DFPS Contractor Data and System Security Requirements
Contractors must:
- Comply with the requirements as outlined in the document.
- Periodically check for any updates made to the requirements and comply with any updates.
- Periodically provide evidence of meeting the requirements.
Information Security and Privacy Controls Catalog
The DFPS Information Security and Privacy Controls Catalog provides guidance for implementing best practices in security controls. The Catalog includes requirements derived from state authority, including the Texas Department of Information Resources and state legislation, as well as Agency-specific requirements as determined by the Chief Information Security Officer in consideration of the Agency’s environment and security posture.
Center for Internet Security (CIS) Security Controls
The Center for Internet Security (CIS) is one of the top leaders in developing guidelines for protecting people, organizations, and governments from cyber threats in our continually evolving digital environment.
The CIS Controls operate as an overarching framework for individuals, corporations, and governments alike, and are comprised of 18 Critical Security Controls. Much like the NIST Cybersecurity Framework, CIS critical security controls are based on risk assessment best practices and contain guidelines to provide the appropriate maintenance, monitoring, and analysis required to secure an organization. Having its roots in risk management, the implementation of these controls is scalable for any size organization, by utilizing the respective implementation levels.
For information on CIS Controls and how to easily incorporate them into your business, refer to the DFPS External Partners CIS Security Controls document.
Secure Email
Our job is to protect the unprotected. We use email encryption to protect your personal information and to protect our clients' well-being, safety, and privacy. Secure email is encrypted with the equivalence of an AES-256 key. Each message is signed by the sender to ensure authenticity and data security of the message.
Visit the DFPS Email Encryption page for information on how to read secure messages.
Need help? Contact DFPS Encryption Support.
File sharing
DFPS Box.com Instance
Do you need to send or receive large files in a secure manner or is your attachment too large for email? Request access to DFPS Box.com to quickly securely share and receive data.
Get Started
- Request access by filling out a SPARC
- Navigate to https://txdfpsworkspace.box.com
- Click ‘Continue’
- Enter your organizational Single Sign-On credentials when prompted
Attend a training session to learn more about Box features and functionality:
Box Benefits
With Box, you will enjoy many of the features you are used to accessing in Moveit, plus a range of additional functionality designed to protect our content and help you streamline the way you work.
- Upload, create, edit and save large files
- Share content securely with external parties, even if they don't have a Box account - eliminating the need for email attachments
- Manage permission settings for your content
- Track who has viewed your content and when, with access stats for all content
Note: While Box.com has a full range of capabilities. DFPS will utilize this application exclusively as a secure File Transfer Protocol (FTP). Data uploaded will only be retained for 7 days and external users will have 7 days to retrieve uploaded data.
External User Information
Sending Files to DFPS
You can now submit files to our team via Box.com File Requests, which provide a secure and user-friendly upload experience. We will provide you with a unique link whenever a file request is needed. Click the link and follow the on-screen instructions. No Box account is required to upload files. However, creating a free Box account is entirely up to you and will not be managed by DFPS.
Receiving Files From DFPS
When we share files with you, you’ll receive a secure link via email from Box.com. You can preview or download the files directly from your browser. In most cases, you will not need a Box account to access the shared content.
Training & Support
To help you get started with Box.com, we recommend reviewing the following resources:
How to Upload Files via File Request
To upload files to Box via File Request as an external user, you'll need a “File Request” link from the Box owner. This link will allow you to upload files to a specific folder without requiring a Box account or login.
Note: You may need to send an email to the DFPS recipient requesting that they send you the “File Request” link
Here's how it works:
- Receive the File Request Link: The Box user who created the File Request will provide you with a unique link.
- Open the Link: Click the link to access the File Request form.
- Upload Files: You'll see a drag-and-drop area or a button to select files from your computer.
- Submit: Once you've uploaded the files, you'll click a submit button to finalize the upload.
Important Considerations
No Box Account Required
If you have any questions or require personalized support, please don't hesitate to contact us at the Office of Information Security (OIS) at itsecur@dfps.texas.gov. Include “Box” in the subject line.
FAQ
What is Box?
Box is the enterprise-approved cloud content management and file-sharing platform used to securely store, share, and collaborate on documents and other files.
Who is eligible for a Box account?
Box accounts are available to authorized employees based on business need and role requirements.
How do I access Box?
Step 1: Navigate to https://txdfpsworkspace.app.box.com/
Step 2: Log in using your DFPS email address and password
How often do I need to log in to keep my Box account active?
Users must log in to Box at least once per month to maintain an active account.
Accounts that are inactive for more than 30 days will be automatically deactivated.
What happens if my Box account becomes inactive?
If an account is inactive and deactivated:
- The user will lose access to Box content.
- Shared folders and permissions may be removed.
- A SPARC request for restated access will be required
How do I request access to Box?
If you need access to Box, you must fill out a SPARC and request Box.
How do I regain access if I previously lost my Box account?
If you previously had Box access and lost it due to inactivity or another reason, you must submit a new access request through SPARC to have your account restored.
Can my Box access be revoked?
Yes. Box access may be revoked due to:
- Extended inactivity
- Role or employment status changes
- Policy or compliance requirements
- Security or risk concerns
Is Box monitored or audited?
Yes. Box usage may be monitored and audited to ensure compliance with enterprise security, legal, and data governance requirements.
What types of data can I store in Box?
Box may only be used to share data approved under enterprise data classification and security policies. Refer to the Accept Use Agreement (AUA) policy OP-2132 DFPS Acceptable Use Agreement (AUA) for guidance. DFPS instance of Box is for the sharing and transferring of data.
What is the retention policy of data hosted on Box?
Data will only be retained for 7 days. After the 7 day period all uploaded data will be automatically deleted. We cannot extend this retention period. Data may be reuploaded and reshared at any time.
Where can I get help with Box issues?
For training on how to utilize Box:
Step 1: Watch the user guide video
Step 2: Navigate to Box University
- Log in
- Select “Getting Started with Box”
For technical issues, access problems, or questions:
Step 1: Review training resources related to Box
Step 2: Email infosec@dfps.texas.gov
Questions?
For questions about Box, please contact the Office of Information Security (OIS) itsecur@dfps.texas.gov. Include the word “Box” in the subject field of your email, or reference support.box.com.
Resources
Instagram