IT Security Services
DIR provides a number of Information Security services specifically targeted to Texas state agencies, local governments and educational entities.
Texas Government Code [TGC 2059.102(c)(d)] requires state agencies to use the security services provided through the Network and Security Operations Center (NSOC) "to the fullest extent possible." Prior to procuring any network security services, state agencies must first seek a determination from DIR whether the NSOC can meet the agency's network security service needs at a comparable cost.
State agencies should submit the following form to DIR prior to procuring non-NSOC related network security services, including, but not limited to, penetration testing or other vulnerability assessments:
NSOC Security Service Determination Form – PDF (81 KB).

Search Security Products and Services on DIR's ICT Co-op Contracts.
DIR offers the following core security services designed to identify and assess IT-related vulnerabilities:
| Service | Description | Cost |
|---|---|---|
| CPT | Controlled Penetration Testing (CPT) employs targeted network surveying, port scanning, service probing, vulnerability scanning, and where applicable, attempting known exploits against vulnerabilities identified. DIR utilizes commercially available software, freeware, shareware, and custom scripts to perform a thorough and comprehensive external assessment of the network. A custom report identifies and rates vulnerabilities discovered and describes successful exploits. The report also provides recommendations on how to remediate or mitigate those vulnerabilities. | No direct cost to state agencies; Costs to education and other government entities not to exceed $15,000. |
| WAVS | Web Application Vulnerability Scan (WAVS) rates an agency's web application security against industry-standardized vulnerabilities, including Open Web Application Security Project (OWASP) Top 10, SANS Top 20, and Web Application Security Consortium (WASC) standards. | No direct cost to state agencies and universities. |
| ISAAC | Information Security Assessment, Awareness and Compliance (ISAAC) system is a web-based, online tool that consists of several modules to assist state agencies and universities in assessing the security posture of their information systems and to measure or achieve compliance with information security standards. | No direct cost to state agencies and universities. |
| SIRS | Security Incident Reporting System (SIRS) is a web-based tool used to collect data as stated in the Texas Administrative Code (TAC) Subchapter B 202.26(d) (state agencies) and TAC Subchapter C 202.76(d) (institutions of higher education). Reports are due no later than the 9th calendar day of the month. | No direct cost to state agencies and universities. |
| SIM(MSS) | DIR provides external monitoring and alerting through AT&T under the TEX-AN 2000 Master Agreement as a Managed Security Service (MSS). The Security Information Management (SIM) tool provides 24/7 monitoring, alerting, and reporting of malicious traffic based on inputs from agency-designated, external facing network components (e.g. firewalls) and intrusion detection and prevention system logs. | No direct cost to state agencies and universities for external monitoring services. |
| Disk Sanitization | DIR-owned devices that securely erase all data on hard drives for reuse (including IDE, SCSI, SATA and laptop drives) or degaussing for hard drives that won't be reused and destroyed. | Available for use by state agencies and university staff. |
| Wireless | Testing includes Perimeter Discovery Survey - authorized/unauthorized wireless access points; Internal Discovery Survey - confirmation of wireless access points from internal client facility(ies); identification and analysis of wireless access point configuration; encryption used on wireless access points; signal leakage and physical security of authorized wireless access points. | Costs to be determined based on level of engagement services. |
| ActOnline | Self-paced, online Cyber Security Training sponsored by the U.S. Department of Homeland Security. No cost to U.S. citizens. Courses include: Information Security Basics, Information Security for Everyone, Business Information Continuity, Secure Software and Network Assurance. Certificates issued upon completion of each course. | No direct cost to state agencies and universities. |