Level 2 IRE training

What is an IRE?

Information Resource Employees (IRE) are university employees performing administrative, security, governance, or compliance activities on information technology systems. These types of employees generally have an occupational category of  "Information Technology" per the Texas State Auditor's Office. However, many system administrators, information resource owners, and technical services providers are Level 2 IREs, even though they are not IT division employees.

Training Schedule

If you know you will need Level 2 IRE training and you want to take it with the ISO then go to our full training schedule on the Signup scheduling tool and register using your NetID.

The Texas Cybersecurity Act

In fiscal year 2016, the State of Texas invested more than $3.4 billion annually in information resources and telecommunications to support government functions serving the needs of its citizens.1 These strategic technology assets must be managed as valuable resources.

The nature of information technology (IT) is one of rapid advancement and an ever-changing landscape. Consequently, those who manage the state’s IT investment must embrace continuous learning to provide effective solutions, support business objectives, and plan for future needs.

The Texas Cybersecurity Act directs the Texas Department of Information Resources (DIR) to establish mandatory continuing education guidelines for cybersecurity training that must be completed by all Information Resources Employees (IREs) of state agencies and institutions of higher education.

IREs are free to select whatever educational activities that best suit their specific needs and expertise. The guidelines can be fulfilled by participating in training classes, conferences, webinars, and other educational activities.

IRE Continuing Professional Educations Credits

Category Description Qualifying Percentage
Attending a qualified educational event such as a conference, seminar, or training class
Qualifying Percentage
May be used to satisfy up to 100% of an IRE’s yearly hours
Presenting at qualified educational events
Qualifying Percentage
May be used to satisfy up to 33% of an IRE’s yearly hours
Certifications may be used to satisfy the yearly guidance.
Qualifying Percentage
Certification must be reviewed and approved to qualify

About Education Credits

Throughout the year, IREs participate in qualified educational activities that support cyber security and earn continuing professional education credits (CPE). While many types of professional activities enhance an IRE’s experience and aid learning, those that can be counted for IRE credit are listed here.

IRE Classification table

IRE Level 1
All IREs (most employees)
1 hour per fiscal year
IRE Level 2
IREs with administrative privileges or responsibilities
3 hours per fiscal year
IRE Level 3
Information security or cybersecurity staff
6 hours per fiscal year

About IRE Classifications

DIR has classifies IREs into levels based on their position duties. Continuing education guidelines grow the more an employee’s responsibilities grow. This table presents the IRE Classification Levels and the yearly hours of continuing education required for each level.

Who is not a Level 2

Any employee who deals with sensitive or confidential information is not, by default, a Level 2 IRE. The primary distinguishing factor between a Level 1 IRE (all staff and faculty) and a Level 2 IRE is whether or not an employee has administrative access to an IT system. While what is considered and IT system could be very broad, depending on the system, the administrators of those systems (i.e., those who can elevate privileges for users or can change global setting on a system) will be the primary candidates for Level 2 training.

View the full DIR guideline packet by viewing the following link:

Information Resource Employees - Continuing Education Guidelines


Expand All Content
  • Qualified Educational Events*

  • Measuring Continuing Professional Education

    • One unit of IRE continuing professional education (CPE) equals one contact hour. The term contact hour is defined as a 60-minute interval in which interactive learning takes place as part of a structured educational or training experience.

      The terms CPE unit, CPE hour, IRE CPE, or CPE refer to 60 minutes of continuing education credit - these terms are used interchangeably in these guidelines. Additionally, the terms contact hours and clock hours are common generic terms indicating 60 minutes of continuing education.

      Note that each education session must be at least half an hour (or half of one credit) in duration to be counted.

    • IREs should retain proof of participation for each educational activity.

      Examples of attendee documentation may include a certificate of completion, statement by the sponsoring body, or copy of registration confirmation with actual course materials.

      Examples of documentation as a presenter may include the event program or agenda, correspondence with the sponsoring body, copies of the material presented.

      There is no reporting requirement defined for these guidelines, however, DIR highly recommends that IREs save their documentation.

    • Most of the suggested educational activities will provide the necessary hours to meet the requirements set out by DIR, but it's always good to review and remember that each education session must be at least thirty minutes in duration and meet the minimum education standards.

      For a detailed explanation, please view the linked .pdf below to see how to calculate your credit hours based on each category.

      Measuring Continuing Education - Calculate CPEs

  • Rules and Restrictions

      • IREs must complete the minimum number of CPE hours specified during each fiscal year
      • An IRE transferring from one agency to another as the IRE may transfer his/her CPE records/hours.
      • For self-paced educational activities that meet all other CPE requirements, the creator or sponsor of the activity should establish a standard number of contact hours based upon the average completion time. The IRE may count stated contact hours or the actual completion time, whichever is less, toward IRE credit.
      • Programs delivered via distance learning technologies maybe considered for inclusion as long as (1) they provide for participant interaction/understanding and (2) there is an objective means of verifying program completion.
      • CPEs earned and utilized for the maintenance of industry recognized cybersecurity certifications may count toward an IRE’s CPE hours. These CPEs may include activities which are not considered eligible under these guidelines but are considered eligible by the issuer of the IRE’s certification.
    • Interactivity is a useful component of qualified events. Typically, the more interactive, the more learning that occurs. The amount of interactivity varies significantly among different situations.

      Examples of interaction and levels of interactivity include:

      • A seminar may include group exercises as well as other class interactions.
      • While listening to a keynote at a large conference, interaction may be limited to the opportunity to ask questions and discuss the topic with peers.
      • Participants of a live webinar can usually submit questions, vote on polls, indicate yes/no, and perhaps chat.
      • Self-paced online learning modules often have pop-up questions and quizzes—simply reading onscreen text and pressing a NEXT button does not qualify.
      • Passive activities, such as watching a video or webinar recording may not always qualify. A report developed by the IRE may suffice to show a knowledge transfer occurred to the IRE, and may be necessary to demonstrate understanding.

Information Security Glossary

The information security glossary is a searchable and filterable glossary of terms and definitions we use in all aspects of our work. Familiarize yourself with this terminology to deepen your understanding of information security at Texas State University.