|
|
|
A BILL TO BE ENTITLED
|
|
AN ACT
|
|
relating to a biennial audit by the Department of Information |
|
Resources of state agency information technology infrastructure. |
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
SECTION 1. The heading to Section 2054.068, Government |
|
Code, is amended to read as follows: |
|
Sec. 2054.068. INFORMATION TECHNOLOGY INFRASTRUCTURE AUDIT |
|
AND REPORT. |
|
SECTION 2. Sections 2054.068(b), (c), (d), and (e), |
|
Government Code, are amended to read as follows: |
|
(b) The department shall conduct a biennial audit of |
|
[collect from each state agency information on] the status and |
|
condition of each state [the] agency's information technology |
|
infrastructure, including a review of [information regarding]: |
|
(1) the agency's: |
|
(A) information security program, including any |
|
information technology security measures used by the agency; |
|
(B) hardware, including [(2)] an inventory of the |
|
agency's servers, mainframes, cloud services, and other |
|
information technology equipment; |
|
(C) [(3) identification of] vendors that operate |
|
and manage the agency's information technology infrastructure; |
|
(D) software and licenses, including: |
|
(i) purchase date and cost; |
|
(ii) license length; |
|
(iii) date of last use; and |
|
(iv) the purpose of the software or |
|
license; |
|
(E) information technology governance policies; |
|
(F) cloud services; |
|
(G) vendor-managed services; |
|
(H) support services and the cost of those |
|
services; |
|
(I) network systems; |
|
(J) digital data storage systems and security |
|
measures; |
|
(K) future information technology projects; and |
|
(L) information technology needs; |
|
(2) any information technology issues reported by the |
|
public; and |
|
(3) [(4)] any additional related issue [information |
|
requested by] the department considers necessary. |
|
(c) A state agency shall provide to the department: |
|
(1) [the] information related to the subjects |
|
described [required] by Subsection (b) [to the department] |
|
according to a schedule determined by the department; and |
|
(2) access to the state agency's information |
|
technology infrastructure. |
|
(d) Not later than December 1 [November 15] of each |
|
even-numbered year, the department shall submit to the governor, |
|
chair of the house appropriations committee, chair of the senate |
|
finance committee, speaker of the house of representatives, |
|
lieutenant governor, and staff of the Legislative Budget Board a |
|
consolidated report on the audits conducted [of the information |
|
submitted by state agencies] under Subsection (b). |
|
(e) The consolidated report required by Subsection (d) must |
|
include: |
|
(1) [include] an analysis and assessment of each state |
|
agency's security and operational risks; [and] |
|
(2) for a state agency found to be at higher security |
|
and operational risks, [include] a detailed analysis of agency |
|
efforts to address the risks and related vulnerabilities; |
|
(3) the information submitted by state agencies under |
|
Subsection (c); |
|
(4) the department's recommendations relating to the |
|
state agency's information technology infrastructure; and |
|
(5) a ranking of each state agency based on the |
|
efficacy and ease of use of the agency's information technology |
|
infrastructure. |
|
SECTION 3. This Act takes effect September 1, 2023. |