AN ACT

relating to information technology security practices of state agencies.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 411.081(i), Government Code, is amended to read as follows:

(i) A criminal justice agency may disclose criminal history record information that is the subject of an order of nondisclosure to the following noncriminal justice agencies or entities only:

(1) the State Board for Educator Certification;

(2) a school district, charter school, private school, regional education service center, commercial transportation company, or education shared service arrangement;

(3) the Texas Medical Board;

(4) the Texas School for the Blind and Visually Impaired;

(5) the Board of Law Examiners;

(6) the State Bar of Texas;

(7) a district court regarding a petition for name change under Subchapter B, Chapter 45, Family Code;

(8) the Texas School for the Deaf;

(9) the Department of Family and Protective Services;

(10) the Texas Youth Commission;

(11) the Department of Assistive and Rehabilitative Services;

(12) the Department of State Health Services, a local mental health service, a local mental retardation authority, or a community center providing services to persons with mental illness or retardation;

(13) the Texas Private Security Board;

(14) a municipal or volunteer fire department;

(15) the Texas Board of Nursing;

(16) a safe house providing shelter to children in harmful situations;

(17) a public or nonprofit hospital or hospital district;

(18) the Texas Juvenile Probation Commission;

(19) the securities commissioner, the banking commissioner, the savings and mortgage lending commissioner, or the credit union commissioner;

(20) the Texas State Board of Public Accountancy;

(21) the Texas Department of Licensing and Regulation;

(22) the Health and Human Services Commission;

(23) the Department of Aging and Disability Services; [and]

(24) the Texas Education Agency; and

(25) the Department of Information Resources but only regarding an employee, applicant for employment, contractor, subcontractor, intern, or volunteer who provides network security services under Chapter 2059 to:

(A) the Department of Information Resources; or

(B) a contractor or subcontractor of the Department of Information Resources.

SECTION 2. Subchapter F, Chapter 411, Government Code, is amended by adding Section 411.1404 to read as follows:

Sec. 411.1404. ACCESS TO CRIMINAL HISTORY RECORD INFORMATION: DEPARTMENT OF INFORMATION RESOURCES. (a) The Department of Information Resources is entitled to obtain from the department or the identification division of the Federal Bureau of Investigation the criminal history record information maintained by the department or division that relates to a person who is an employee, applicant for employment, contractor, subcontractor, intern, or other volunteer with the Department of Information Resources or with a contractor or subcontractor for the Department of Information Resources.

(b) Criminal history record information obtained by the Department of Information Resources under this section may not be released or disclosed except:

(1) by court order; or

(2) with the consent of the person who is the subject of the information.

(c) The Department of Information Resources shall destroy criminal history record information obtained under this section that relates to a person after the information is used to make an employment decision or to take a personnel action relating to the person who is the subject of the information.

(d) The Department of Information Resources may not obtain criminal history record information under this section unless the Department of Information Resources first adopts policies and procedures that provide that evidence of a criminal conviction or other relevant information obtained from the criminal history record information does not automatically disqualify an individual from employment. The policies and procedures adopted under this subsection must provide that the hiring official will determine, on a case-by-case basis, whether the individual is qualified for employment based on factors that include:

(1) the specific duties of the position;

(2) the number of offenses committed by the individual;

(3) the nature and seriousness of each offense;

(4) the length of time between the offense and the employment decision;

(5) the efforts by the individual at rehabilitation; and

(6) the accuracy of the information on the individual's employment application.

SECTION 3. Subchapter D, Chapter 551, Government Code, is amended by adding Section 551.089 to read as follows:

Sec. 551.089. DEPARTMENT OF INFORMATION RESOURCES. This chapter does not require the governing board of the Department of Information Resources to conduct an open meeting to deliberate:

(1) security assessments or deployments relating to information resources technology;

(2) network security information as described by Section 2059.055(b); or

(3) the deployment, or specific occasions for implementation, of security personnel, critical infrastructure, or security devices.

SECTION 4. Section 552.139, Government Code, is amended to read as follows:

Sec. 552.139. EXCEPTION: GOVERNMENT INFORMATION RELATED TO SECURITY OR INFRASTRUCTURE ISSUES FOR COMPUTERS. (a) Information is excepted from the requirements of Section 552.021 if it is information that relates to computer network security, to restricted information under Section 2059.055, or to the design, operation, or defense of a computer network.

(b) The following information is confidential:

(1) a computer network vulnerability report; and

(2) any other assessment of the extent to which data processing operations, a computer, [or] a computer program, network, system, or system interface, or software of a governmental body or of a contractor of a governmental body is vulnerable to unauthorized access or harm, including an assessment of the extent to which the governmental body's or contractor's electronically stored information containing sensitive or critical information is vulnerable to alteration, damage, [or] erasure, or inappropriate use.

(c) Notwithstanding the confidential nature of the information described in this section, the information may be disclosed to a bidder if the governmental body determines that providing the information is necessary for the bidder to provide an accurate bid. A disclosure under this subsection is not a voluntary disclosure for purposes of Section 552.007.

SECTION 5. Sections 2054.077(b), (d), and (e), Government Code, are amended to read as follows:

(b) The information resources manager of a state agency may prepare or have prepared a report, including an executive summary of the findings of the report, assessing the extent to which a computer, a computer program, a computer network, a computer system, an interface to a computer system, computer software, or data processing of the agency or of a contractor of the agency is vulnerable to unauthorized access or harm, including the extent to which the agency's or contractor's electronically stored information is vulnerable to alteration, damage, [or] erasure, or inappropriate use.

(d) The [On request, the] information resources manager shall provide an electronic [a] copy of the vulnerability report on its completion to:

(1) the department;

(2) the state auditor; [and]

(3) the agency's executive director; and

(4) any other information technology security oversight group specifically authorized by the legislature to receive the report.

(e) Separate from the executive summary described by Subsection (b), a [A] state agency whose information resources manager has prepared or has had prepared a vulnerability report shall prepare a summary of the report that does not contain any information the release of which might compromise the security of the state agency's or state agency contractor's computers, computer programs, computer networks, computer systems, computer software, data processing, or electronically stored information. The summary is available to the public on request.

SECTION 6. Section 2054.100(b), Government Code, is amended to read as follows:

(b) The plan must describe the agency's current and proposed projects for the biennium, including how the projects will:

(1) benefit individuals in this state and benefit the state as a whole;

(2) use, to the fullest extent, technology owned or adapted by other state agencies;

(3) employ, to the fullest extent, the department's information technology standards, including Internet-based technology standards;

(4) expand, to the fullest extent, to serve residents of this state or to serve other state agencies;

(5) develop on time and on budget;

(6) produce quantifiable returns on investment; and

(7) meet any other criteria developed by the department or the quality assurance team.

SECTION 7. Subchapter B, Chapter 2059, Government Code, is amended by adding Section 2059.060 to read as follows:

Sec. 2059.060. VULNERABILITY TESTING OF NETWORK HARDWARE AND SOFTWARE. (a) The department shall adopt rules requiring, in state agency contracts for network hardware and software, a statement by the vendor certifying that the network hardware or software, as applicable, has undergone independent certification testing for known and relevant vulnerabilities.

(b) Rules adopted under Subsection (a) may:

(1) provide for vendor exemptions; and

(2) establish certification standards for testing network hardware and software for known and relevant vulnerabilities.

(c) Unless otherwise provided by rule, the required certification testing must be conducted under maximum load conditions in accordance with published performance claims of a hardware or software manufacturer, as applicable.

SECTION 8. (a) The Department of Information Resources shall adopt the rules required by Section 2059.060, Government Code, as added by this Act, not later than September 1, 2010.

(b) The change in law made by Section 2059.060, Government Code, as added by this Act, applies only to a contract entered into on or after December 1, 2010.

SECTION 9. This Act takes effect September 1, 2009.

______________________________    ______________________________
President of the Senate           Speaker of the House

I certify that H.B. No. 1830 was passed by the House on April 2, 2009, by the following vote: Yeas 144, Nays 0, 1 present, not voting; and that the House concurred in Senate amendments to H.B. No. 1830 on May 14, 2009, by the following vote: Yeas 142, Nays 0, 1 present, not voting.

______________________________
Chief Clerk of the House

I certify that H.B. No. 1830 was passed by the Senate, with amendments, on May 7, 2009, by the following vote: Yeas 31, Nays 0.

______________________________
Secretary of the Senate

APPROVED: __________________
Date

__________________
Governor