|
|
|
A BILL TO BE ENTITLED
|
|
AN ACT
|
|
relating to information technology security practices of state |
|
agencies. |
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
SECTION 1. Section 411.081(i), Government Code, is amended |
|
to read as follows: |
|
(i) A criminal justice agency may disclose criminal history |
|
record information that is the subject of an order of nondisclosure |
|
to the following noncriminal justice agencies or entities only: |
|
(1) the State Board for Educator Certification; |
|
(2) a school district, charter school, private school, |
|
regional education service center, commercial transportation |
|
company, or education shared service arrangement; |
|
(3) the Texas Medical Board; |
|
(4) the Texas School for the Blind and Visually |
|
Impaired; |
|
(5) the Board of Law Examiners; |
|
(6) the State Bar of Texas; |
|
(7) a district court regarding a petition for name |
|
change under Subchapter B, Chapter 45, Family Code; |
|
(8) the Texas School for the Deaf; |
|
(9) the Department of Family and Protective Services; |
|
(10) the Texas Youth Commission; |
|
(11) the Department of Assistive and Rehabilitative |
|
Services; |
|
(12) the Department of State Health Services, a local |
|
mental health service, a local mental retardation authority, or a |
|
community center providing services to persons with mental illness |
|
or retardation; |
|
(13) the Texas Private Security Board; |
|
(14) a municipal or volunteer fire department; |
|
(15) the Texas Board of Nursing; |
|
(16) a safe house providing shelter to children in |
|
harmful situations; |
|
(17) a public or nonprofit hospital or hospital |
|
district; |
|
(18) the Texas Juvenile Probation Commission; |
|
(19) the securities commissioner, the banking |
|
commissioner, the savings and mortgage lending commissioner, or the |
|
credit union commissioner; |
|
(20) the Texas State Board of Public Accountancy; |
|
(21) the Texas Department of Licensing and Regulation; |
|
(22) the Health and Human Services Commission; |
|
(23) the Department of Aging and Disability Services; |
|
[and] |
|
(24) the Texas Education Agency; and |
|
(25) the Department of Information Resources. |
|
SECTION 2. Subchapter F, Chapter 411, Government Code, is |
|
amended by adding Section 411.1404 to read as follows: |
|
Sec. 411.1404. ACCESS TO CRIMINAL HISTORY RECORD |
|
INFORMATION: DEPARTMENT OF INFORMATION RESOURCES. (a) The |
|
Department of Information Resources is entitled to obtain from the |
|
department or another appropriate law enforcement agency the |
|
criminal history record information maintained by the department or |
|
other law enforcement agency that relates to: |
|
(1) a person who is an employee or applicant for |
|
employment with the Department of Information Resources; |
|
(2) a person who may perform services for the |
|
Department of Information Resources; or |
|
(3) a person who is an employee or subcontractor, or an |
|
applicant to be an employee or subcontractor, of a contractor that |
|
provides services to the Department of Information Resources. |
|
(b) Criminal history record information obtained by the |
|
Department of Information Resources under Subsection (a) may be |
|
used only to evaluate: |
|
(1) an employee or applicant for employment with the |
|
Department of Information Resources; |
|
(2) a person who may perform services for the |
|
Department of Information Resources; or |
|
(3) a person who is an employee or subcontractor, or an |
|
applicant to be an employee or subcontractor, of a contractor that |
|
provides services to the Department of Information Resources. |
|
(c) Criminal history record information obtained by the |
|
Department of Information Resources under this section may not be |
|
released or disclosed to any person or agency except on court order |
|
or with the consent of the person who is the subject of the |
|
information. |
|
(d) The Department of Information Resources shall destroy |
|
the criminal history record information obtained under this section |
|
after the information is used for the purposes authorized by this |
|
section. |
|
SECTION 3. Subchapter D, Chapter 551, Government Code, is |
|
amended by adding Section 551.089 to read as follows: |
|
Sec. 551.089. DEPARTMENT OF INFORMATION RESOURCES. This |
|
chapter does not require the governing board of the Department of |
|
Information Resources to conduct an open meeting to deliberate: |
|
(1) security assessments or deployments relating to |
|
information resources technology; |
|
(2) network security information as described by |
|
Section 2059.055(b); or |
|
(3) the deployment, or specific occasions for |
|
implementation, of security personnel, critical infrastructure, or |
|
security devices. |
|
SECTION 4. Section 552.139, Government Code, is amended to |
|
read as follows: |
|
Sec. 552.139. EXCEPTION: GOVERNMENT INFORMATION RELATED TO |
|
SECURITY OR INFRASTRUCTURE ISSUES FOR COMPUTERS. (a) Information |
|
is excepted from the requirements of Section 552.021 if it is |
|
information that relates to computer network security, to |
|
restricted information under Section 2059.055, or to the design, |
|
operation, or defense of a computer network. |
|
(b) The following information is confidential: |
|
(1) a computer network vulnerability report; and |
|
(2) any other assessment of the extent to which data |
|
processing operations, a computer, [or] a computer program, |
|
network, system, or system interface, or software of a governmental |
|
body or of a contractor of a governmental body is vulnerable to |
|
unauthorized access or harm, including an assessment of the extent |
|
to which the governmental body's or contractor's electronically |
|
stored information containing sensitive or critical information is |
|
vulnerable to alteration, damage, [or] erasure, or inappropriate |
|
use. |
|
(c) Notwithstanding the confidential nature of the |
|
information described in this section, the information may be |
|
disclosed to a bidder if the governmental body determines that |
|
providing the information is necessary for the bidder to provide an |
|
accurate bid. A disclosure under this subsection is not a voluntary |
|
disclosure for purposes of Section 552.007. |
|
SECTION 5. Sections 2054.077(b), (d), and (e), Government |
|
Code, are amended to read as follows: |
|
(b) The information resources manager of a state agency may |
|
prepare or have prepared a report, including an executive summary |
|
of the findings of the report, assessing the extent to which a |
|
computer, a computer program, a computer network, a computer |
|
system, an interface to a computer system, computer software, or |
|
data processing of the agency or of a contractor of the agency is |
|
vulnerable to unauthorized access or harm, including the extent to |
|
which the agency's or contractor's electronically stored |
|
information containing sensitive or critical information is |
|
vulnerable to alteration, damage, [or] erasure, or inappropriate |
|
use. |
|
(d) The [On request, the] information resources manager |
|
shall provide an electronic [a] copy of the vulnerability report on |
|
its completion to: |
|
(1) the department; |
|
(2) the state auditor; [and] |
|
(3) the agency's executive director; and |
|
(4) any other information technology security |
|
oversight group specifically authorized by the legislature to |
|
receive the report. |
|
(e) Separate from the executive summary described by |
|
Subsection (b), a [A] state agency whose information resources |
|
manager has prepared or has had prepared a vulnerability report |
|
shall prepare a summary of the report that does not contain any |
|
information the release of which might compromise the security of |
|
the state agency's or state agency contractor's computers, computer |
|
programs, computer networks, computer systems, computer software, |
|
data processing, or electronically stored information. The summary |
|
is available to the public on request. |
|
SECTION 6. This Act takes effect September 1, 2009. |