This website will be unavailable from Friday, April 26, 2024 at 6:00 p.m. through Monday, April 29, 2024 at 7:00 a.m. due to data center maintenance.

BILL ANALYSIS

 

 

Senate Research Center

S.B. 532

 

By: Nelson

 

Finance

 

2/24/2017

 

As Filed

 

 

 

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

 

S.B. 532 promotes cybersecurity and cost saving within state agencies by requiring an assessment of information technology risks and encouraging agencies to explore cloud computing innovations.

 

As proposed, S.B. 532 amends current law relating to reports on and purchase of information technology by state agencies.

 

RULEMAKING AUTHORITY

 

This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.

 

SECTION BY SECTION ANALYSIS

 

SECTION 1. Amends Section 552.139(b), Government Code, by adding Subdivision (4) to provide that information collected, assembled, or maintained by or for� a governmental entity to prevent, detect, or investigate security incidents is confidential.

 

SECTION 2. Amends Subchapter C, Chapter 2054, Government Code, by adding Section 2054.068, as follows:

 

Sec. 2054.068. INFORMATION TECHNOLOGY INFRASTRUCTURE REPORT.� (a) Defines "information technology."

 

(b) Requires the Department of Information Resources (DIR) to collect certain information from each state agency on the status and condition of the agency's information technology infrastructure.

 

(c) Requires a state agency to provide the required information to DIR according to a schedule determined by DIR.

 

(d) Requires DIR, not later than August 31 of each even-numbered year, to submit to the governor, chair of the house appropriations committee, chair of the senate finance committee, speaker of the house of representatives, lieutenant governor, and staff of the Legislative Budge Board a consolidated report of the information submitted by state agencies.

 

(e) Requires the required consolidated report to include an analysis and assessment of each state agency's security and operational risks and, for a state agency found to be at higher security and operational risks, to include a detailed analysis of the requirements for the agency to address the risks and related vulnerabilities and the cost estimates to implement those requirements.

 

(f) Authorizes DIR to exempt from the reporting requirements a state agency that has consolidated some or all of the agency's information technology infrastructure to the statewide technology centers established by DIR or a state agency that presents good cause for an exemption.

 

(g) Provides that the consolidated report, with the exception of information that is confidential under Chapter 552 (Public Information), including Section 552.139 (Exception: Confidentiality of Government Information Related to Security or Infrastructure Issues for Computers), or other state or federal law, is public information and requires that the report be released or made available to the public upon request. Authorizes a governmental body, as defined by Section 552.003 (Definitions), Government Code, to withhold certain confidential information that is contained in a released consolidated report without the necessity of requesting a decision from the attorney general under Subchapter G (Attorney General Decisions), Chapter 552, Government Code.

 

(h) Provides that this section does not apply to an institution of higher education or university system� as defined by Section 61.003 (Definitions), Education Code.

 

SECTION 3. Amends Section 2054.0965(a), Government Code, by requiring a state agency, not later than March 31 of each even-numbered year, rather than December 1 of each odd-numbered year, to complete a review of operational aspects of the agency's information resources deployment following instructions developed by DIR.

 

SECTION 4. Amends Section 2157.007, Government Code, by amending Subsection (b) and adding Subsection (e), as follows:

 

(b) Requires a state agency, rather than authorizes a state agency, to consider cloud computing service options, including any cost savings associated with purchasing those service options from a commercial cloud computing service provider or a statewide technology center established by DIR, when making purchases for a major information resources project under Section 2054.118 (Major Information Resources Project).

 

(e) Requires DIR using existing resources, not later than August 1 of each even-numbered year, to submit a report to the governor, lieutenant governor, and speaker of the house of representatives on state agencies' use of cloud computing service options. Requires the report to include use cases that provided cost savings and other benefits, including security enhancements. Requires a state agency to cooperate with DIR in the creation of the report by providing timely and accurate information and any assistance required by DIR.

 

SECTION 5. Effective date: September 1, 2017.