A BILL TO BE ENTITLED

AN ACT

relating to the requirements for and approval of a state agency's information security plan.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 2054.133, Government Code, is amended by adding Subsections (b-1), (b-2), (b-3), and (b-4) to read as follows:

(b-1) The executive head and chief information security officer of each state agency shall annually review and approve in writing the agency's information security plan and strategies for addressing the agency's information resources systems that are at highest risk for security breaches. If a state agency does not have a chief information security officer, the highest ranking information security employee for the agency shall review and approve the plan and strategies. The executive head retains full responsibility for the agency's information security and any risks to that security.

(b-2) Before submitting to the Legislative Budget Board a legislative appropriation request for a state fiscal biennium, a state agency must file with the board the written approval required under Subsection (b-1) for each year of the current state fiscal biennium.

(b-3) Each state agency shall include in the agency's information security plan the actions the agency is taking to incorporate into the plan the core functions of "identify, protect, detect, respond, and recover" as recommended in the "Framework for Improving Critical Infrastructure Cybersecurity" of the United States Department of Commerce National Institute of Standards and Technology. The agency shall, at a minimum, identify any information the agency requires individuals to provide to the agency or the agency retains that is not necessary for the agency's operations. The agency may incorporate the core functions over a period of years.

(b-4) A state agency's information security plan must include appropriate privacy and security standards that, at a minimum, require a vendor who offers cloud computing services or other software, applications, online services, or information technology solutions to any state agency to demonstrate that data provided by the state to the vendor will be maintained in compliance with all applicable state and federal laws and rules.

SECTION 2. Section 2054.133, Government Code, as amended by this Act, applies only to an information security plan submitted on or after the effective date of this Act.

SECTION 3. This Act takes effect September 1, 2017.