A BILL TO BE ENTITLED

AN ACT

relating to state agency information security plans, information technology employees, and online and mobile applications.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 2054.133(c), Government Code, is amended to read as follows:

(c) Not later than October 15 of each even-numbered year, each state agency shall submit a copy of the agency's information security plan to the department. Subject to available resources, the department shall select a portion of the submitted security plans to be audited by the department in accordance with department rules.

SECTION 2. Subchapter F, Chapter 2054, Government Code, is amended by adding Section 2054.136 to read as follows:

Sec. 2054.136. INDEPENDENT INFORMATION SECURITY OFFICER. Each state agency in the executive branch of state government that has on staff a chief information security officer or information security officer shall ensure that within the agency's organizational structure the officer is independent from and not subordinate to the agency's information technology operations.

SECTION 3. Subchapter N-1, Chapter 2054, Government Code, is amended by adding Section 2054.516 to read as follows:

Sec. 2054.516. DATA SECURITY PLAN FOR ONLINE AND MOBILE APPLICATIONS. (a) Each state agency implementing an Internet website or mobile application that processes any personally identifiable or confidential information must:

(1) submit a data security plan to the department before beta testing the website or application; and

(2) before deploying the website or application:

(A) subject the website or application to a vulnerability and penetration test conducted by an independent third party; and

(B) address any vulnerability identified under Paragraph (A).

(b) The data security plan required under Subsection (a)(1) must include:

(1) data flow diagrams to show the location of information in use, in transit, and not in use;

(2) data storage locations;

(3) data interaction with online or mobile devices;

(4) security of data transfer;

(5) security measures for the online or mobile application; and

(6) a description of any action taken by the agency to remediate any vulnerability identified by an independent third party under Subsection (a)(2).

(c) The department shall review each data security plan submitted under Subsection (a) and make any recommendations for changes to the plan to the state agency as soon as practicable after the department reviews the plan.

SECTION 4. As soon as practicable after the effective date of this Act, the Department of Information Resources shall adopt the rules necessary to implement Section 2054.133(c), Government Code, as amended by this Act.

SECTION 5. This Act takes effect September 1, 2017.