85(R) SB 1910 - Enrolled version



	S.B. No. 1910




	AN ACT
	relating to state agency information security plans, information
	technology employees, and online and mobile applications.
	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
	SECTION 1. Subchapter C, Chapter 2054, Government Code, is
	amended by adding Sections 2054.0591 and 2054.0592 to read as
	follows:
	Sec. 2054.0591. CYBERSECURITY REPORT. (a) Not later than
	November 15 of each even-numbered year, the department shall submit
	to the governor, the lieutenant governor, the speaker of the house
	of representatives, and the standing committee of each house of the
	legislature with primary jurisdiction over state government
	operations a report identifying preventive and recovery efforts the
	state can undertake to improve cybersecurity in this state. The
	report must include:
	(1) an assessment of the resources available to
	address the operational and financial impacts of a cybersecurity
	event;
	(2) a review of existing statutes regarding
	cybersecurity and information resources technologies;
	(3) recommendations for legislative action to
	increase the state's cybersecurity and protect against adverse
	impacts from a cybersecurity event;
	(4) an evaluation of the costs and benefits of
	cybersecurity insurance; and
	(5) an evaluation of tertiary disaster recovery
	options.
	(b) The department or a recipient of a report under this
	section may redact or withhold information confidential under
	Chapter 552, including Section 552.139, or other state or federal
	law that is contained in the report in response to a request under
	Chapter 552 without the necessity of requesting a decision from the
	attorney general under Subchapter G, Chapter 552.
	Sec. 2054.0592. CYBERSECURITY EMERGENCY FUNDING. If a
	cybersecurity event creates a need for emergency funding, the
	department may request that the governor or Legislative Budget
	Board make a proposal under Chapter 317 to provide funding to manage
	the operational and financial impacts from the cybersecurity event.
	SECTION 2. Subchapter F, Chapter 2054, Government Code, is
	amended by adding Section 2054.1184 to read as follows:
	Sec. 2054.1184. ASSESSMENT OF MAJOR INFORMATION RESOURCES
	PROJECT. (a) A state agency proposing to spend appropriated funds
	for a major information resources project must first conduct an
	execution capability assessment to:
	(1) determine the agency's capability for implementing
	the project;
	(2) reduce the agency's financial risk in implementing
	the project; and
	(3) increase the probability of the agency's
	successful implementation of the project.
	(b) A state agency shall submit to the department, the
	quality assurance team established under Section 2054.158, and the
	Legislative Budget Board a detailed report that identifies the
	agency's organizational strengths and any weaknesses that will be
	addressed before the agency initially spends appropriated funds for
	a major information resources project.
	(c) A state agency may contract with an independent third
	party to conduct the assessment under Subsection (a) and prepare
	the report described by Subsection (b).
	SECTION 3. Section 2054.133(c), Government Code, is amended
	to read as follows:
	(c) Not later than October 15 of each even-numbered year,
	each state agency shall submit a copy of the agency's information
	security plan to the department. Subject to available resources,
	the department may select a portion of the submitted security plans
	to be assessed by the department in accordance with department
	rules.
	SECTION 4. Subchapter F, Chapter 2054, Government Code, is
	amended by adding Section 2054.136 to read as follows:
	Sec. 2054.136. DESIGNATED INFORMATION SECURITY OFFICER.
	Each state agency shall designate an information security officer
	who:
	(1) reports to the agency's executive-level
	management;
	(2) has authority over information security for the
	entire agency;
	(3) possesses the training and experience required to
	perform the duties required by department rules; and
	(4) to the extent feasible, has information security
	duties as the officer's primary duties.
	SECTION 5. Subchapter N-1, Chapter 2054, Government Code,
	is amended by adding Sections 2054.516 and 2054.517 to read as
	follows:
	Sec. 2054.516. DATA SECURITY PLAN FOR ONLINE AND MOBILE
	APPLICATIONS. (a) Each state agency, other than an institution of
	higher education subject to Section 2054.517, implementing an
	Internet website or mobile application that processes any sensitive
	personally identifiable or confidential information must:
	(1) submit a biennial data security plan to the
	department not later than October 15 of each even-numbered year, to
	establish planned beta testing for websites or applications; and
	(2) subject the website or application to a
	vulnerability and penetration test and address any vulnerability
	identified in the test.
	(b) The department shall review each data security plan
	submitted under Subsection (a) and make any recommendations for
	changes to the plan to the state agency as soon as practicable after
	the department reviews the plan.
	Sec. 2054.517. DATA SECURITY PROCEDURES FOR ONLINE AND
	MOBILE APPLICATIONS OF INSTITUTIONS OF HIGHER EDUCATION. (a) Each
	institution of higher education, as defined by Section 61.003,
	Education Code, shall adopt and implement a policy for Internet
	website and mobile application security procedures that complies
	with this section.
	(b) Before deploying an Internet website or mobile
	application that processes confidential information for an
	institution of higher education, the developer of the website or
	application for the institution must submit to the institution's
	information security officer the information required under
	policies adopted by the institution to protect the privacy of
	individuals by preserving the confidentiality of information
	processed by the website or application. At a minimum, the
	institution's policies must require the developer to submit
	information describing:
	(1) the architecture of the website or application;
	(2) the authentication mechanism for the website or
	application; and
	(3) the administrator-level access to data included in
	the website or application.
	(c) Before deploying an Internet website or mobile
	application described by Subsection (b), an institution of higher
	education must subject the website or application to a
	vulnerability and penetration test conducted internally or by an
	independent third party.
	(d) Each institution of higher education shall submit to the
	department the policies adopted as required by Subsection (b). The
	department shall review the policies and make recommendations for
	appropriate changes.
	SECTION 6. As soon as practicable after the effective date
	of this Act, the Department of Information Resources shall adopt
	the rules necessary to implement Section 2054.133(c), Government
	Code, as amended by this Act.
	SECTION 7. This Act takes effect September 1, 2017.





	______________________________	______________________________
	President of the Senate	Speaker of the House

	I hereby certify that S.B. No. 1910 passed the Senate on
	May 4, 2017, by the following vote: Yeas 31, Nays 0; and that the
	Senate concurred in House amendments on May 26, 2017, by the
	following vote: Yeas 31, Nays 0.


	______________________________
	Secretary of the Senate

	I hereby certify that S.B. No. 1910 passed the House, with
	amendments, on May 22, 2017, by the following vote: Yeas 144,
	Nays 0, one present not voting.


	______________________________
	Chief Clerk of the House



	Approved:

	______________________________
	Date


	______________________________
	Governor