TO:	Honorable Dan Patrick, Lieutenant Governor, Senate
FROM:	Ursula Parks, Director, Legislative Budget Board
IN RE:	SB1910 by Zaffirini (Relating to state agency information security plans, information technology employees, and online and mobile applications.), As Passed 2nd House

The bill would amend Chapter 2054, Government Code, to authorize the Department of Information Resources (DIR) to select a portion of the security plans submitted to DIR under Section 2054.133 to be assessed by DIR, subject to available resources. The bill would require each state agency to designate an information security officer within the agency.

The bill would require each state agency implementing an Internet website or mobile application that processes any personally identifiable or confidential information to submit a biennial data security plan to DIR; to subject the website or application to a vulnerability and penetration test; and to address any vulnerability identified. The bill would require DIR to review and make recommendations for changes to the plan.

The bill would require institutions of higher education to adopt and implement a policy for internet website and mobile application security procedures. The bill would require the institutions to subject the websites or applications which would process confidential information to a vulnerability and penetration test prior to the deployments.

The bill would require DIR to submit to certain leadership and committees of the Legislature a biennial report identifying preventive and recovery efforts the state can undertake to improve cybersecurity in this state.  If a cybersecurity event creates the need for emergency funding, the bill would authorize DIR to request that the Governor or Legislative Budget Board make a proposal under Chapter 317, related to state budget execution, to provide funding to manage the impacts from the cybersecurity event.

The bill would require agencies to assess their capability to execute major information resource projects before spending funds on such projects. Assessments of an agency's strengths and weaknesses in executing such projects would be submitted to the Department of Information Resources, the Quality Assurance Team, and the Legislative Budget Board.

The bill sets forth certain requirements all agencies would be required to follow relating to information technology security. The costs cannot be determined because the impact would be contingent on factors such as an agency's existing information technology infrastructure, current practices, and the number of full-time equivalent (FTE) positions currently supporting related services.
 
Agencies indicated various costs to implement requirements for data security plans and for vulnerability and penetration tests before online and mobile applications are deployed. The Office of the Attorney General indicates that six applications would be tested annually for a total of $90,000 each fiscal year out of General Revenue and Federal Funds. The General Land Office indicated a total of $84,000 for each fiscal year in General Revenue for contractor costs due to longer project implementation timelines, testing requirements, resolution of test issues and training. Additionally, the Texas A&M University System estimates there would be a cost to implement the testing requirements. Other agencies, such as the Office of the Governor, Board of Nursing, and Department of Licensing and Regulation indicate that costs could be absorbed within existing resources.

This analysis assumes that agencies which do not currently employ an information security officer could designate a current employee to meet the provisions of Section 2054.136, as added by the bill.

DIR indicates that their costs to implement the bills provisions cold be absorbed within existing resources.

Local Government Impact

No fiscal implication to units of local government is anticipated.