LEGISLATIVE BUDGET BOARD
Austin, Texas
 
FISCAL NOTE, 85TH LEGISLATIVE REGULAR SESSION
 
April 10, 2017

TO:
Honorable Kelly Hancock, Chair, Senate Committee on Business & Commerce
 
FROM:
Ursula Parks, Director, Legislative Budget Board
 
IN RE:
SB1910 by Zaffirini (Relating to state agency information security plans, information technology employees, and online and mobile applications.), As Introduced

The statewide fiscal implications of the bill cannot be determined at this time, but the bill is expected to result in a cost to the State. These costs primarily relate to provisions of the bill that would require DIR to audit agency information security plans and requirements for agencies to contract with an independent third party to perform vulnerability and penetration tests before deploying certain website or mobile applications.

The bill would amend Chapter 2054, Government Code, to require the Department of Information Resources (DIR) to select a portion of the security plans submitted to DIR under Section 2054.133 to be audited by DIR. The bill would require each state agency in the executive branch that has a chief information security officer on staff to ensure that the officer is independent from and not subordinate to the agency's information technology operations.
 
The bill would require each state agency implementing an Internet website or mobile application that processes any personally identifiable or confidential information to submit a data security plan to DIR and to subject the website or application to a vulnerability and penetration test conducted by an independent third party and address any vulnerability identified. The bill would specify the information to be included in the data security plan and would require DIR to review and make recommendations for changes to the plan.
 
The bill sets forth certain requirements all agencies would be required to follow relating to information technology security. The costs cannot be determined because the impact would be contingent on factors such as an agency's existing information technology infrastructure, current practices, and the number of full-time equivalent (FTE) positions currently supporting related services.
 
DIR indicates a cost of $900,000 annually, from the Clearing Fund (Other Funds) to perform audits for an estimated 15 security plans annually at a cost of $60,000 per audit.
 
Agencies indicated various costs to implement requirements for data security plans and for vulnerability and penetration tests conducted by an independent third party before online and mobile applications are deployed. The Office of the Attorney General indicates that six applications would be tested annually for a total of $90,000 each fiscal year out of General Revenue and Federal Funds. The General Land Office indicated a total of $84,000 for each fiscal year in General Revenue for contractor costs due to longer project implementation timelines, testing requirements, resolution of test issues and training. Additionally, the University of Texas System indicated annual costs of $9,052,867 to $9,267,468 primarily for testing requirements. Other agencies, such as the Office of the Governor, Board of Nursing, and Health and Human Services Commission indicated that costs could be absorbed within existing resources.

Local Government Impact

No fiscal implication to units of local government is anticipated.


Source Agencies:
300 Trusteed Programs Within the Office of the Governor, 302 Office of the Attorney General, 305 General Land Office and Veterans' Land Board, 312 Securities Board, 313 Department of Information Resources, 452 Department of Licensing and Regulation, 507 Texas Board of Nursing, 529 Health and Human Services Commission, 582 Commission on Environmental Quality, 608 Department of Motor Vehicles, 644 Juvenile Justice Department, 710 Texas A&M University System Administrative and General Offices, 720 The University of Texas System Administration
LBB Staff:
UP, CL, NV, LCO, RC, PM