|
|
|
A BILL TO BE ENTITLED
|
|
AN ACT
|
|
relating to the requirement that state agency employees complete |
|
cybersecurity awareness training. |
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
SECTION 1. Subchapter N-1, Chapter 2054, Government Code, |
|
is amended by adding Section 2054.5175 to read as follows: |
|
Sec. 2054.5175. CYBERSECURITY AWARENESS TRAINING. (a) |
|
This section applies only to a state agency that is a department, |
|
commission, board, office, or other agency in the executive branch |
|
of state government. This section does not apply to an institution |
|
of higher education, as defined by Section 61.003, Education Code. |
|
(b) Each state agency shall require all employees of the |
|
agency who have access to the agency's network or online systems, |
|
including electronic mail or Internet access, to complete training |
|
on cybersecurity awareness. The training must: |
|
(1) be designed, administered, and maintained by a |
|
third-party vendor based in this state that: |
|
(A) has offered professional security awareness |
|
training in this state for at least three years; and |
|
(B) has provided security awareness training to |
|
at least 100,000 people; |
|
(2) run on a web-based learning management system; |
|
(3) include industry standards of content for |
|
cybersecurity training; |
|
(4) be capable of training at least 100,000 people; |
|
(5) incorporate a management console allowing the |
|
entering of the employee's first name, last name, electronic mail |
|
address, state agency employer, and division in which the employee |
|
is employed; |
|
(6) track the progress of an employee in completing |
|
the training; |
|
(7) generate reports, including reports that display |
|
the progress in completing the training of: |
|
(A) each division of a state agency; |
|
(B) each state agency as a whole; and |
|
(C) the entire state workforce; |
|
(8) provide a flexible number of training licenses to |
|
accommodate an unknown number of employees being trained each year; |
|
(9) be regularly updated to include training about new |
|
cybersecurity threats; |
|
(10) have the ability to include content in addition |
|
to cybersecurity awareness training, including training on human |
|
resources policies and sexual harassment prevention; |
|
(11) have the ability to display an image of the state |
|
seal or a state agency's seal or logo; |
|
(12) have the ability to create groups and allow |
|
employees to be assigned to the groups; |
|
(13) have the ability to assign training requirements |
|
to specific groups of employees; and |
|
(14) have the ability to send electronic mail |
|
notifications that are customizable to employees enrolled in the |
|
training. |
|
SECTION 2. This Act takes effect September 1, 2019. |