88R12618 CXP-D
 
  By: Lujan
  H.B. No. 3217
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to a biennial audit by the Department of Information
  Resources of state agency information technology infrastructure.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  The heading to Section 2054.068, Government
  Code, is amended to read as follows:
         Sec. 2054.068.  INFORMATION TECHNOLOGY INFRASTRUCTURE AUDIT
  AND REPORT.
         SECTION 2.  Sections 2054.068(b), (c), (d), and (e),
  Government Code, are amended to read as follows:
         (b)  The department shall conduct a biennial audit of
  [collect from each state agency information on] the status and
  condition of each state [the] agency's information technology
  infrastructure, including a review of [information regarding]:
               (1)  the agency's:
                     (A)  information security program, including any
  information technology security measures used by the agency;
                     (B)  hardware, including [(2)] an inventory of the
  agency's servers, mainframes, cloud services, and other
  information technology equipment;
                     (C)  [(3) identification of] vendors that operate
  and manage the agency's information technology infrastructure;
                     (D)  software and licenses, including:
                           (i)  purchase date and cost;
                           (ii)  license length;
                           (iii)  date of last use; and
                           (iv)  the purpose of the software or
  license;
                     (E)  information technology governance policies;
                     (F)  cloud services;
                     (G)  vendor-managed services;
                     (H)  support services and the cost of those
  services;
                     (I)  network systems;
                     (J)  digital data storage systems and security
  measures;
                     (K)  future information technology projects; and
                     (L)  information technology needs;
               (2)  any information technology issues reported by the
  public; and
               (3) [(4)]  any additional related issue [information
  requested by] the department considers necessary.
         (c)  A state agency shall provide to the department:
               (1)  [the] information related to the subjects
  described [required] by Subsection (b) [to the department]
  according to a schedule determined by the department; and
               (2)  access to the state agency's information
  technology infrastructure.
         (d)  Not later than December 1 [November 15] of each
  even-numbered year, the department shall submit to the governor,
  chair of the house appropriations committee, chair of the senate
  finance committee, speaker of the house of representatives,
  lieutenant governor, and staff of the Legislative Budget Board a
  consolidated report on the audits conducted [of the information
  submitted by state agencies] under Subsection (b).
         (e)  The consolidated report required by Subsection (d) must
  include:
               (1)  [include] an analysis and assessment of each state
  agency's security and operational risks; [and]
               (2)  for a state agency found to be at higher security
  and operational risks, [include] a detailed analysis of agency
  efforts to address the risks and related vulnerabilities;
               (3)  the information submitted by state agencies under
  Subsection (c);
               (4)  the department's recommendations relating to the
  state agency's information technology infrastructure; and
               (5)  a ranking of each state agency based on the
  efficacy and ease of use of the agency's information technology
  infrastructure.
         SECTION 3.  This Act takes effect September 1, 2023.