Bill Text: CA AB670 | 2015-2016 | Regular Session | Chaptered
Bill Title: Information technology security.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Passed) 2015-10-06 - Chaptered by Secretary of State - Chapter 518, Statutes of 2015. [AB670 Detail]
Download: California-2015-AB670-Chaptered.html
BILL NUMBER: AB 670 CHAPTERED
BILL TEXT
CHAPTER 518
FILED WITH SECRETARY OF STATE OCTOBER 6, 2015
APPROVED BY GOVERNOR OCTOBER 6, 2015
PASSED THE SENATE SEPTEMBER 8, 2015
PASSED THE ASSEMBLY SEPTEMBER 9, 2015
AMENDED IN SENATE SEPTEMBER 3, 2015
AMENDED IN SENATE JUNE 23, 2015
AMENDED IN SENATE JUNE 15, 2015
AMENDED IN ASSEMBLY APRIL 6, 2015
INTRODUCED BY Assembly Member Irwin
FEBRUARY 25, 2015
An act to amend Section 11549.3 of the Government Code, relating
to technology.
LEGISLATIVE COUNSEL'S DIGEST
AB 670, Irwin. Information technology security.
(1) Existing law establishes, within the Government Operations
Agency, the Department of Technology under the supervision of the
Director of Technology, who is also known as the State Chief
Information Officer. The department is generally responsible for the
approval and oversight of information technology projects by, among
other things, consulting with state agencies during initial project
planning to ensure that project proposals are based on well-defined
programmatic needs.
Existing law establishes, within the department, the Office of
Information Security under the supervision of the Chief of the Office
of Information Security. Existing law sets forth the authority of
the office, including, but not limited to, the authority to conduct,
or require to be conducted, an independent security assessment of any
state agency, department, or office, the cost of which is to be
funded by the state agency, department, or office being assessed.
This bill would additionally require the office, in consultation
with the Office of Emergency Services, to require no fewer than 35
independent security assessments of state entities each year and
determine basic standards of services to be performed as part of an
independent security assessment. The bill would require the state
agency, department, or office being assessed to fund the costs of its
independent security assessment. The bill would require the office
and the Office of Emergency Services to receive the complete results
of an independent security assessment. The bill would prohibit,
during the process of conducting an independent security assessment,
the disclosure of information and records concerning the independent
security assessment, except that the information and records would be
authorized to be transmitted to state employees and state
contractors with specific duties relating to the independent security
assessment. The bill would require the disclosure of the results of
a completed independent security assessment under state law.
This bill would require the office, in consultation with the
Office of Emergency Services, to rank state entities on an
information security risk index, as specified. The bill would require
the office to report to the Department of Technology and the Office
of Emergency Services any state entity found noncompliant with
information security requirements. The bill would further require the
office to notify the Office of Emergency Services, Department of the
California Highway Patrol, and the Department of Justice of any
criminal or alleged criminal cyber activity affecting any state
entity or critical infrastructure of state government. The bill would
authorize the office to conduct or require to be conducted an audit
of information security to ensure program compliance, the cost of
which to be funded by the state agency, department, or office being
audited.
This bill would authorize the Military Department to perform an
independent security assessment as described above.
This bill would require state entities, as defined, rather than
certain information security officers, to comply with policies and
procedures issued by the office. The bill would also make technical,
nonsubstantive changes.
(2) Existing law requires that a statute that limits the public's
right of access to the meetings of public bodies or the writings of
public officials and agencies be adopted with findings to demonstrate
the interest protected by the limitation and the need for protecting
that interest.
This bill would limit access to information and records of an
ongoing independent security assessment and would make findings to
demonstrate the interest protected by the limitation and the need for
protecting that interest.
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1. Section 11549.3 of the Government Code is amended to
read:
11549.3. (a) The chief shall establish an information security
program. The program responsibilities include, but are not limited
to, all of the following:
(1) The creation, updating, and publishing of information security
and privacy policies, standards, and procedures for state agencies
in the State Administrative Manual.
(2) The creation, issuance, and maintenance of policies,
standards, and procedures directing state agencies to effectively
manage security and risk for both of the following:
(A) Information technology, which includes, but is not limited to,
all electronic technology systems and services, automated
information handling, system design and analysis, conversion of data,
computer programming, information storage and retrieval,
telecommunications, requisite system controls, simulation, electronic
commerce, and all related interactions between people and machines.
(B) Information that is identified as mission critical,
confidential, sensitive, or personal, as defined and published by the
office.
(3) The creation, issuance, and maintenance of policies,
standards, and procedures directing state agencies for the
collection, tracking, and reporting of information regarding security
and privacy incidents.
(4) The creation, issuance, and maintenance of policies,
standards, and procedures directing state agencies in the
development, maintenance, testing, and filing of each state agency's
disaster recovery plan.
(5) Coordination of the activities of state agency information
security officers, for purposes of integrating statewide security
initiatives and ensuring compliance with information security and
privacy policies and standards.
(6) Promotion and enhancement of the state agencies' risk
management and privacy programs through education, awareness,
collaboration, and consultation.
(7) Representing the state before the federal government, other
state agencies, local government entities, and private industry on
issues that have statewide impact on information security and
privacy.
(b) All state entities defined in Section 11546.1 shall implement
the policies and procedures issued by the office, including, but not
limited to, performing both of the following duties:
(1) Comply with the information security and privacy policies,
standards, and procedures issued pursuant to this chapter by the
office.
(2) Comply with filing requirements and incident notification by
providing timely information and reports as required by the office.
(c) (1) The office may conduct, or require to be conducted, an
independent security assessment of every state agency, department, or
office. The cost of the independent security assessment shall be
funded by the state agency, department, or office being assessed.
(2) In addition to the independent security assessments authorized
by paragraph (1), the office, in consultation with the Office of
Emergency Services, shall perform all the following duties:
(A) Annually require no fewer than thirty-five (35) state entities
to perform an independent security assessment, the cost of which
shall be funded by the state agency, department, or office being
assessed.
(B) Determine criteria and rank state entities based on an
information security risk index that may include, but not be limited
to, analysis of the relative amount of the following factors within
state agencies:
(i) Personally identifiable information protected by law.
(ii) Health information protected by law.
(iii) Confidential financial data.
(iv) Self-certification of compliance and indicators of unreported
noncompliance with security provisions in the following areas:
(I) Information asset management.
(II) Risk management.
(III) Information security program management.
(IV) Information security incident management.
(V) Technology recovery planning.
(C) Determine the basic standards of services to be performed as
part of independent security assessments required by this
subdivision.
(3) The Military Department may perform an independent security
assessment of any state agency, department, or office, the cost of
which shall be funded by the state agency, department, or office
being assessed.
(d) State agencies and entities required to conduct or receive an
independent security assessment pursuant to subdivision (c) shall
transmit the complete results of that assessment and recommendations
for mitigating system vulnerabilities, if any, to the office and the
Office of Emergency Services.
(e) The office shall report to the Department of Technology and
the Office of Emergency Services any state entity found to be
noncompliant with information security program requirements.
(f) (1) Notwithstanding any other law, during the process of
conducting an independent security assessment pursuant to subdivision
(c), information and records concerning the independent security
assessment are confidential and shall not be disclosed, except that
the information and records may be transmitted to state employees and
state contractors who have been approved as necessary to receive the
information and records to perform that independent security
assessment, subsequent remediation activity, or monitoring of
remediation activity.
(2) The results of a completed independent security assessment
performed pursuant to subdivision (c), and any related information
shall be subject to all disclosure and confidentiality provisions
pursuant to any state law, including, but not limited to, the
California Public Records Act (Chapter 3.5 (commencing with Section
6250) of Division 7 of Title 1), including, but not limited to,
Section 6254.19.
(g) The office may conduct or require to be conducted an audit of
information security to ensure program compliance, the cost of which
shall be funded by the state agency, department, or office being
audited.
(h) The office shall notify the Office of Emergency Services,
Department of the California Highway Patrol, and the Department of
Justice regarding any criminal or alleged criminal cyber activity
affecting any state entity or critical infrastructure of state
government.
SEC. 2. The Legislature finds and declares that Section 1 of this
act, which amends Section 11549.3 of the Government Code, imposes a
limitation on the public's right of access to the meetings of public
bodies or the writings of public officials and agencies within the
meaning of Section 3 of Article I of the California Constitution.
Pursuant to that constitutional provision, the Legislature makes the
following findings to demonstrate the interest protected by this
limitation and the need for protecting that interest:
The state has a very strong interest in protecting its information
technology systems from intrusion, because those systems contain
confidential information and play a critical role in the performance
of the duties of state government. Thus, information regarding the
specific vulnerabilities of those systems must be protected to
preclude use of that information to facilitate attacks on those
systems.
