Bill Text: TX HB1604 | 2017-2018 | 85th Legislature | Comm Sub


Bill Title: Relating to the requirements for and approval of a state agency's information security plan.

Spectrum: Bipartisan Bill

Status: (Introduced - Dead) 2017-05-05 - Committee report sent to Calendars [HB1604 Detail]

Download: Texas-2017-HB1604-Comm_Sub.html
  85R23797 YDB-D
 
  By: Blanco, Elkins, Capriglione, H.B. No. 1604
      Gonzales of Williamson, Lucio III
 
  Substitute the following for H.B. No. 1604:
 
  By:  Elkins C.S.H.B. No. 1604
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to the requirements for and approval of a state agency's
  information security plan.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Section 2054.133, Government Code, is amended by
  adding Subsections (b-1), (b-2), (b-3), and (b-4) to read as
  follows:
         (b-1)  The executive head and chief information security
  officer of each state agency shall annually review and approve in
  writing the agency's information security plan and strategies for
  addressing the agency's information resources systems that are at
  highest risk for security breaches.  If a state agency does not have
  a chief information security officer, the highest ranking
  information security employee for the agency shall review and
  approve the plan and strategies.  The executive head retains full
  responsibility for the agency's information security and any risks
  to that security.
         (b-2)  Before submitting to the Legislative Budget Board a
  legislative appropriation request for a state fiscal biennium, a
  state agency must file with the board the written approval required
  under Subsection (b-1) for each year of the current state fiscal
  biennium.
         (b-3)  Each state agency shall include in the agency's
  information security plan the actions the agency is taking to
  incorporate into the plan the core functions of "identify, protect,
  detect, respond, and recover" as recommended in the "Framework for
  Improving Critical Infrastructure Cybersecurity" of the United
  States Department of Commerce National Institute of Standards and
  Technology. The agency shall, at a minimum, identify any
  information the agency requires individuals to provide to the
  agency or the agency retains that is not necessary for the agency's
  operations. The agency may incorporate the core functions over a
  period of years.
         (b-4)  A state agency's information security plan must
  include appropriate privacy and security standards that, at a
  minimum, require a vendor who offers cloud computing services or
  other software, applications, online services, or information
  technology solutions to any state agency to demonstrate that data
  provided by the state to the vendor will be maintained in compliance
  with all applicable state and federal laws and rules.
         SECTION 2.  Section 2054.133, Government Code, as amended by
  this Act, applies only to an information security plan submitted on
  or after the effective date of this Act.
         SECTION 3.  This Act takes effect September 1, 2017.
feedback