Bill Text: TX SB1910 | 2017-2018 | 85th Legislature | Engrossed
Bill Title: Relating to state agency information security plans, information technology employees, and online and mobile applications.
Spectrum: Bipartisan Bill
Status: (Passed) 2017-06-15 - Effective on 9/1/17 [SB1910 Detail]
Download: Texas-2017-SB1910-Engrossed.html
By: Zaffirini
S.B. No. 1910

relating to state agency information security plans, information technology employees, and online and mobile applications.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 2054.133(c), Government Code, is amended to read as follows:

(c) Not later than October 15 of each even-numbered year, each state agency shall submit a copy of the agency's information security plan to the department. Subject to available resources, the department shall select a portion of the submitted security plans to be audited by the department in accordance with department rules.

SECTION 2. Subchapter F, Chapter 2054, Government Code, is amended by adding Section 2054.136 to read as follows:

Sec. 2054.136. INDEPENDENT INFORMATION SECURITY OFFICER. Each state agency in the executive branch of state government that has on staff a chief information security officer or information security officer shall ensure that within the agency's organizational structure the officer is independent from and not subordinate to the agency's information technology operations.

SECTION 3. Subchapter N-1, Chapter 2054, Government Code, is amended by adding Section 2054.516 to read as follows:

Sec. 2054.516. DATA SECURITY PLAN FOR ONLINE AND MOBILE APPLICATIONS. (a) Each state agency implementing an Internet website or mobile application that processes any personally identifiable or confidential information must:

(1) submit a data security plan to the department before beta testing the website or application; and

(2) before deploying the website or application:

(A) subject the website or application to a vulnerability and penetration test conducted by an independent third party; and

(B) address any vulnerability identified under Paragraph (A).

(b) The data security plan required under Subsection (a)(1) must include:

(1) data flow diagrams to show the location of information in use, in transit, and not in use;

(2) data storage locations;

(3) data interaction with online or mobile devices;

(4) security of data transfer;

(5) security measures for the online or mobile application; and

(6) a description of any action taken by the agency to remediate any vulnerability identified by an independent third party under Subsection (a)(2).

(c) The department shall review each data security plan submitted under Subsection (a) and make any recommendations for changes to the plan to the state agency as soon as practicable after the department reviews the plan.

SECTION 4. As soon as practicable after the effective date of this Act, the Department of Information Resources shall adopt the rules necessary to implement Section 2054.133(c), Government Code, as amended by this Act.

SECTION 5. This Act takes effect September 1, 2017.