Bill Text: TX SB535 | 2023-2024 | 88th Legislature | Introduced
Bill Title: Relating to state agency information technology infrastructure and information security assessments.
Spectrum: Partisan Bill (Republican 1-0)
Status: (Introduced - Dead) 2023-02-17 - Referred to Business & Commerce
88R6276 YDB-D
By: Paxton | S.B. No. 535
relating to state agency information technology infrastructure and
information security assessments.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. The heading to Section 2054.068, Government
Code, is amended to read as follows:
Sec. 2054.068. STATE AGENCY INFORMATION TECHNOLOGY
INFRASTRUCTURE: INFORMATION SECURITY RATING; AUDIT; REPORT.
SECTION 2. Section 2054.068, Government Code, is amended by
amending Subsections (b), (c), and (d) and adding Subsections
(c-1), (c-2), (c-3), (c-4), (e-1), (e-2), and (e-3) to read as
follows:
(b) The department shall collect from each state agency
information on the status and condition of the agency's information
technology infrastructure, including [
(1) information on the agency's information security
program;
(2) an inventory of the agency's servers, mainframes,
cloud services, and other information technology equipment;
(3) identification information for [
operate and manage the agency's information technology
infrastructure; [
(4) the information security assessment required by
Section 2054.515; and
(5) any additional related information requested by
the department.
(c) A state agency shall provide the information required by
Subsection (b) to the department not later than August 31 of each
even-numbered year [
(c-1) The department shall assign to each state agency that
is not required to participate in a statewide technology center
established under Subchapter L one of the following information
security ratings based on the agency's information security risk
profile:
(1) above average;
(2) average; or
(3) below average.
(c-2) In assigning an information security rating to a state
agency under Subsection (c-1), the department shall consider:
(1) the information the agency provides under
Subsection (b);
(2) the agency's comprehensive information security
risk position relative to the agency's risk environment; and
(3) any additional document or information the
department requests from the agency.
(c-3) The department:
(1) shall develop options and make recommendations for
improvements in the information security maturity of any state
agency assigned an information security risk rating of below
average under Subsection (c-1); and
(2) may assist any state agency in determining whether
additional security measures would increase the agency's
information security maturity.
(c-4) The department may audit the information security and
technology of any state agency assigned an information security
risk rating under Subsection (c-1) or contract with a vendor to
perform the audit. The department shall make available on request
by any person listed in Subsection (d) the results of an audit
conducted under this subsection.
(d) Not later than November 15 of each even-numbered year,
the department shall submit to the governor, chair of the house
appropriations committee, chair of the senate finance committee,
speaker of the house of representatives, lieutenant governor, and
staff of the Legislative Budget Board:
(1) a consolidated report of the information submitted
by state agencies under Subsection (b); and
(2) any department recommendations relevant to and
necessary for improving this state's information technology
infrastructure and information security.
(e-1) The department shall compile a summary of the
consolidated report required under Subsection (d) and make the
summary available to the public. The summary may not disclose any
confidential information.
(e-2) The consolidated report required under Subsection (d)
and all information a state submits to substantiate or otherwise
related to the report are confidential and not subject to
disclosure under Chapter 552. The agency or department may redact
or withhold information as confidential under Chapter 552 without
requesting a decision from the attorney general under Subchapter G,
Chapter 552.
(e-3) Following review of the consolidated report, the
Joint Oversight Committee on Investment in Information Technology
Improvement and Modernization Projects established under Section
2054.578 may recommend that the legislature, through a concurrent
resolution approved by a majority of the members of each house of
the legislature, direct the department to select for participation
in a statewide technology center established under Subchapter L any
state agency assigned an information security rating under
Subsection (c-1). The department shall notify each selected state
agency of the agency's selection as required by Section 2054.385.
The department is not required to conduct the cost and requirements
analysis under Section 2054.384 for a state agency selected for
participation under this subsection. This subsection expires
September 1, 2027.
SECTION 3. The heading to Section 2054.515, Government
Code, is amended to read as follows:
Sec. 2054.515. STATE AGENCY INFORMATION SECURITY
ASSESSMENT [
SECTION 4. Sections 2054.515(a), (c), and (d), Government
Code, are amended to read as follows:
(a) At least once every two years, each state agency shall
conduct an information security assessment of the agency's[
[
digital data storage systems, digital data security measures, and
information resources vulnerabilities[
[
(c) Each state agency shall complete the information
security assessment in consultation with the [
the vendor the department selects and submit the assessment to the
department in accordance with Section 2054.068(b) [
(d) All [
information security assessment is [
and not subject to disclosure under Chapter 552. The state agency
or department may redact or withhold the information as
confidential under Chapter 552 without requesting a decision from
the attorney general under Subchapter G, Chapter 552.
SECTION 5. The following provisions are repealed:
(1) Section 2054.068(f), Government Code; and
(2) Section 2054.515(b), Government Code, as amended
by Chapters 567 (S.B. 475) and 856 (S.B. 800), Acts of the 87th
Legislature, Regular Session, 2021.
SECTION 6. This Act takes effect September 1, 2023.