Illinois 2025-2026 Regular Session

Illinois Senate Bill SB1542 Latest Draft

Bill / Introduced Version Filed 02/04/2025

104TH GENERAL ASSEMBLY
State of Illinois
2025 and 2026
SB1542
Introduced 2/4/2025, by Sen. Ram Villivalam

SYNOPSIS AS INTRODUCED:

20 ILCS 1370/1-5
20 ILCS 1370/1-10
20 ILCS 1370/1-15
20 ILCS 1370/1-25
20 ILCS 1370/1-75 rep.
20 ILCS 1375/5-5
20 ILCS 1375/5-15
20 ILCS 1375/5-25
20 ILCS 1375/5-35 new

Amends the Department of Innovation and Technology Act. Repeals the definition of "client agency" and makes changes in the definitions of "dedicated unit", "State agency", and "transferring agency". Replaces references to "transferring agency" with references to "transferred agency". Makes changes in provisions concerning the powers and duties of the Department of Innovation and Technology, including changes in the scope of services provided by the Department and in the classes of persons to whom those services are to be provided. Authorizes the Department to charge fees for service to all State agencies under the jurisdiction of the Governor (rather than only client agencies). Repeals from the Department of Innovation and Technology Act and adds to the Illinois Information Security Improvement Act a provision requiring the principal executive officer of specified units of local government to designate a local official or employee as the primary point of contact for local cybersecurity issues. Requires the name and contact information for the specified individual to be provided to the Statewide Chief Information Security Officer. Further amends the Illinois Information Security Improvement Act. Makes changes concerning the duties of the Office of the Statewide Chief Information Security Officer and the Secretary of Innovation and Technology. Changes the definition of "State agency".

LRB104 09812 BDA 19879 b

A BILL FOR
1  AN ACT concerning State government.
2  Be it enacted by the People of the State of Illinois,
3  represented in the General Assembly:
4  Section 5. The Department of Innovation and Technology Act
5  is amended by changing Sections 1-5, 1-10, 1-15, and 1-25 as
6  follows:
7  (20 ILCS 1370/1-5)
8  Sec. 1-5. Definitions. In this Act:
9  "Client agency" means each transferring agency, or its
10  successor, and any other public agency to which the Department
11  provides service to the extent specified in an interagency
12  agreement with the public agency.
13  "Dedicated unit" means the dedicated bureau, division,
14  office, or other unit within a transferred transferring agency
15  that is responsible for the information technology functions
16  of the transferred transferring agency.
17  "Department" means the Department of Innovation and
18  Technology.
19  "Information technology" means technology,
20  infrastructure, equipment, systems, software, networks, and
21  processes used to create, send, receive, and store electronic
22  or digital information, including, without limitation,
23  computer systems and telecommunication services and systems.
1  "Information technology" shall be construed broadly to
2  incorporate future technologies that change or supplant those
3  in effect as of the effective date of this Act.
4  "Information technology functions" means the development,
5  procurement, installation, retention, maintenance, operation,
6  possession, storage, and related functions of all information
7  technology.
8  "Secretary" means the Secretary of Innovation and
9  Technology.
10  "State agency" means each State agency, department, board,
11  and commission under the jurisdiction of the Governor to which
12  the Department provides services.
13  "Transferred Transferring agency" means the Department on
14  Aging; the Departments of Agriculture, Central Management
15  Services, Children and Family Services, Commerce and Economic
16  Opportunity, Corrections, Employment Security, Financial and
17  Professional Regulation, Healthcare and Family Services, Human
18  Rights, Human Services, Insurance, Juvenile Justice, Labor,
19  Lottery, Military Affairs, Natural Resources, Public Health,
20  Revenue, Transportation, and Veterans' Affairs; the Illinois
21  State Police; the Capital Development Board; the Deaf and Hard
22  of Hearing Commission; the Environmental Protection Agency;
23  the Governor's Office of Management and Budget; the
24  Guardianship and Advocacy Commission; the Abraham Lincoln
25  Presidential Library and Museum; the Illinois Arts Council;
26  the Illinois Council on Developmental Disabilities; the
1  Illinois Emergency Management Agency; the Illinois Gaming
2  Board; the Illinois Liquor Control Commission; the Office of
3  the State Fire Marshal; the Prisoner Review Board; and the
4  Department of Early Childhood.
5  (Source: P.A. 102-376, eff. 1-1-22; 102-538, eff. 8-20-21;
6  102-813, eff. 5-13-22; 102-870, eff. 1-1-23; 103-588, eff.
7  6-5-24.)
8  (20 ILCS 1370/1-10)
9  Sec. 1-10. Transfer of functions. On and after March 25,
10  2016 (the effective date of Executive Order 2016-001):
11  (a) (Blank).
12  (b) (Blank).
13  (c) The personnel of each transferred transferring agency
14  designated by the Governor are transferred to the Department.
15  The status and rights of the employees and the State of
16  Illinois or its transferred transferring agencies under the
17  Personnel Code, the Illinois Public Labor Relations Act, and
18  applicable collective bargaining agreements or under any
19  pension, retirement, or annuity plan shall not be affected by
20  this Act. Under the direction of the Governor, the Secretary,
21  in consultation with the transferred transferring agencies and
22  labor organizations representing the affected employees, shall
23  identify each position and employee who is engaged in the
24  performance of functions transferred to the Department, or
25  engaged in the administration of a law the administration of
1  which is transferred to the Department, to be transferred to
2  the Department. An employee engaged primarily in providing
3  administrative support for information technology functions
4  may be considered engaged in the performance of functions
5  transferred to the Department.
6  (d) All books, records, papers, documents, property (real
7  and personal), contracts, causes of action, and pending
8  business pertaining to the powers, duties, rights, and
9  responsibilities relating to dedicated units and information
10  technology functions transferred under this Act to the
11  Department, including, but not limited to, material in
12  electronic or magnetic format and necessary computer hardware
13  and software, shall be transferred to the Department.
14  (e) All unexpended appropriations and balances and other
15  funds available for use relating to dedicated units and
16  information technology functions transferred under this Act
17  shall be transferred for use by the Department at the
18  direction of the Governor. Unexpended balances so transferred
19  shall be expended only for the purpose for which the
20  appropriations were originally made.
21  (f) The powers, duties, rights, and responsibilities
22  relating to dedicated units and information technology
23  functions transferred by this Act shall be vested in and shall
24  be exercised by the Department.
25  (g) Whenever reports or notices are now required to be
26  made or given or papers or documents furnished or served by any
1  person to or upon each dedicated unit in connection with any of
2  the powers, duties, rights, and responsibilities relating to
3  information technology functions transferred by this Act, the
4  same shall be made, given, furnished, or served in the same
5  manner to or upon the Department.
6  (h) This Act does not affect any act done, ratified, or
7  canceled or any right occurring or established or any action
8  or proceeding had or commenced in an administrative, civil, or
9  criminal cause by each dedicated unit relating to information
10  technology functions before the transfer of responsibilities
11  under this Act; such actions or proceedings may be prosecuted
12  and continued by the Department.
13  (i) (Blank).
14  (j) (Blank).
15  (Source: P.A. 102-376, eff. 1-1-22.)
16  (20 ILCS 1370/1-15)
17  Sec. 1-15. Powers and duties.
18  (a) The head officer of the Department is the Secretary,
19  who shall be the chief information officer for the State and
20  the steward of State data with respect to those transferred
21  agencies under the jurisdiction of the Governor. The Secretary
22  shall be appointed by the Governor, with the advice and
23  consent of the Senate. The Department may employ or retain
24  other persons to assist in the discharge of its functions,
25  subject to the Personnel Code.
1  (b) The Department shall promote best-in-class innovation
2  and technology to transferred client agencies to foster
3  collaboration among client agencies, empower client agencies
4  to provide better service to residents of Illinois, and
5  maximize the value of taxpayer resources. The Department shall
6  be responsible for information technology functions on behalf
7  of transferred client agencies.
8  (c) When requested and when in the best interest of the
9  State, the The Department may shall provide for and assist
10  with coordinate information technology for non-transferred
11  State agencies, and, when requested and when in the best
12  interests of the State, for State constitutional offices,
13  units of federal or local governments, and public and
14  not-for-profit institutions of primary, secondary, and higher
15  education, or other parties not associated with State
16  government. The Department shall establish charges for
17  information technology for State agencies, and, when
18  requested, for State constitutional offices, units of federal
19  or local government, and public and not-for-profit
20  institutions of primary, secondary, or higher education and
21  for use by other parties not associated with State government
22  for any services requested or provided. Entities charged for
23  these services shall make payment to the Department. The
24  Department may instruct all State agencies to report their
25  usage of information technology regularly to the Department in
26  the manner the Secretary may prescribe.
1  (d) The Department shall establish principles develop and
2  implement standards for the protection of , policies, and
3  procedures to protect the security and interoperability of
4  State data with respect to State those agencies under the
5  jurisdiction of the Governor, including in particular data
6  that are confidential, sensitive, or protected from disclosure
7  by privacy or other laws, while recognizing and balancing the
8  need for collaboration and public transparency.
9  (e) The Department shall be responsible for providing the
10  Governor with timely, comprehensive, and meaningful
11  information pertinent to the formulation and execution of
12  fiscal policy. In performing this responsibility, the
13  Department shall have the power to do the following:
14  (1) Control the procurement, retention, installation,
15  maintenance, and operation, as specified by the
16  Department, of information technology equipment used by
17  State client agencies in such a manner as to achieve
18  maximum economy and provide appropriate assistance in the
19  development of information suitable for management
20  analysis.
21  (2) Establish principles and standards for the
22  implementation of information technology-related
23  reporting by State client agencies and priorities for
24  completion of research by those agencies in accordance
25  with the requirements for management analysis specified by
26  the Department. State agencies shall work with the
1  Department to follow the principles and standards
2  developed by the Department.
3  (3) Establish charges for information technology and
4  related services requested by transferred client agencies
5  and rendered by the Department. The Department is likewise
6  empowered to establish prices or charges for all
7  information technology reports purchased by State agencies
8  and governmental entities individuals not connected with
9  State government using the Department's services.
10  (4) Instruct all State client agencies to report
11  regularly to the Department, in the manner the Department
12  may prescribe, their usage of information technology, the
13  cost incurred, the information produced, and the
14  procedures followed in obtaining the information. All
15  State client agencies shall request from the Department
16  assistance and consultation in securing any necessary
17  information technology to support their requirements.
18  (5) Examine the accounts and information
19  technology-related data of any organization, body, or
20  agency receiving appropriations from the General Assembly,
21  except for a State constitutional office, the Office of
22  the Executive Inspector General, or any office of the
23  legislative or judicial branches of State government. For
24  a State constitutional office, the Office of the Executive
25  Inspector General, or any office of the legislative or
26  judicial branches of State government, the Department
1  shall have the power to examine the accounts and
2  information technology-related data of the State
3  constitutional office, the Office of the Executive
4  Inspector General, or any office of the legislative or
5  judicial branches of State government when requested by
6  those offices.
7  (6) Install and operate a modern information
8  technology system for State agencies using equipment
9  adequate to satisfy the requirements for analysis and
10  review as specified by the Department. Expenditures for
11  information technology and related services rendered shall
12  be reimbursed by the recipients. The reimbursement shall
13  be determined by the Department as amounts sufficient to
14  reimburse the Technology Management Revolving Fund for
15  expenditures incurred in rendering the services.
16  (f) In addition to the other powers and duties listed in
17  subsection (e), the Department shall analyze the present and
18  future aims, needs, and requirements of information
19  technology, research, and planning for State agencies in order
20  to provide for the formulation of overall policy relative to
21  the use of information technology and related equipment by the
22  State of Illinois. In making this analysis, the Department
23  shall formulate a master plan for information technology,
24  using information technology most advantageously, and advising
25  whether information technology should be leased or purchased
26  by the State. The Department shall prepare and submit interim
1  reports of meaningful developments and proposals for
2  legislation to the Governor on or before January 30 each year.
3  The Department shall engage in a continuing analysis and
4  evaluation of the master plan so developed, and it shall be the
5  responsibility of the Department to recommend from time to
6  time any needed amendments and modifications of any master
7  plan enacted by the General Assembly.
8  (g) The Department may make information technology and the
9  use of information technology available to units of local
10  government, elected State officials, State educational
11  institutions, the judicial branch, the legislative branch, and
12  all other governmental units of the State requesting them. The
13  Department shall establish prices and charges for the
14  information technology so furnished and for the use of the
15  information technology. The prices and charges shall be
16  sufficient to reimburse the cost of furnishing the services
17  and use of information technology.
18  (h) The Department may establish principles and standards
19  to provide consistency in the operation and use of information
20  technology by State agencies. State agencies shall work with
21  the Department to follow the principles and standards
22  developed by the Department.
23  (i) The Department may adopt rules under the Illinois
24  Administrative Procedure Act necessary to carry out its
25  responsibilities under this Act.
26  (Source: P.A. 102-376, eff. 1-1-22.)
1  (20 ILCS 1370/1-25)
2  Sec. 1-25. Charges for services; non-State funding. The
3  Department may establish charges for services rendered by the
4  Department to State client agencies from funds provided
5  directly to the State client agency by appropriation or
6  otherwise. In establishing charges, the Department shall
7  consult with State client agencies to make charges transparent
8  and clear and seek to minimize or avoid charges for costs for
9  which the Department has other funding sources available.
10  State Client agencies shall continue to apply for and
11  otherwise seek federal funds and other capital and operational
12  resources for technology for which the agencies are eligible
13  and, subject to compliance with applicable laws, regulations,
14  and grant terms, make those funds available for use by the
15  Department.
16  (Source: P.A. 102-870, eff. 1-1-23.)
17  (20 ILCS 1370/1-75 rep.)
18  Section 10. The Department of Innovation and Technology
19  Act is amended by repealing Section 1-75.
20  Section 15. The Illinois Information Security Improvement
21  Act is amended by changing Sections 5-5, 5-15, and 5-25 and by
22  adding Section 5-35 as follows:
1  (20 ILCS 1375/5-5)
2  Sec. 5-5. Definitions. As used in this Act:
3  "Critical information system" means any information system
4  (including any telecommunications system) used or operated by
5  a State agency or by a contractor of a State agency or other
6  organization or entity on behalf of a State agency: that
7  contains health insurance information, medical information, or
8  personal information as defined in the Personal Information
9  Protection Act; where the unauthorized disclosure,
10  modification, destruction of information in the information
11  system could be expected to have a serious, severe, or
12  catastrophic adverse effect on State agency operations,
13  assets, or individuals; or where the disruption of access to
14  or use of the information or information system could be
15  expected to have a serious, severe, or catastrophic adverse
16  effect on State operations, assets, or individuals.
17  "Department" means the Department of Innovation and
18  Technology.
19  "Information security" means protecting information and
20  information systems from unauthorized access, use, disclosure,
21  disruption, modification, or destruction in order to provide:
22  integrity, which means guarding against improper information
23  modification or destruction, and includes ensuring information
24  non-repudiation and authenticity; confidentiality, which means
25  preserving authorized restrictions on access and disclosure,
26  including means for protecting personal privacy and
1  proprietary information; and availability, which means
2  ensuring timely and reliable access to and use of information.
3  "Incident" means an occurrence that: actually or
4  imminently jeopardizes, without lawful authority, the
5  confidentiality, integrity, or availability of information or
6  an information system; or constitutes a violation or imminent
7  threat of violation of law, security policies, security
8  procedures, or acceptable use policies or standard security
9  practices.
10  "Information system" means a discrete set of information
11  resources organized for the collection, processing,
12  maintenance, use, sharing, dissemination, or disposition of
13  information created or maintained by or for the State of
14  Illinois.
15  "Office" means the Office of the Statewide Chief
16  Information Security Officer.
17  "Secretary" means the Secretary of Innovation and
18  Technology.
19  "Security controls" means the management, operational, and
20  technical controls (including safeguards and countermeasures)
21  for an information system that protect the confidentiality,
22  integrity, and availability of the system and its information.
23  "State agency" means any State agency, department, board,
24  and commission under the jurisdiction of the Governor to which
25  the Department provides services.
26  (Source: P.A. 100-611, eff. 7-20-18.)
1  (20 ILCS 1375/5-15)
2  Sec. 5-15. Office of the Statewide Chief Information
3  Security Officer.
4  (a) The Office of the Statewide Chief Information Security
5  Officer is established within the Department of Innovation and
6  Technology. The Office is directly subordinate to the
7  Secretary of Innovation and Technology.
8  (b) The Office shall:
9  (1) serve as the strategic planning, facilitation, and
10  coordination office for information technology security in
11  this State and as the lead and central coordinating entity
12  to guide and oversee the information security functions of
13  State agencies;
14  (2) provide information security services to support
15  the secure delivery of State agency services that utilize
16  information systems and to assist State agencies with
17  fulfilling their responsibilities under this Act;
18  (3) conduct information and cybersecurity strategic,
19  operational, and resource planning and facilitating an
20  effective enterprise information security architecture
21  capable of protecting the State;
22  (4) identify information security risks to each State
23  agency, to third-party providers, and to key supply chain
24  partners, including an assessment of the extent to which
25  information resources or processes are vulnerable to
1  unauthorized access or harm, including the extent to which
2  the State agency's or contractor's electronically stored
3  information is vulnerable to unauthorized access, use,
4  disclosure, disruption, modification, or destruction, and
5  recommend risk mitigation strategies, methods, and
6  procedures to reduce those risks. These assessments shall
7  also include, but not be limited to, assessments of
8  information systems, computers, printers, software,
9  computer networks, interfaces to computer systems, mobile
10  and peripheral device sensors, and other devices or
11  systems which access the State's network, computer
12  software, and information processing or operational
13  procedures of the State agency or of a contractor of the
14  State agency.
15  (5) manage the response to information security and
16  information security incidents involving State agency
17  State of Illinois information systems and ensure the
18  completeness of information system security plans for
19  critical information systems;
20  (6) conduct pre-deployment information security
21  assessments for critical information systems and submit
22  findings and recommendations to the Secretary and State
23  agency heads;
24  (7) develop and conduct targeted operational
25  evaluations, including threat and vulnerability
26  assessments on State agency information systems;
1  (8) monitor and report compliance of each State
2  agency's compliance agency with State information security
3  policies, standards, and procedures;
4  (9) coordinate statewide information security
5  awareness and training programs; and
6  (10) develop and execute other strategies as necessary
7  to protect State agency's this State's information
8  technology infrastructure and the data stored on or
9  transmitted by such infrastructure.
10  (c) The Office may temporarily suspend operation of an
11  information system or information technology infrastructure
12  that is owned, leased, outsourced, or shared by one or more
13  State agencies in order to isolate the source of, or stop the
14  spread of, an information security breach or other similar
15  information security incident. State agencies shall comply
16  with directives to temporarily discontinue or suspend
17  operations of information systems or information technology
18  infrastructure.
19  (Source: P.A. 100-611, eff. 7-20-18.)
20  (20 ILCS 1375/5-25)
21  Sec. 5-25. Responsibilities.
22  (a) The Secretary shall:
23  (1) appoint a Statewide Chief Information Security
24  Officer pursuant to Section 5-20;
25  (2) provide the Office with the staffing and resources
1  deemed necessary by the Secretary to fulfill the
2  responsibilities of the Office;
3  (3) oversee statewide information security policies
4  and practices for State agencies, including:
5  (A) directing and overseeing the development,
6  implementation, and communication of statewide
7  information security policies, standards, and
8  guidelines;
9  (B) overseeing the education of State agency
10  personnel regarding the requirement to identify and
11  provide information security protections commensurate
12  with the risk and magnitude of the harm resulting from
13  the unauthorized access, use, disclosure, disruption,
14  modification, or destruction of information in a
15  critical information system;
16  (C) overseeing the development and implementation
17  of a statewide information security risk management
18  program;
19  (D) overseeing State agency compliance with the
20  requirements of this Section;
21  (E) coordinating Information Security policies and
22  practices with related information and personnel
23  resources management policies and procedures; and
24  (F) providing an effective and efficient process
25  to assist State agencies with complying with the
26  requirements of this Act; and
1  (4) subject to appropriation, establish a
2  cybersecurity liaison program to advise and assist units
3  of local government in identifying cyber threats,
4  performing risk assessments, sharing best practices, and
5  responding to cyber incidents.
6  (b) The Statewide Chief Information Security Officer
7  shall:
8  (1) serve as the head of the Office and ensure the
9  execution of the responsibilities of the Office as set
10  forth in subsection (c) of Section 5-15, the Statewide
11  Chief Information Security Officer shall also oversee
12  State agency personnel with significant responsibilities
13  for information security and ensure a competent workforce
14  that keeps pace with the changing information security
15  environment;
16  (2) develop and recommend information security
17  policies, standards, procedures, and guidelines to the
18  Secretary for statewide adoption and monitor compliance
19  with these policies, standards, guidelines, and procedures
20  through periodic testing;
21  (3) develop and maintain risk-based, cost-effective
22  information security programs and control techniques to
23  address all applicable security and compliance
24  requirements throughout the life cycle of State agency
25  information systems;
26  (4) establish the procedures, processes, and
1  technologies for State agencies to rapidly and effectively
2  identify threats, risks, and vulnerabilities to State
3  information systems, and ensure the prioritization of the
4  remediation of vulnerabilities that pose risk to the
5  State;
6  (5) develop and implement capabilities and procedures
7  for detecting, reporting, and responding to information
8  security incidents;
9  (6) establish and direct a statewide information
10  security risk management program to identify information
11  security risks in State agencies and deploy risk
12  mitigation strategies, processes, and procedures;
13  (7) establish the State's capability to sufficiently
14  protect the security of data through effective information
15  system security planning, secure system development,
16  acquisition, and deployment, the application of protective
17  technologies and information system certification,
18  accreditation, and assessments;
19  (8) ensure that State agency personnel, including
20  contractors, are appropriately screened and receive
21  information security awareness training;
22  (9) convene meetings with State agency heads and other
23  State officials to help ensure:
24  (A) the ongoing communication of risk and risk
25  reduction strategies,
26  (B) effective implementation of information
1  security policies and practices, and
2  (C) the incorporation of and compliance with
3  information security policies, standards, and
4  guidelines into the policies and procedures of the
5  State agencies;
6  (10) provide operational and technical assistance to
7  State agencies in implementing policies, principles,
8  standards, and guidelines on information security,
9  including implementation of standards promulgated under
10  subparagraph (A) of paragraph (3) of subsection (a) of
11  this Section, and provide assistance and effective and
12  efficient means for State agencies to comply with the
13  State agency requirements under this Act;
14  (11) in coordination and consultation with the
15  Secretary and the Governor's Office of Management and
16  Budget, review State agency budget requests related to
17  Information Security systems and provide recommendations
18  to the Governor's Office of Management and Budget;
19  (12) ensure the preparation and maintenance of plans
20  and procedures to provide cyber resilience and continuity
21  of operations for critical information systems that
22  support the operations of the State; and
23  (13) take such other actions as the Secretary may
24  direct.
25  (Source: P.A. 101-81, eff. 7-12-19; 102-753, eff. 1-1-23.)