| 1 | 1 | | By: Zaffirini S.B. No. 1597 |
|---|
| 2 | 2 | | (Smithee) |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | A BILL TO BE ENTITLED |
|---|
| 6 | 6 | | AN ACT |
|---|
| 7 | 7 | | relating to the development of state agency information security |
|---|
| 8 | 8 | | plans. |
|---|
| 9 | 9 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 10 | 10 | | SECTION 1. Subchapter F, Chapter 2054, Government Code, is |
|---|
| 11 | 11 | | amended by adding Section 2054.133 to read as follows: |
|---|
| 12 | 12 | | Sec. 2054.133. INFORMATION SECURITY PLAN. (a) Each state |
|---|
| 13 | 13 | | agency shall develop, and periodically update, an information |
|---|
| 14 | 14 | | security plan for protecting the security of the agency's |
|---|
| 15 | 15 | | information. |
|---|
| 16 | 16 | | (b) In developing the plan, the state agency shall: |
|---|
| 17 | 17 | | (1) consider any vulnerability report prepared under |
|---|
| 18 | 18 | | Section 2054.077 for the agency; |
|---|
| 19 | 19 | | (2) incorporate the network security services |
|---|
| 20 | 20 | | provided by the department to the agency under Chapter 2059; |
|---|
| 21 | 21 | | (3) identify and define the responsibilities of agency |
|---|
| 22 | 22 | | staff who produce, access, use, or serve as custodians of the |
|---|
| 23 | 23 | | agency's information; |
|---|
| 24 | 24 | | (4) identify risk management and other measures taken |
|---|
| 25 | 25 | | to protect the agency's information from unauthorized access, |
|---|
| 26 | 26 | | disclosure, modification, or destruction; |
|---|
| 27 | 27 | | (5) include: |
|---|
| 28 | 28 | | (A) the best practices for information security |
|---|
| 29 | 29 | | developed by the department; or |
|---|
| 30 | 30 | | (B) a written explanation of why the best |
|---|
| 31 | 31 | | practices are not sufficient for the agency's security; and |
|---|
| 32 | 32 | | (6) omit from any written copies of the plan |
|---|
| 33 | 33 | | information that could expose vulnerabilities in the agency's |
|---|
| 34 | 34 | | network or online systems. |
|---|
| 35 | 35 | | (c) Not later than October 15 of each even-numbered year, |
|---|
| 36 | 36 | | each state agency shall submit a copy of the agency's information |
|---|
| 37 | 37 | | security plan to the department. |
|---|
| 38 | 38 | | (d) Each state agency's information security plan is |
|---|
| 39 | 39 | | confidential and exempt from disclosure under Chapter 552. |
|---|
| 40 | 40 | | SECTION 2. Not later than October 15, 2014, each state |
|---|
| 41 | 41 | | agency shall develop and submit the information security plan |
|---|
| 42 | 42 | | required by Section 2054.133, Government Code, as added by this |
|---|
| 43 | 43 | | Act. |
|---|
| 44 | 44 | | SECTION 3. This Act takes effect September 1, 2013. |
|---|