By: Zaffirini S.B. No. 1910

A BILL TO BE ENTITLED
AN ACT
relating to state agency information security plans, information technology employees, and online and mobile applications.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 2054.133(c), Government Code, is amended to read as follows:
    (c) Not later than October 15 of each even-numbered year, each state agency shall submit a copy of the agency's information security plan to the department. Subject to available resources, the department shall select a portion of the submitted security plans to be audited by the department in accordance with department rules.

SECTION 2. Subchapter F, Chapter 2054, Government Code, is amended by adding Section 2054.136 to read as follows:
    Sec. 2054.136. INDEPENDENT INFORMATION SECURITY OFFICER. Each state agency in the executive branch of state government that has on staff a chief information security officer or information security officer shall ensure that within the agency's organizational structure the officer is independent from and not subordinate to the agency's information technology operations.

SECTION 3. Subchapter N-1, Chapter 2054, Government Code, is amended by adding Section 2054.516 to read as follows:
    Sec. 2054.516. DATA SECURITY PLAN FOR ONLINE AND MOBILE APPLICATIONS.
    (a) Each state agency implementing an Internet website or mobile application that processes any personally identifiable or confidential information must:
        (1) submit a data security plan to the department before beta testing the website or application; and
        (2) before deploying the website or application:
            (A) subject the website or application to a vulnerability and penetration test conducted by an independent third party; and
            (B) address any vulnerability identified under Paragraph (A).
    (b) The data security plan required under Subsection (a)(1) must include:
        (1) data flow diagrams to show the location of information in use, in transit, and not in use;
        (2) data storage locations;
        (3) data interaction with online or mobile devices;
        (4) security of data transfer;
        (5) security measures for the online or mobile application; and
        (6) a description of any action taken by the agency to remediate any vulnerability identified by an independent third party under Subsection (a)(2).
    (c) The department shall review each data security plan submitted under Subsection (a) and make any recommendations for changes to the plan to the state agency as soon as practicable after the department reviews the plan.

SECTION 4. As soon as practicable after the effective date of this Act, the Department of Information Resources shall adopt the rules necessary to implement Section 2054.133(c), Government Code, as amended by this Act.

SECTION 5. This Act takes effect September 1, 2017.