| 8 | | - | SECTION 1. Subchapter C, Chapter 2054, Government Code, is |
|---|
| 9 | | - | amended by adding Sections 2054.0591 and 2054.0592 to read as |
|---|
| 10 | | - | follows: |
|---|
| 11 | | - | Sec. 2054.0591. CYBERSECURITY REPORT. (a) Not later than |
|---|
| 12 | | - | November 15 of each even-numbered year, the department shall submit |
|---|
| 13 | | - | to the governor, the lieutenant governor, the speaker of the house |
|---|
| 14 | | - | of representatives, and the standing committee of each house of the |
|---|
| 15 | | - | legislature with primary jurisdiction over state government |
|---|
| 16 | | - | operations a report identifying preventive and recovery efforts the |
|---|
| 17 | | - | state can undertake to improve cybersecurity in this state. The |
|---|
| 18 | | - | report must include: |
|---|
| 19 | | - | (1) an assessment of the resources available to |
|---|
| 20 | | - | address the operational and financial impacts of a cybersecurity |
|---|
| 21 | | - | event; |
|---|
| 22 | | - | (2) a review of existing statutes regarding |
|---|
| 23 | | - | cybersecurity and information resources technologies; |
|---|
| 24 | | - | (3) recommendations for legislative action to |
|---|
| 25 | | - | increase the state's cybersecurity and protect against adverse |
|---|
| 26 | | - | impacts from a cybersecurity event; |
|---|
| 27 | | - | (4) an evaluation of the costs and benefits of |
|---|
| 28 | | - | cybersecurity insurance; and |
|---|
| 29 | | - | (5) an evaluation of tertiary disaster recovery |
|---|
| 30 | | - | options. |
|---|
| 31 | | - | (b) The department or a recipient of a report under this |
|---|
| 32 | | - | section may redact or withhold information confidential under |
|---|
| 33 | | - | Chapter 552, including Section 552.139, or other state or federal |
|---|
| 34 | | - | law that is contained in the report in response to a request under |
|---|
| 35 | | - | Chapter 552 without the necessity of requesting a decision from the |
|---|
| 36 | | - | attorney general under Subchapter G, Chapter 552. |
|---|
| 37 | | - | Sec. 2054.0592. CYBERSECURITY EMERGENCY FUNDING. If a |
|---|
| 38 | | - | cybersecurity event creates a need for emergency funding, the |
|---|
| 39 | | - | department may request that the governor or Legislative Budget |
|---|
| 40 | | - | Board make a proposal under Chapter 317 to provide funding to manage |
|---|
| 41 | | - | the operational and financial impacts from the cybersecurity event. |
|---|
| 42 | | - | SECTION 2. Subchapter F, Chapter 2054, Government Code, is |
|---|
| 43 | | - | amended by adding Section 2054.1184 to read as follows: |
|---|
| 44 | | - | Sec. 2054.1184. ASSESSMENT OF MAJOR INFORMATION RESOURCES |
|---|
| 45 | | - | PROJECT. (a) A state agency proposing to spend appropriated funds |
|---|
| 46 | | - | for a major information resources project must first conduct an |
|---|
| 47 | | - | execution capability assessment to: |
|---|
| 48 | | - | (1) determine the agency's capability for implementing |
|---|
| 49 | | - | the project; |
|---|
| 50 | | - | (2) reduce the agency's financial risk in implementing |
|---|
| 51 | | - | the project; and |
|---|
| 52 | | - | (3) increase the probability of the agency's |
|---|
| 53 | | - | successful implementation of the project. |
|---|
| 54 | | - | (b) A state agency shall submit to the department, the |
|---|
| 55 | | - | quality assurance team established under Section 2054.158, and the |
|---|
| 56 | | - | Legislative Budget Board a detailed report that identifies the |
|---|
| 57 | | - | agency's organizational strengths and any weaknesses that will be |
|---|
| 58 | | - | addressed before the agency initially spends appropriated funds for |
|---|
| 59 | | - | a major information resources project. |
|---|
| 60 | | - | (c) A state agency may contract with an independent third |
|---|
| 61 | | - | party to conduct the assessment under Subsection (a) and prepare |
|---|
| 62 | | - | the report described by Subsection (b). |
|---|
| 63 | | - | SECTION 3. Section 2054.133(c), Government Code, is amended |
|---|
| 10 | + | SECTION 1. Section 2054.133(c), Government Code, is amended |
|---|
| 73 | | - | Sec. 2054.136. DESIGNATED INFORMATION SECURITY OFFICER. |
|---|
| 74 | | - | Each state agency shall designate an information security officer |
|---|
| 75 | | - | who: |
|---|
| 76 | | - | (1) reports to the agency's executive-level |
|---|
| 77 | | - | management; |
|---|
| 78 | | - | (2) has authority over information security for the |
|---|
| 79 | | - | entire agency; |
|---|
| 80 | | - | (3) possesses the training and experience required to |
|---|
| 81 | | - | perform the duties required by department rules; and |
|---|
| 82 | | - | (4) to the extent feasible, has information security |
|---|
| 83 | | - | duties as the officer's primary duties. |
|---|
| 84 | | - | SECTION 5. Subchapter N-1, Chapter 2054, Government Code, |
|---|
| 85 | | - | is amended by adding Sections 2054.516 and 2054.517 to read as |
|---|
| 86 | | - | follows: |
|---|
| 20 | + | Sec. 2054.136. INDEPENDENT INFORMATION SECURITY OFFICER. |
|---|
| 21 | + | Each state agency in the executive branch of state government that |
|---|
| 22 | + | has on staff a chief information security officer or information |
|---|
| 23 | + | security officer shall ensure that within the agency's |
|---|
| 24 | + | organizational structure the officer is independent from and not |
|---|
| 25 | + | subordinate to the agency's information technology operations. |
|---|
| 26 | + | SECTION 3. Subchapter N-1, Chapter 2054, Government Code, |
|---|
| 27 | + | is amended by adding Section 2054.516 to read as follows: |
|---|
| 88 | | - | APPLICATIONS. (a) Each state agency, other than an institution of |
|---|
| 89 | | - | higher education subject to Section 2054.517, implementing an |
|---|
| 90 | | - | Internet website or mobile application that processes any sensitive |
|---|
| 91 | | - | personally identifiable or confidential information must: |
|---|
| 92 | | - | (1) submit a biennial data security plan to the |
|---|
| 93 | | - | department not later than October 15 of each even-numbered year, to |
|---|
| 94 | | - | establish planned beta testing for websites or applications; and |
|---|
| 95 | | - | (2) subject the website or application to a |
|---|
| 96 | | - | vulnerability and penetration test and address any vulnerability |
|---|
| 97 | | - | identified in the test. |
|---|
| 98 | | - | (b) The department shall review each data security plan |
|---|
| 29 | + | APPLICATIONS. (a) Each state agency implementing an Internet |
|---|
| 30 | + | website or mobile application that processes any personally |
|---|
| 31 | + | identifiable or confidential information must: |
|---|
| 32 | + | (1) submit a data security plan to the department |
|---|
| 33 | + | before beta testing the website or application; and |
|---|
| 34 | + | (2) before deploying the website or application: |
|---|
| 35 | + | (A) subject the website or application to a |
|---|
| 36 | + | vulnerability and penetration test conducted by an independent |
|---|
| 37 | + | third party; and |
|---|
| 38 | + | (B) address any vulnerability identified under |
|---|
| 39 | + | Paragraph (A). |
|---|
| 40 | + | (b) The data security plan required under Subsection (a)(1) |
|---|
| 41 | + | must include: |
|---|
| 42 | + | (1) data flow diagrams to show the location of |
|---|
| 43 | + | information in use, in transit, and not in use; |
|---|
| 44 | + | (2) data storage locations; |
|---|
| 45 | + | (3) data interaction with online or mobile devices; |
|---|
| 46 | + | (4) security of data transfer; |
|---|
| 47 | + | (5) security measures for the online or mobile |
|---|
| 48 | + | application; and |
|---|
| 49 | + | (6) a description of any action taken by the agency to |
|---|
| 50 | + | remediate any vulnerability identified by an independent third |
|---|
| 51 | + | party under Subsection (a)(2). |
|---|
| 52 | + | (c) The department shall review each data security plan |
|---|
| 102 | | - | Sec. 2054.517. DATA SECURITY PROCEDURES FOR ONLINE AND |
|---|
| 103 | | - | MOBILE APPLICATIONS OF INSTITUTIONS OF HIGHER EDUCATION. (a) Each |
|---|
| 104 | | - | institution of higher education, as defined by Section 61.003, |
|---|
| 105 | | - | Education Code, shall adopt and implement a policy for Internet |
|---|
| 106 | | - | website and mobile application security procedures that complies |
|---|
| 107 | | - | with this section. |
|---|
| 108 | | - | (b) Before deploying an Internet website or mobile |
|---|
| 109 | | - | application that processes confidential information for an |
|---|
| 110 | | - | institution of higher education, the developer of the website or |
|---|
| 111 | | - | application for the institution must submit to the institution's |
|---|
| 112 | | - | information security officer the information required under |
|---|
| 113 | | - | policies adopted by the institution to protect the privacy of |
|---|
| 114 | | - | individuals by preserving the confidentiality of information |
|---|
| 115 | | - | processed by the website or application. At a minimum, the |
|---|
| 116 | | - | institution's policies must require the developer to submit |
|---|
| 117 | | - | information describing: |
|---|
| 118 | | - | (1) the architecture of the website or application; |
|---|
| 119 | | - | (2) the authentication mechanism for the website or |
|---|
| 120 | | - | application; and |
|---|
| 121 | | - | (3) the administrator-level access to data included in |
|---|
| 122 | | - | the website or application. |
|---|
| 123 | | - | (c) Before deploying an Internet website or mobile |
|---|
| 124 | | - | application described by Subsection (b), an institution of higher |
|---|
| 125 | | - | education must subject the website or application to a |
|---|
| 126 | | - | vulnerability and penetration test conducted internally or by an |
|---|
| 127 | | - | independent third party. |
|---|
| 128 | | - | (d) Each institution of higher education shall submit to the |
|---|
| 129 | | - | department the policies adopted as required by Subsection (b). The |
|---|
| 130 | | - | department shall review the policies and make recommendations for |
|---|
| 131 | | - | appropriate changes. |
|---|
| 132 | | - | SECTION 6. As soon as practicable after the effective date |
|---|
| 56 | + | SECTION 4. As soon as practicable after the effective date |
|---|
| 136 | | - | SECTION 7. This Act takes effect September 1, 2017. |
|---|
| 137 | | - | ______________________________ ______________________________ |
|---|
| 138 | | - | President of the Senate Speaker of the House |
|---|
| 139 | | - | I hereby certify that S.B. No. 1910 passed the Senate on |
|---|
| 140 | | - | May 4, 2017, by the following vote: Yeas 31, Nays 0; and that the |
|---|
| 141 | | - | Senate concurred in House amendments on May 26, 2017, by the |
|---|
| 142 | | - | following vote: Yeas 31, Nays 0. |
|---|
| 143 | | - | ______________________________ |
|---|
| 144 | | - | Secretary of the Senate |
|---|
| 145 | | - | I hereby certify that S.B. No. 1910 passed the House, with |
|---|
| 146 | | - | amendments, on May 22, 2017, by the following vote: Yeas 144, |
|---|
| 147 | | - | Nays 0, one present not voting. |
|---|
| 148 | | - | ______________________________ |
|---|
| 149 | | - | Chief Clerk of the House |
|---|
| 150 | | - | Approved: |
|---|
| 151 | | - | ______________________________ |
|---|
| 152 | | - | Date |
|---|
| 153 | | - | ______________________________ |
|---|
| 154 | | - | Governor |
|---|
| 60 | + | SECTION 5. This Act takes effect September 1, 2017. |
|---|