S.B. No. 1910

AN ACT

relating to state agency information security plans, information technology employees, and online and mobile applications.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Subchapter C, Chapter 2054, Government Code, is amended by adding Sections 2054.0591 and 2054.0592 to read as follows:

Sec. 2054.0591. CYBERSECURITY REPORT.

(a) Not later than November 15 of each even-numbered year, the department shall submit to the governor, the lieutenant governor, the speaker of the house of representatives, and the standing committee of each house of the legislature with primary jurisdiction over state government operations a report identifying preventive and recovery efforts the state can undertake to improve cybersecurity in this state. The report must include:
(1) an assessment of the resources available to address the operational and financial impacts of a cybersecurity event;
(2) a review of existing statutes regarding cybersecurity and information resources technologies;
(3) recommendations for legislative action to increase the state's cybersecurity and protect against adverse impacts from a cybersecurity event;
(4) an evaluation of the costs and benefits of cybersecurity insurance; and
(5) an evaluation of tertiary disaster recovery options.

(b) The department or a recipient of a report under this section may redact or withhold information confidential under Chapter 552, including Section 552.139, or other state or federal law that is contained in the report in response to a request under Chapter 552 without the necessity of requesting a decision from the attorney general under Subchapter G, Chapter 552.

Sec. 2054.0592. CYBERSECURITY EMERGENCY FUNDING.

If a cybersecurity event creates a need for emergency funding, the department may request that the governor or Legislative Budget Board make a proposal under Chapter 317 to provide funding to manage the operational and financial impacts from the cybersecurity event.

SECTION 2. Subchapter F, Chapter 2054, Government Code, is amended by adding Section 2054.1184 to read as follows:

Sec. 2054.1184. ASSESSMENT OF MAJOR INFORMATION RESOURCES PROJECT.

(a) A state agency proposing to spend appropriated funds for a major information resources project must first conduct an execution capability assessment to:
(1) determine the agency's capability for implementing the project;
(2) reduce the agency's financial risk in implementing the project; and
(3) increase the probability of the agency's successful implementation of the project.

(b) A state agency shall submit to the department, the quality assurance team established under Section 2054.158, and the Legislative Budget Board a detailed report that identifies the agency's organizational strengths and any weaknesses that will be addressed before the agency initially spends appropriated funds for a major information resources project.

(c) A state agency may contract with an independent third party to conduct the assessment under Subsection (a) and prepare the report described by Subsection (b).

SECTION 3. Section 2054.133(c), Government Code, is amended to read as follows:

(c) Not later than October 15 of each even-numbered year, each state agency shall submit a copy of the agency's information security plan to the department. Subject to available resources, the department may select a portion of the submitted security plans to be assessed by the department in accordance with department rules.

SECTION 4. Subchapter F, Chapter 2054, Government Code, is amended by adding Section 2054.136 to read as follows:

Sec. 2054.136. DESIGNATED INFORMATION SECURITY OFFICER.

Each state agency shall designate an information security officer who:
(1) reports to the agency's executive-level management;
(2) has authority over information security for the entire agency;
(3) possesses the training and experience required to perform the duties required by department rules; and
(4) to the extent feasible, has information security duties as the officer's primary duties.

SECTION 5. Subchapter N-1, Chapter 2054, Government Code, is amended by adding Sections 2054.516 and 2054.517 to read as follows:

Sec. 2054.516. DATA SECURITY PLAN FOR ONLINE AND MOBILE APPLICATIONS.

(a) Each state agency, other than an institution of higher education subject to Section 2054.517, implementing an Internet website or mobile application that processes any sensitive personally identifiable or confidential information must:
(1) submit a biennial data security plan to the department not later than October 15 of each even-numbered year, to establish planned beta testing for websites or applications; and
(2) subject the website or application to a vulnerability and penetration test and address any vulnerability identified in the test.

(b) The department shall review each data security plan submitted under Subsection (a) and make any recommendations for changes to the plan to the state agency as soon as practicable after the department reviews the plan.

Sec. 2054.517. DATA SECURITY PROCEDURES FOR ONLINE AND MOBILE APPLICATIONS OF INSTITUTIONS OF HIGHER EDUCATION.

(a) Each institution of higher education, as defined by Section 61.003, Education Code, shall adopt and implement a policy for Internet website and mobile application security procedures that complies with this section.

(b) Before deploying an Internet website or mobile application that processes confidential information for an institution of higher education, the developer of the website or application for the institution must submit to the institution's information security officer the information required under policies adopted by the institution to protect the privacy of individuals by preserving the confidentiality of information processed by the website or application. At a minimum, the institution's policies must require the developer to submit information describing:
(1) the architecture of the website or application;
(2) the authentication mechanism for the website or application; and
(3) the administrator-level access to data included in the website or application.

(c) Before deploying an Internet website or mobile application described by Subsection (b), an institution of higher education must subject the website or application to a vulnerability and penetration test conducted internally or by an independent third party.

(d) Each institution of higher education shall submit to the department the policies adopted as required by Subsection (b). The department shall review the policies and make recommendations for appropriate changes.

SECTION 6. As soon as practicable after the effective date of this Act, the Department of Information Resources shall adopt the rules necessary to implement Section 2054.133(c), Government Code, as amended by this Act.

SECTION 7. This Act takes effect September 1, 2017.

______________________________          ______________________________
President of the Senate                 Speaker of the House

I hereby certify that S.B. No. 1910 passed the Senate on May 4, 2017, by the following vote: Yeas 31, Nays 0; and that the Senate concurred in House amendments on May 26, 2017, by the following vote: Yeas 31, Nays 0.

______________________________
Secretary of the Senate

I hereby certify that S.B. No. 1910 passed the House, with amendments, on May 22, 2017, by the following vote: Yeas 144, Nays 0, one present not voting.

______________________________
Chief Clerk of the House

Approved:

______________________________
Date

______________________________
Governor