88R12618 CXP-D

By: Lujan H.B. No. 3217

A BILL TO BE ENTITLED

AN ACT

relating to a biennial audit by the Department of Information Resources of state agency information technology infrastructure.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. The heading to Section 2054.068, Government Code, is amended to read as follows:

Sec. 2054.068. INFORMATION TECHNOLOGY INFRASTRUCTURE AUDIT AND REPORT.

SECTION 2. Sections 2054.068(b), (c), (d), and (e), Government Code, are amended to read as follows:

(b) The department shall conduct a biennial audit of [collect from each state agency information on] the status and condition of each state [the] agency's information technology infrastructure, including a review of [information regarding]:

(1) the agency's:
(A) information security program, including any information technology security measures used by the agency;
(B) hardware, including [(2)] an inventory of the agency's servers, mainframes, cloud services, and other information technology equipment;
(C) [(3) identification of] vendors that operate and manage the agency's information technology infrastructure;
(D) software and licenses, including:
(i) purchase date and cost;
(ii) license length;
(iii) date of last use; and
(iv) the purpose of the software or license;
(E) information technology governance policies;
(F) cloud services;
(G) vendor-managed services;
(H) support services and the cost of those services;
(I) network systems;
(J) digital data storage systems and security measures;
(K) future information technology projects; and
(L) information technology needs;
(2) any information technology issues reported by the public; and
(3) [(4)] any additional related issue [information requested by] the department considers necessary.

(c) A state agency shall provide to the department:
(1) [the] information related to the subjects described [required] by Subsection (b) [to the department] according to a schedule determined by the department; and
(2) access to the state agency's information technology infrastructure.

(d) Not later than December 1 [November 15] of each even-numbered year, the department shall submit to the governor, chair of the house appropriations committee, chair of the senate finance committee, speaker of the house of representatives, lieutenant governor, and staff of the Legislative Budget Board a consolidated report on the audits conducted [of the information submitted by state agencies] under Subsection (b).

(e) The consolidated report required by Subsection (d) must include:
(1) [include] an analysis and assessment of each state agency's security and operational risks; [and]
(2) for a state agency found to be at higher security and operational risks, [include] a detailed analysis of agency efforts to address the risks and related vulnerabilities;
(3) the information submitted by state agencies under Subsection (c);
(4) the department's recommendations relating to the state agency's information technology infrastructure; and
(5) a ranking of each state agency based on the efficacy and ease of use of the agency's information technology infrastructure.

SECTION 3. This Act takes effect September 1, 2023.