Bill Text: TX HB1604 | 2017-2018 | 85th Legislature | Comm Sub
Bill Title: Relating to the requirements for and approval of a state agency's information security plan.
Spectrum: Bipartisan Bill
Status: (Introduced - Dead) 2017-05-05 - Committee report sent to Calendars [HB1604 Detail]
Download: Texas-2017-HB1604-Comm_Sub.html
| 85R23797 YDB-D | |||
| By: Blanco, Elkins, Capriglione, | H.B. No. 1604 | ||
| Gonzales of Williamson, Lucio III | |||
| Substitute the following for H.B. No. 1604: | |||
| By: Elkins | C.S.H.B. No. 1604 | ||
|
|
||
|
|
||
| relating to the requirements for and approval of a state agency's | ||
| information security plan. | ||
| BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
| SECTION 1. Section 2054.133, Government Code, is amended by | ||
| adding Subsections (b-1), (b-2), (b-3), and (b-4) to read as | ||
| follows: | ||
| (b-1) The executive head and chief information security | ||
| officer of each state agency shall annually review and approve in | ||
| writing the agency's information security plan and strategies for | ||
| addressing the agency's information resources systems that are at | ||
| highest risk for security breaches. If a state agency does not have | ||
| a chief information security officer, the highest ranking | ||
| information security employee for the agency shall review and | ||
| approve the plan and strategies. The executive head retains full | ||
| responsibility for the agency's information security and any risks | ||
| to that security. | ||
| (b-2) Before submitting to the Legislative Budget Board a | ||
| legislative appropriation request for a state fiscal biennium, a | ||
| state agency must file with the board the written approval required | ||
| under Subsection (b-1) for each year of the current state fiscal | ||
| biennium. | ||
| (b-3) Each state agency shall include in the agency's | ||
| information security plan the actions the agency is taking to | ||
| incorporate into the plan the core functions of "identify, protect, | ||
| detect, respond, and recover" as recommended in the "Framework for | ||
| Improving Critical Infrastructure Cybersecurity" of the United | ||
| States Department of Commerce National Institute of Standards and | ||
| Technology. The agency shall, at a minimum, identify any | ||
| information the agency requires individuals to provide to the | ||
| agency or the agency retains that is not necessary for the agency's | ||
| operations. The agency may incorporate the core functions over a | ||
| period of years. | ||
| (b-4) A state agency's information security plan must | ||
| include appropriate privacy and security standards that, at a | ||
| minimum, require a vendor who offers cloud computing services or | ||
| other software, applications, online services, or information | ||
| technology solutions to any state agency to demonstrate that data | ||
| provided by the state to the vendor will be maintained in compliance | ||
| with all applicable state and federal laws and rules. | ||
| SECTION 2. Section 2054.133, Government Code, as amended by | ||
| this Act, applies only to an information security plan submitted on | ||
| or after the effective date of this Act. | ||
| SECTION 3. This Act takes effect September 1, 2017. | ||
