Bill Text: TX HB2494 | 2023-2024 | 88th Legislature | Introduced
Bill Title: Relating to information security officers and network threat detection and response for state agencies.
Spectrum: Partisan Bill (Republican 1-0)
Status: (Introduced - Dead) 2023-03-13 - Referred to State Affairs
By: Jetton
H.B. No. 2494

relating to information security officers and network threat
detection and response for state agencies.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 2054.133(b), Government Code, is amended
to read as follows:
(b) In developing the plan, the state agency shall:
(1) consider any vulnerability report prepared under
Section 2054.077 for the agency;
(2) incorporate the network security services
provided by the department to the agency under Chapter 2059;
(3) identify and define the responsibilities of agency
staff who produce, access, use, or serve as custodians of the
agency's information;
(4) identify risk management and other measures taken
to protect the agency's information from unauthorized access,
disclosure, modification, or destruction;
(5) include:
(A) the best practices for information security
developed by the department; or
(B) a written explanation of why the best
practices are not sufficient for the agency's security;
(6) omit from any written copies of the plan
information that could expose vulnerabilities in the agency's
network or online systems; and
(7) consider whether network threat detection and
response solutions, that permit anonymized security reports to be
shared among participating entities in as close to real time as
possible, would enhance the plan and include those solutions as
part of the plan as the agency determines appropriate.
SECTION 2. Section 2054.136, Government Code, is amended to
read as follows:
Sec. 2054.136. DESIGNATED INFORMATION SECURITY OFFICER.
Each state agency shall designate an information security officer
who:
(1) acts independently of the agency in the
performance of the officer's duties under this chapter and reports
to the department on information security issues and to the
agency's executive-level management on other issues;
(2) has authority over information security for the
entire agency;
(3) possesses the training and experience required to
perform the duties required by department rules; and
(4) to the extent feasible, has information security
duties as the officer's primary duties.
SECTION 3. Sections 2054.512(d) and (e), Government Code,
are amended to read as follows:
(d) The cybersecurity council shall:
(1) consider the costs and benefits of establishing a
computer emergency readiness team to address cyber attacks
occurring in this state during routine and emergency situations;
(2) establish criteria and priorities for addressing
cybersecurity threats to critical state installations;
(3) consolidate and synthesize best practices to
assist state agencies in understanding and implementing
cybersecurity measures, including network threat detection and
response solutions, that are most beneficial to this state; and
(4) assess the knowledge, skills, and capabilities of
the existing information technology and cybersecurity workforce to
mitigate and respond to cyber threats and develop recommendations
for addressing immediate workforce deficiencies and ensuring a
long-term pool of qualified applicants.
(e) The cybersecurity council shall provide recommendations
to the legislature on any legislation necessary to implement
cybersecurity best practices and remediation strategies for this
state, including network threat detection and response solutions.
SECTION 4. Section 2054.518(a), Government Code, is amended
to read as follows:
(a) The department shall develop a plan to address
cybersecurity risks and incidents in this state. The department
may enter into an agreement with a national organization, including
the National Cybersecurity Preparedness Consortium, to support the
department's efforts in implementing the components of the plan for
which the department lacks resources to address internally. The
agreement may include provisions for:
(1) providing technical assistance services to
support preparedness for and response to cybersecurity risks and
incidents;
(2) conducting cybersecurity simulation exercises for
state agencies to encourage coordination in defending against and
responding to cybersecurity risks and incidents;
(3) assisting state agencies in developing
cybersecurity information-sharing programs to disseminate
information related to cybersecurity risks and incidents;
(4) incorporating cybersecurity risk and incident
prevention and response methods into existing state emergency
plans, including continuity of operation plans and incident
response plans; and
(5) incorporating network threat detection and
response solutions into state agency cybersecurity plans, that
permit anonymized security reports to be shared among participating
entities in as close to real time as possible, to assist state
agencies with monitoring agency networks for security threats and
responding to detected security threats.
SECTION 5. This Act takes effect September 1, 2023.