Herb Krasner, University of Texas at Austin (ret.), CISQ Advisory Board member
Here is a summary of the cybersecurity legislation that was passed this year that will have an impact on state agencies and institutions of higher education (all from the 85th regular session of the Tx legislature). The Tx Dept. of Information Resources (DIR) and state agency CISO’s will be the primary actors to make these new laws happen. The 2017 cybersecurity legislation (HB 8, except where noted otherwise) includes the following summarized provisions:
- Establishment of legislative select committees for cybersecurity in the House and Senate.
- Establishment of an information sharing and analysis center to provide a forum for state agencies to share information regarding cybersecurity threats, best practices, and remediation strategies.
- Providing mandatory guidelines to state agencies for the continuing education requirements for cybersecurity training that must be completed by all IT employees of the agencies.
- Creating a statewide plan (by DIR) to address cybersecurity risks and incidents in the state.
- DIR will collect the following information from each state agency in order to produce a report due to the Legislature in November of every even numbered year. (SB 532)
– Information on their security program
– Inventory of agency’s servers, mainframe, cloud services, and other technologies
– List of vendors that operate and manage agency’s IT infrastructure - The state cybersecurity coordinator shall establish and lead a cybersecurity council that includes public and private sector leaders and cybersecurity practitioners to collaborate on matters of cybersecurity.
- Establishment of rules for security plans and assessments of Internet websites and mobile applications containing sensitive personal information.
- Requiring the conduct of a study on digital data storage and records management practices.
- Each agency shall prepare a biennial report assessing the extent to which all IT systems are vulnerable to unauthorized access or harm, or electronically stored information is vulnerable to alteration, damage, erasure, or inappropriate use.
- At least once every two years, each state agency shall conduct an information security assessment, and report the results to DIR, the governor, the lieutenant governor, and the speaker of the House of Representatives.
- Required proof that agency executives have been made aware of the risks revealed during the preparation of the agency ’s information security plan.
- Requires state agencies to identify information security issues and develop a plan to prioritize the remediation and mitigation of those issues including legacy modernization and cybersecurity workforce development and retention.
- In the event of a breach or suspected breach of system security or an unauthorized exposure of sensitive information, a state agency must report within 48 hours to their executives and the state CISO. Information arising from an organization’s efforts to prevent, detect, investigate, or mitigate security incidents is defined as confidential. (SB 532)
- Requires creating and defining an Election Cyber Attack Study (by Sec. of State).
- Allowing DIR to request emergency funding if a cybersecurity event creates a need (SB 1910).