California Legislature—2015–16 Regular Session

Assembly Bill No. 670


Introduced by Assembly Member Irwin

February 25, 2015


An act to amend Section 11549.3 of the Government Code, relating to technology.

LEGISLATIVE COUNSEL’S DIGEST

AB 670, as introduced, Irwin. Security assessments.

Existing law establishes the Department of Technology within the Government Operations Agency, headed by the Director of Technology who is also known as the State Chief Information Officer. The department is responsible for the approval and oversight of information technology projects by, among other things, consulting with agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs.

Existing law establishes the Office of Technology Services within the department, under the supervision of the Chief of the Office of Technology Services, and sets forth its duties, including, but not limited to, the authority to conduct or require security assessments of any state agency, as prescribed.

This bill would, instead, require the office to conduct, or require, an assessment of every state agency at least once every 2 years and would require the state agency being audited to pay the costs of the security assessment. The bill would authorize the department to require agencies that are not in compliance to redirect available funding to pay the costs of the assessments. The bill would require the department to adopt standards, to be included within the State Administrative Manual, setting forth the manner for the assessed agency to communicate the assessment results to the department.

This bill would authorize the department and the Governor’s Office of Emergency Services to jointly conduct the strategic direction of risk assessments performed by the Military Department’s Computer Network Defense Team.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Section 11549.3 of the Government Code is amended to read:

11549.3. (a) The director shall establish an information security program. The program responsibilities include, but are not limited to, all of the following:

(1) The creation, updating, and publishing of information security and privacy policies, standards, and procedures for state agencies in the State Administrative Manual.

(2) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies to effectively manage security and risk for both of the following:

(A) Information technology, which includes, but is not limited to, all electronic technology systems and services, automated information handling, system design and analysis, conversion of data, computer programming, information storage and retrieval, telecommunications, requisite system controls, simulation, electronic commerce, and all related interactions between people and machines.

(B) Information that is identified as mission critical, confidential, sensitive, or personal, as defined and published by the Office of Information Security.

(3) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies for the collection, tracking, and reporting of information regarding security and privacy incidents.

(4) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies in the development, maintenance, testing, and filing of each agency’s disaster recovery plan.

(5) Coordination of the activities of agency information security officers, for purposes of integrating statewide security initiatives and ensuring compliance with information security and privacy policies and standards.

(6) Promotion and enhancement of the state agencies’ risk management and privacy programs through education, awareness, collaboration, and consultation.

(7) Representing the state before the federal government, other state agencies, local government entities, and private industry on issues that have statewide impact on information security and privacy.

(b) An information security officer appointed pursuant to Section 11546.1 shall implement the policies and procedures issued by the Office of Information Security, including, but not limited to, performing both of the following duties:

(1) Comply with the information security and privacy policies, standards, and procedures issued pursuant to this chapter by the Office of Information Security.

(2) Comply with filing requirements and incident notification by providing timely information and reports as required by policy or directives of the office.

(c) begin delete (1) Except as provided in paragraph (2), the office may end delete begin insert The office shall end insert conduct, or require to be conducted, begin insert an end insert independent security begin delete assessments end delete begin insert assessment end insert of begin delete any end delete begin insert every end insert state agency, department, or begin delete office, the end delete begin insert office at least once every two years. The end insert cost of begin delete which end delete begin insert the security assessment end insert shall be funded by the state agency, department, or office being assessed. begin insert The assessment shall include, at a minimum, all of the following components, which shall be conducted in compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Controls: end insert

begin insert

(1) A legal, policy, standards, and procedure compliance review.

end insert
begin insert

(2) Vulnerability scanning.

end insert
begin insert

(3) Penetration testing.

end insert
begin delete

(2) The office shall not conduct, or require to be conducted, independent security assessments of the Department of Forestry and Fire Prevention.

(d) The office may require an audit of information security to ensure program compliance, the cost of which shall be funded by the state agency, department, or office being audited.

end delete
begin delete

(e)

end delete

begin insert (d) end insert The office shall report to the Department of Technology any state agency found to be noncompliant with information security program requirements.

begin insert

(e) The Department of Technology may require that any agency in noncompliance with subdivision (c) redirect any funds within the agency’s budget, that may be legally expended for these purposes, for the purposes of paying the costs of compliance with subdivision (c).

end insert
begin insert

(f) The Department of Technology and the Governor’s Office of Emergency Services may jointly conduct the strategic direction of risk assessments performed by the Military Department’s Computer Network Defense Team, as budgeted in Item 8940-001-0001 of the Budget Act of 2014.

end insert
begin insert

(g) The Department of Technology shall adopt standards, to be included within the State Administrative Manual, setting forth the manner for the assessed agency to communicate the assessment results to the department, including, but not limited to, all of the following:

end insert
begin insert

(1) Identification of vulnerabilities.

end insert
begin insert

(2) Prioritization of vulnerabilities.

end insert
begin insert

(3) Identification of relevant internal resources.

end insert
begin insert

(4) Strategy for addressing and mitigating those vulnerabilities.

end insert
