Amended in Assembly April 6, 2015

California Legislature—2015–16 Regular Session

Assembly Bill No. 670


Introduced by Assembly Member Irwin

February 25, 2015


An act to amend Section 11549.3 of the Government Code, relating to technology.

LEGISLATIVE COUNSEL’S DIGEST

AB 670, as amended, Irwin. Security assessments.

Existing law establishes the Department of Technology within the Government Operations Agency, headed by the Director of Technology who is also known as the State Chief Information Officer. The department is responsible for the approval and oversight of information technology projects by, among other things, consulting with agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs.

Existing law establishes the Office of Technology Services within the department, under the supervision of the Chief of the Office of Technology Services, and sets forth its duties, including, but not limited to, the authority to conduct or require a security [deleted: assessments] [inserted: assessment] of any state agency, as prescribed.

This bill would, instead, require the office to conduct, or require, an assessment of every state agency at least once every 2 years and would require the state agency being audited to pay the costs of the security assessment. The bill would authorize the department to require agencies that are not in compliance to redirect available funding to pay the costs of the assessments. The bill would require the department to adopt standards, to be included within the State Administrative Manual, setting forth the manner for the assessed agency to communicate the assessment results to the department.

This bill would authorize [deleted: the department and] the Governor’s Office of Emergency Services to [deleted: jointly] conduct the strategic direction of [deleted: risk] [inserted: security] assessments performed by the Military Department’s Computer Network Defense Team [inserted: , and would require those assessments to contain certain elements].

[inserted: Existing law requires that a statute that limits the public’s right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings to demonstrate the interest protected by the limitation and the need for protecting that interest.]

[inserted: This bill would limit access to security assessment results, and would make findings to demonstrate the interest protected by the limitation and the need for protecting that interest.]

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Section 11549.3 of the Government Code is amended to read:

11549.3. (a) The director shall establish an information security program. The program responsibilities include, but are not limited to, all of the following:

(1) The creation, updating, and publishing of information security and privacy policies, standards, and procedures for state agencies in the State Administrative Manual.

(2) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies to effectively manage security and risk for both of the following:

(A) Information technology, which includes, but is not limited to, all electronic technology systems and services, automated information handling, system design and analysis, conversion of data, computer programming, information storage and retrieval, telecommunications, requisite system controls, simulation, electronic commerce, and all related interactions between people and machines.

(B) Information that is identified as mission critical, confidential, sensitive, or personal, as defined and published by the Office of Information Security.

(3) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies for the collection, tracking, and reporting of information regarding security and privacy incidents.

(4) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies in the development, maintenance, testing, and filing of each agency’s disaster recovery plan.

(5) Coordination of the activities of agency information security officers, for purposes of integrating statewide security initiatives and ensuring compliance with information security and privacy policies and standards.

(6) Promotion and enhancement of the state agencies’ risk management and privacy programs through education, awareness, collaboration, and consultation.

(7) Representing the state before the federal government, other state agencies, local government entities, and private industry on issues that have statewide impact on information security and privacy.

(b) An information security officer appointed pursuant to Section 11546.1 shall implement the policies and procedures issued by the Office of Information Security, including, but not limited to, performing both of the following duties:

(1) Comply with the information security and privacy policies, standards, and procedures issued pursuant to this chapter by the Office of Information Security.

(2) Comply with filing requirements and incident notification by providing timely information and reports as required by policy or directives of the office.

(c) The office shall conduct, or require to be conducted, an independent security assessment of every state agency, department, or office at least once every two years. The cost of the security assessment shall be funded by the state agency, department, or office being assessed. [inserted: The assessment results shall be made available only to the assessed entity.] The assessment shall include, [deleted: at a minimum,] [inserted: to the extent practicable,] all of the following components, which shall be conducted in compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Controls:

[deleted: (1) A legal, policy, standards, and procedure compliance review.]

[deleted: (2)] [inserted: (1)] Vulnerability [deleted: scanning.] [inserted: scanning, that includes, but is not limited to, all of the following:]

[inserted: (A) Validation that IT systems have currently supported software, with all necessary security patches and updates applied.]

[inserted: (B) Validation that system security configurations are in compliance with NIST standards.]

[inserted: (C) Validation that the network architecture is arranged so as to separate internal, publicly accessible, and external zones, along with a mechanism to identify and alert on attempted intrusions.]
[deleted: (3)] [inserted: (2)] Penetration [deleted: testing.] [inserted: testing, when determined appropriate by the Governor’s Office of Emergency Services.]

[inserted: (3) A report on the number, severity, and nature of identified vulnerabilities and recommendations for remediation and risk mitigation.]

(d) The office shall report to the Department of Technology any state agency found to be noncompliant with information security program requirements.

(e) The Department of Technology may require that any agency in noncompliance with subdivision (c) redirect any funds within the agency’s budget, that may be legally expended for these purposes, for the purposes of paying the costs of compliance with subdivision (c).

(f) The [deleted: Department of Technology and the] Governor’s Office of Emergency Services may [deleted: jointly] conduct the strategic direction of [deleted: risk] [inserted: security] assessments performed by the Military Department’s Computer Network Defense Team, as budgeted in Item 8940-001-0001 of the Budget Act of 2014. [inserted: Each assessment shall include all of the following:]

[inserted: (1) Contracting and negotiations with state agencies, departments, and offices, or private entities to be assessed.]

[inserted: (2) Setting an assessment calendar to be followed by the CND-T.]

[inserted: (3) Prioritizing of incident response.]

(g) The Department of Technology shall adopt standards, to be included within the State Administrative Manual, setting forth the manner for the assessed agency to communicate the assessment results to the department, including, but not limited to, all of the following:

[deleted: (1) Identification of vulnerabilities.]

[inserted: (1) Aggregated, statistical information relevant to the assessment results, including, but not limited to, the number of identified vulnerabilities categorized by high, medium, and low risk. These results shall not include any specific information relative to the nature of the risk that is potentially exploitable.]

(2) Prioritization of vulnerabilities.

(3) Identification of relevant internal resources.

(4) Strategy for addressing and mitigating those vulnerabilities.

[inserted: (h) Communication of assessment results shall be restricted to only approved government employees and validated contractors. Assessment results and related aggregated reports shall be confidential and, pursuant to Section 6254.19, shall be exempt from disclosure under the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).]
[inserted: (i) Data produced by assessments shall be retained by all parties for no longer than one year, unless the Governor’s Office of Emergency Services determines that retention for a longer period is necessary.]
[inserted: SEC. 2. The Legislature finds and declares that Section 1 of this act, which amends Section 11549.3 of the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:]
[inserted: The state has a very strong interest in protecting its information technology systems from intrusion, because those systems play a critical role in assisting the entities of state government in carrying out their duties. Thus, information regarding the specific vulnerabilities of those systems should be protected at least until those vulnerabilities have been remediated so as to preclude use of that information to facilitate attacks on those systems.]
