Assembly BillNo. 670

3

11549.3.  

(a) The director shall establish an information security
4program. The office shall report to the Department of Technology
5any state agency found to be noncompliant with information
6security program requirements. The program responsibilities
7include, but are not limited to, all of the following:

8(1) The creation, updating, and publishing of information
9security and privacy policies, standards, and procedures for state
10agencies in the State Administrative Manual.

11(2) The creation, issuance, and maintenance of policies,
12standards, and procedures directing state agencies to effectively
13manage security and risk for both of the following:

14(A) Information technology, which includes, but is not limited
15to, all electronic technology systems and services, automated
16information handling, system design and analysis, conversion of
17data, computer programming, information storage and retrieval,
18telecommunications, requisite system controls, simulation,
19electronic commerce, and all related interactions between people
20and machines.

P4    1(B) Information that is identified as mission critical, confidential,
2sensitive, or personal, as defined and published by the Office of
3Information Security.

4(3) The creation, issuance, and maintenance of policies,
5standards, and procedures directing state agencies for the collection,
6tracking, and reporting of information regarding security and
7privacy incidents.

8(4) The creation, issuance, and maintenance of policies,
9standards, and procedures directing state agencies in the
10development, maintenance, testing, and filing of each agency’s
11disaster recovery plan.

12(5) Coordination of the activities of agency information security
13officers, for purposes of integrating statewide security initiatives
14and ensuring compliance with information security and privacy
15policies and standards.

16(6) Promotion and enhancement of the state agencies’ risk
17management and privacy programs through education, awareness,
18collaboration, and consultation.

19(7) Representing the state before the federal government, other
20state agencies, local government entities, and private industry on
21issues that have statewide impact on information security and
22privacy.

23(b) An information security officer appointed pursuant to Section
2411546.1 shall implement the policies and procedures issued by the
25Office of Information Security, including, but not limited to,
26performing both of the following duties:

27(1) Comply with the information security and privacy policies,
28standards, and procedures issued pursuant to this chapter by the
29Office of Information Security.

30(2) Comply with filing requirements and incident notification
31by providing timely information and reports as required by policy
32or directives of the office.

33(c) (1) The office shall conduct, or require to be conducted, an
34independent security assessment of every state agency, department,
35or office at least once every two years. The cost of the independent
36security assessment shall be funded by the state agency,
37department, or office being assessed. The independent security
38assessment shall include, to the extent practicable, all of the
39following components and shall be conducted in compliance with
P5    1the National Institute of Standards and Technology (NIST) Special
2Publication (SP) 800-53 Controls:

3(A) Vulnerability scanning, that includes, but is not limited to,
4all of the following:

5(i) Validation that IT systems have currently supported software,
6with all necessary security patches and updates applied.

7(ii) Validation that system security configurations are in
8compliance with NIST standards.

9(iii) Validation that the network architecture is arranged so as
10to separate internal, publicly accessible, and external zones, along
11with a mechanism to identify and alert on attempted intrusions.

12(B) Penetration testing, when determined appropriate by the
13begin delete Officesend deletebegin insert Officeend insert of Emergency Services.

14(C) A report on the number, severity, and nature of identified
15vulnerabilities and recommendations for remediation and risk
16mitigation.

17(2) (A) The Military Department may perform an independent
18security assessment required by paragraph (1).

19(B) The Military Department may mitigate the impact of a cyber
20attack or assist a law enforcement investigation into cyber security
21upon the request of the Office of Emergency Services, a state law
22enforcement agency, or a state agency, department, or office.

23(C) Thebegin delete Miliaryend deletebegin insert Militaryend insert Department may perform a cyber
24security assessment or respond to a cyber security incident
25impacting state infrastructure upon the request of the Office of
26 Emergency Services.

27(d) The Department of Technology may require a state agency,
28department, or office to redirect any funds within its budget that
29may be legally expended for these purposes, to pay the costs of
30becoming compliant with any recommendation made in an
31independent security assessment.

32(e) (1) The office, Military Department, or entity required to
33conduct an independent security assessment pursuant to subdivision
34(c) shall transmit the results of that assessment only to the state
35agency, department, or office that was the subject of that
36assessment.

37(2) The office, Military Department, or entity required to
38conduct an independent security assessment pursuant to subdivision
39(c) shall transmit an aggregate of the results of that assessment to
40the Department of Technology.

P6    1(3) The Department of Technology shall adopt standards, to be
2included within the State Administrative Manual, setting forth the
3requirements for the office, Military Department, or entity required
4to conduct an independent security assessment pursuant to
5subdivision (c) to transmit, pursuant to paragraph (2), the aggregate
6of the results of that assessment to the Department of Technology,
7including, but not limited to, all of the following:

8(A) Aggregated, statistical information relevant to the
9assessment results, including, but not limited to, the number of
10identified vulnerabilities categorized by high, medium, and low
11risk. These results shall not include any specific information
12relative to the nature of the risk that is potentially exploitable.

13(B) Prioritization of vulnerabilities.

14(C) Identification of relevant internal resources.

15(D) Strategy for addressing and mitigating those vulnerabilities.

16(f) (1) Transmission or communication of the results of an
17independent security assessment performed pursuant to subdivision
18(c) and any related information shall be restricted to state
19government employees and state contractors who have been
20approved as necessary to receive this information in order to
21perform that assessment by the office, Military Department, or
22entity required to conduct the independent security assessment.

23(2) The results of an independent security assessment performed
24pursuant to subdivision (c), the aggregate of the results of an
25independent security assessment transmitted to the Department of
26Technology pursuant to subdivision (e), and any related
27informationbegin delete are confidential and shall not be disclosedend deletebegin insert shall be
28subject to all disclosure and confidentiality provisionsend insert pursuant
29to any state law, including, but not limited to, the California Public
30Records Act (Chapter 3.5 (commencing with Section 6250) of
31Division 7 of Titlebegin delete 1).end deletebegin insert 1), including, but not limited to, Section
326254.19.end insert

33(3) Data produced during the creation of an independent security
34assessment performed pursuant to subdivision (c) shall be destroyed
35within one year of its date of creation, unless the Office of
36Emergency Services determines that retention for a longer period
37of time is necessary for state security.