Amended in Senate September 3, 2015

Amended in Senate June 23, 2015

Amended in Senate June 15, 2015

Amended in Assembly April 6, 2015

California Legislature—2015–16 Regular Session

Assembly Bill No. 670


Introduced by Assembly Member Irwin

February 25, 2015


An act to amend Section 11549.3 of the Government Code, relating to technology.

LEGISLATIVE COUNSEL’S DIGEST

AB 670, as amended, Irwin. Information technology security.

(1) Existing law establishes, within the Government Operations Agency, the Department of Technology under the supervision of the Director of Technology, who is also known as the State Chief Information Officer. The department is generally responsible for the approval and oversight of information technology projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs.

Existing law establishes, within the department, the Office of Information Security under the supervision of the Chief of the Office of Information Security. Existing law sets forth the authority of the office, including, but not limited to, the authority to conduct, or require to be conducted, an independent security assessment of any state agency, department, or begin delete office end delete begin insert office, end insert the cost of which is to be funded by the state agency, department, or office being assessed.

begin delete

This bill would, instead, impose a duty on the office to require it to conduct, or require to be conducted, an independent security assessment of every state agency, department, or office at least once every 2 years and would maintain the requirement that the state agency, department, or office being assessed fund the costs of the independent security assessment. This bill would require an independent security assessment to include specific components, to the extent practicable, and authorize the department to require a state agency, department, or office not in compliance with any recommendation made in the independent security assessment to redirect its available and authorized funds to pay the costs of complying with the recommendation.

end delete
begin delete

This bill would require the results of an independent security assessment to be available only to the state agency, department, or office that was assessed. This bill would restrict the transmission or communication of the results of an independent security assessment and any related information to state government employees and state contractors who have been approved as necessary to receive this information in order to perform the assessment. The bill would require the department to adopt standards, to be included within the State Administrative Manual, setting forth the manner for the aggregate of the results of an independent security assessment to be transmitted to the department.

end delete
begin delete

This bill would require the results of an independent security assessment, the aggregate of the results of an independent security assessment transmitted to the department, and any related information to be subject to all disclosure and confidentiality provisions pursuant to any state law, including, but not limited to, the California Public Records Act, including provisions of the act that exclude from the disclosure requirements, certain security records that reveal the vulnerabilities of an information technology system. This bill would require data produced during the creation of an independent security assessment to be destroyed within 1 year of its date of creation, unless the Office of Emergency Services determines that retention for a longer period of time is necessary for state security.

end delete
begin insert

This bill would additionally require the office, in consultation with the Office of Emergency Services, to require no fewer than 35 independent security assessments of state entities each year and determine basic standards of services to be performed as part of an independent security assessment. The bill would require the state agency, department, or office being assessed to fund the costs of its independent security assessment. The bill would require the office and the Office of Emergency Services to receive the complete results of an independent security assessment. This bill would prohibit, during the process of conducting an independent security assessment, the disclosure of information and records concerning the independent security assessment, except that the information and records would be authorized to be transmitted to state employees and state contractors with specific duties relating to the independent security assessment. The bill would require the disclosure of the results of a completed independent security assessment under state law.

end insert
begin insert

This bill would require the office, in consultation with the Office of Emergency Services, to rank state entities on an information security risk index, as specified. The bill would require the office to report to the Department of Technology and the Office of Emergency Services any state entity found noncompliant with information security requirements. The bill would further require the office to notify the Office of Emergency Services, Department of the California Highway Patrol, and the Department of Justice of any criminal or alleged criminal cyber activity affecting any state entity or critical infrastructure of state government. The bill would authorize the office to conduct or require to be conducted an audit of information security to ensure program compliance, the cost of which to be funded by the state agency, department, or office being audited.

end insert

This bill would begin delete also end delete authorize the Military Department to perform an independent security assessment as described above. begin delete This bill would authorize the Military Department to mitigate the impact of a cyber attack or assist a law enforcement investigation into cyber security upon the request of the Office of Emergency Services, a state law enforcement agency, or a state agency, department, or office. This bill would further authorize the Military Department to perform a cyber security assessment or respond to a cyber security incident impacting state infrastructure upon the request of the Office of Emergency Services. end delete

begin insert

This bill would require state entities, as defined, rather than certain information security officers, to comply with policies and procedures issued by the office. The bill would also make technical, nonsubstantive changes.

end insert

(2) Existing law requires that a statute that limits the public’s right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings to demonstrate the interest protected by the limitation and the need for protecting that interest.

This bill would limit access to begin delete the results end delete begin insert information and records end insert of an begin insert ongoing end insert independent security assessment begin delete and related records end delete and would make findings to demonstrate the interest protected by the limitation and the need for protecting that interest.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:


SECTION 1.  

Section 11549.3 of the Government Code is amended to read:


11549.3.  

(a) The begin delete director end delete begin insert chief end insert shall establish an information security program. begin delete The office shall report to the Department of Technology any state agency found to be noncompliant with information security program requirements. end delete The program responsibilities include, but are not limited to, all of the following:

(1) The creation, updating, and publishing of information security and privacy policies, standards, and procedures for state agencies in the State Administrative Manual.

(2) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies to effectively manage security and risk for both of the following:

(A) Information technology, which includes, but is not limited to, all electronic technology systems and services, automated information handling, system design and analysis, conversion of data, computer programming, information storage and retrieval, telecommunications, requisite system controls, simulation, electronic commerce, and all related interactions between people and machines.

(B) Information that is identified as mission critical, confidential, sensitive, or personal, as defined and published by the begin delete Office of Information Security. end delete begin insert office. end insert

(3) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies for the collection, tracking, and reporting of information regarding security and privacy incidents.

(4) The creation, issuance, and maintenance of policies, standards, and procedures directing state agencies in the development, maintenance, testing, and filing of each begin insert state end insert agency’s disaster recovery plan.

(5) Coordination of the activities of begin insert state end insert agency information security officers, for purposes of integrating statewide security initiatives and ensuring compliance with information security and privacy policies and standards.

(6) Promotion and enhancement of the state agencies’ risk management and privacy programs through education, awareness, collaboration, and consultation.

(7) Representing the state before the federal government, other state agencies, local government entities, and private industry on issues that have statewide impact on information security and privacy.

(b) begin delete An information security officer appointed pursuant to end delete begin insert All state entities defined in end insert Section 11546.1 shall implement the policies and procedures issued by the begin delete Office of Information Security, end delete begin insert office, end insert including, but not limited to, performing both of the following duties:

(1) Comply with the information security and privacy policies, standards, and procedures issued pursuant to this chapter by the begin delete Office of Information Security. end delete begin insert office. end insert

(2) Comply with filing requirements and incident notification by providing timely information and reports as required by begin delete policy or directives of end delete the office.

(c) (1) The office begin delete shall end delete begin insert may end insert conduct, or require to be conducted, an independent security assessment of every state agency, department, or office begin delete at least once every two years. end delete begin insert . end insert The cost of the independent security assessment shall be funded by the state agency, department, or office being assessed. begin delete The independent security assessment shall include, to the extent practicable, all of the following components and shall be conducted in compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Controls: end delete

begin delete

(A) Vulnerability scanning, that includes, but is not limited to, all of the following:

(i) Validation that IT systems have currently supported software, with all necessary security patches and updates applied.

(ii) Validation that system security configurations are in compliance with NIST standards.

(iii) Validation that the network architecture is arranged so as to separate internal, publicly accessible, and external zones, along with a mechanism to identify and alert on attempted intrusions.

(B) Penetration testing, when determined appropriate by the Office of Emergency Services.

(C) A report on the number, severity, and nature of identified vulnerabilities and recommendations for remediation and risk mitigation.

(2) (A) The Military Department may perform an independent security assessment required by paragraph (1).

(B) The Military Department may mitigate the impact of a cyber attack or assist a law enforcement investigation into cyber security upon the request of the Office of Emergency Services, a state law enforcement agency, or a state agency, department, or office.

(C) The Military Department may perform a cyber security assessment or respond to a cyber security incident impacting state infrastructure upon the request of the Office of Emergency Services.

(d) The Department of Technology may require a state agency, department, or office to redirect any funds within its budget that may be legally expended for these purposes, to pay the costs of becoming compliant with any recommendation made in an independent security assessment.

(e)

end delete
begin insert

(2) In addition to the independent security assessments authorized by paragraph (1), the office, in consultation with the Office of Emergency Services, shall perform all the following duties:

end insert
begin insert

(A) Annually require no fewer than thirty-five (35) state entities to perform an independent security assessment, the cost of which shall be funded by the state agency, department, or office being assessed.

end insert
begin insert

(B) Determine criteria and rank state entities based on an information security risk index that may include, but not be limited to, analysis of the relative amount of the following factors within state agencies:

end insert
begin insert

(i) Personally identifiable information protected by law.

end insert
begin insert

(ii) Health information protected by law.

end insert
begin insert

(iii) Confidential financial data.

end insert
begin insert

(iv) Self-certification of compliance and indicators of unreported noncompliance with security provisions in the following areas:

end insert
begin insert

(I) Information asset management.

end insert
begin insert

(II) Risk management.

end insert
begin insert

(III) Information security program management.

end insert
begin insert

(IV) Information security incident management.

end insert
begin insert

(V) Technology recovery planning.

end insert
begin insert

(C) Determine the basic standards of services to be performed as part of independent security assessments required by this subdivision.

end insert
begin insert

(3) The Military Department may perform an independent security assessment of any state agency, department, or office, the cost of which shall be funded by the state agency, department, or office being assessed.

end insert

begin insert (d) end insert begin delete (1) end delete begin delete The office, Military Department, or entity end delete begin insert State agencies and entities end insert required to conduct begin insert or receive end insert an independent security assessment pursuant to subdivision (c) shall transmit the begin insert complete end insert results of that assessment begin delete only to the state agency, department, or office that was the subject of that assessment. end delete begin insert and recommendations for mitigating system vulnerabilities, if any, to the office and the Office of Emergency Services. end insert

begin insert

(e) The office shall report to the Department of Technology and the Office of Emergency Services any state entity found to be noncompliant with information security program requirements.

end insert
begin delete

(2) The office, Military Department, or entity required to conduct an independent security assessment pursuant to subdivision (c) shall transmit an aggregate of the results of that assessment to the Department of Technology.

(3) The Department of Technology shall adopt standards, to be included within the State Administrative Manual, setting forth the requirements for the office, Military Department, or entity required to conduct an independent security assessment pursuant to subdivision (c) to transmit, pursuant to paragraph (2), the aggregate of the results of that assessment to the Department of Technology, including, but not limited to, all of the following:

(A) Aggregated, statistical information relevant to the assessment results, including, but not limited to, the number of identified vulnerabilities categorized by high, medium, and low risk. These results shall not include any specific information relative to the nature of the risk that is potentially exploitable.

(B) Prioritization of vulnerabilities.

(C) Identification of relevant internal resources.

(D) Strategy for addressing and mitigating those vulnerabilities.

end delete

(f) (1) begin delete Transmission or communication of the results of an independent security assessment performed pursuant to subdivision (c) and any related information shall be restricted to end delete begin insert Notwithstanding any other law, during the process of conducting an independent security assessment pursuant to subdivision (c), information and records concerning the independent security assessment are confidential and shall not be disclosed, except that the information and records may be transmitted to end insert state begin delete government end delete employees and state contractors who have been approved as necessary to receive begin delete this end delete begin insert the end insert information begin delete in order end delete begin insert and records end insert to perform that begin insert independent security end insert assessment begin delete by the office, Military Department, or entity required to conduct the independent security assessment. end delete begin insert , subsequent remediation activity, or monitoring of remediation activity. end insert

(2) The results of begin delete an end delete begin insert a completed end insert independent security assessment performed pursuant to subdivision (c), begin delete the aggregate of the results of an independent security assessment transmitted to the Department of Technology pursuant to subdivision (e), end delete and any related information shall be subject to all disclosure and confidentiality provisions pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1), including, but not limited to, Section 6254.19.

begin delete

(3) Data produced during the creation of an independent security assessment performed pursuant to subdivision (c) shall be destroyed within one year of its date of creation, unless the Office of Emergency Services determines that retention for a longer period of time is necessary for state security.

end delete
begin insert

(g) The office may conduct or require to be conducted an audit of information security to ensure program compliance, the cost of which shall be funded by the state agency, department, or office being audited.

end insert
begin insert

(h) The office shall notify the Office of Emergency Services, Department of the California Highway Patrol, and the Department of Justice regarding any criminal or alleged criminal cyber activity affecting any state entity or critical infrastructure of state government.

end insert

SEC. 2.  

The Legislature finds and declares that Section 1 of this act, which amends Section 11549.3 of the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:

The state has a very strong interest in protecting its information technology systems from intrusion, because those systems contain confidential information and play a critical role in the performance of the duties of state government. Thus, information regarding the specific vulnerabilities of those systems must be protected to preclude use of that information to facilitate attacks on those systems.


