BILL ANALYSIS
AB 670
Page 1
CONCURRENCE IN SENATE AMENDMENTS
AB 670 (Irwin)
As Amended September 3, 2015
Majority vote
--------------------------------------------------------------------
|ASSEMBLY: |79-0 |(June 2, 2015) |SENATE: |39-0 |(September 8, 2015) |
--------------------------------------------------------------------
Original Committee Reference: P. & C.P.
SUMMARY: Requires the Department of Technology (Department) to
conduct, or require to be conducted, no fewer than 35
independent security assessments of state agencies, departments
or offices annually. Specifically, this bill:
1) Authorizes the California Information Security Office (ISO)
within the Department to conduct, or require to be conducted,
an independent security assessment of every state agency,
department, or office.
2) Requires the cost of an independent security assessment to be
funded by the state agency, department, or office being
assessed.
3) Requires ISO, in consultation with the Office of Emergency
Services (OES), to perform all the following duties:
a) Annually require no fewer than 35 state entities to
perform an independent security assessment, the cost of
which shall be funded by the state agency, department, or
office being assessed.
b) Determine criteria and rank state entities based on an
information security risk index that may include, but not
be limited to, consideration of the following factors:
i) Personally identifiable information protected by
law.
ii) Health information protected by law.
iii) Confidential financial data.
iv) Self-certification of compliance and indicators of
unreported noncompliance with security provisions related
to information asset management, risk management,
information security program management, information
security incident management and technology recovery
planning.
c) Determine the basic standards of services to be
performed as part of an independent security assessment.
4) Authorizes the Military Department to perform an independent
security assessment of any state agency, department, or
office, the cost of which shall be funded by the state agency,
department, or office being assessed.
5) Requires state agencies and entities required to conduct or
receive an independent security assessment to transmit the
complete results of that assessment and recommendations for
mitigating system vulnerabilities, if any, to ISO and OES.
6) Requires ISO to report to the Department and OES any state
entity found to be noncompliant with information security
program requirements.
7) Specifies, notwithstanding any other law, that during the
process of conducting an independent security assessment,
information and records concerning the assessment are
confidential and shall not be disclosed, except to approved
state employees and state contractors.
8) Declares the results of a completed independent security
assessment and any related information to be subject to all
disclosure and confidentiality provisions under state law,
including the California Public Records Act.
9) Requires the Department to notify OES, the California Highway
Patrol, and the Department of Justice regarding any criminal
or alleged criminal cyber activity affecting any state entity
or critical infrastructure of state government.
10) Deletes a pre-existing exemption from independent security
assessments for the Department of Forestry and Fire
Prevention.
11) Makes findings and declarations relative to the necessity of
imposing a limitation on the public's right of access to the
meetings of public bodies or the writings of public officials
and agencies, namely that the state has a very strong interest
in protecting its information systems from intrusion, because
those systems contain confidential information and play a
critical role in the performance of the duties of state
government.
The Senate amendments generally revise and recast the provisions
of this bill, requiring that no fewer than 35 state entities
every year be required to perform an independent security
assessment, setting broad criteria for the assessment, and
clarifying the provisions for transmission and disclosure of
assessment results.
FISCAL EFFECT: According to the Senate Appropriations
Committee:
1) [the Department] would incur costs of approximately $2 million
in 2016-17, and ongoing costs of approximately $1.9 million
for 12 Personnel Years of staff to conduct security
assessments. Staff estimates that ISO would have additional
costs in the hundreds of thousands annually for travel and
other associated charges. (Technology Services Revolving
Fund)
2) Further, ongoing, potentially significant cost pressures for
state entities to make necessary Information Technology
improvements to address vulnerabilities identified through
security assessments. However, these improvements would
decrease the likelihood that agencies would experience a
future data breach, thereby avoiding related costs in future
years. (General Fund and/or Special Funds)
3) Finally, estimated [Department] costs in the range of
$100,000 to $150,000 to develop and adopt standards for the
ISO, Military Department, or entity conducting a security
assessment to follow when conducting those assessments and
reporting results. These costs include necessary updates to
the State Administrative Manual. (Technology Services
Revolving Fund)
COMMENTS: This bill is intended to increase the security of
California state computer networks by requiring the ISO within
the Department of Technology to conduct a security assessment of
the information technology systems of at least 35 state
agencies, departments and offices under its jurisdiction every
year.
According to the author, the State Administrative Manual
currently requires state government entities to conduct security
assessments every two years, but there is no mechanism of
enforcement and less than one-third of state agencies,
departments, or offices have conducted or received an assessment
to date. These preventative assessments are a vital tool in
combating the increasingly sophisticated cyber-attacks because
they reveal vulnerabilities, demonstrate the extent of potential
exploitation, and provide recommendations for remediation and
risk mitigation.
According to the California Military Department, California's
size and prominence make it vulnerable to cyber incidents that
disrupt business, shut down critical infrastructure, and
compromise intellectual property or national security. A
targeted attack on critical infrastructure and key resources
could cause up to $1 billion of economic impact to
California each day until services are restored. According to
the author's office, there are a total of 384 state entities
subject to the ISO (which excludes some constitutional offices).
It is not known how many attacks, whether successful or
unsuccessful, have been made against state agency computers over
the past year.
Under current law, ISO is authorized to conduct independent
security assessments of any state agency, department or office,
but is not required to do so. It is not known how many security
assessments were conducted by ISO in the past year. According
to the author's office, a security assessment will generally
cost a public entity between $10,000 and $40,000 to complete,
depending on its size and sophistication. The assessment
usually takes 1-2 days, with the assessed entity receiving a
written report on findings within 2-3 weeks.
An August 2015 report released by the California State Auditor
entitled "High Risk Update - Information Security" describes a
litany of shortcomings in state entities' compliance with the
information security requirements of the State Administrative
Manual, including widespread misreporting of compliance
self-certification. The Auditor found that the Department
"failed to take sufficient action to ensure that reporting
entities address these deficiencies." The report's primary
legislative recommendation is to mandate the performance of an
independent security assessment for each entity at least every
two years.
Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200
FN: 0002224