BILL ANALYSIS                                                                                                                                                                                                    



          SENATE COMMITTEE ON APPROPRIATIONS
                             Senator Ricardo Lara, Chair
                            2015 - 2016  Regular  Session

          AB 2623 (Gordon) - State information security costs:  annual  
          report
          
          Version: April 28, 2016          Policy Vote: G.O. 13 - 0
          Urgency: No                      Mandate: No
          Hearing Date: August 1, 2016     Consultant: Mark McKenzie


          This bill does not meet the criteria for referral to the  
          Suspense File.



          Bill Summary:  AB 2623 would require state entities to annually  
          report specified information on actual and projected information  
          security expenditures to the Department of Technology (CDT), as  
          specified.


          Fiscal Impact:  
           Minor and absorbable CDT costs to develop reporting criteria.   
            (General Fund)

           Likely absorbable costs for individual state agencies to  
            segregate information security costs from overall information  
            technology (IT) expenditures and annually report to CDT.  
            (General Fund / various special funds)


          Background:  Existing law provides that the CDT is generally responsible  
          for the approval and oversight of state IT projects.  The Office  
          of Information Security (OIS) within the CDT is responsible for  
          ensuring the confidentiality and integrity of state data  
          systems, and establishing policies, standards, and procedures  
          for state agencies to manage security and risk.  Existing law  
          authorizes the OIS and the Military Department to conduct  
          independent security assessments of any state agency,  
          department, or office, and requires the state entity whose  
          systems are being assessed to pay for the security assessment.   
          In addition to those discretionary assessments, OIS is required  
          to conduct, or cause to be conducted, an independent security  
          assessment of at least 35 state agencies each year.  Existing  
          state policy outlined in the State Administrative Manual  
          requires each state agency to conduct a comprehensive IT risk  
          assessment once every two years and document the results in a  
          risk assessment report.

          Existing law requires specified state agencies and entities to  
          annually submit a summary of actual and projected IT and  
          telecommunications costs to CDT, including personnel, for the  
          immediate preceding fiscal year and current fiscal year, showing  
          current and projected expenses, as specified.  The report is due  
          by February 1 of each year.




          Proposed Law:  AB 2623 would require state entities to submit a summary of  
          actual and projected information security costs, including  
          personnel, for the immediately preceding fiscal year and current  
          fiscal year, showing current and projected expenses, in a format  
          prescribed by CDT in order to capture statewide expenditures,  
          including the expenditure of federal grant funds for information  
          security purposes.  The information must be submitted to CDT by  
          February 1, 2017 and annually thereafter.


          Related Legislation:  AB 1841 (Irwin), which is pending in this  
          Committee, would require the Governor's Office of Emergency  
          Services (OES) and the CDT to transmit a statewide cybersecurity  
          incident response plan to the Legislature by July 1, 2017.  That  
          bill would also require OES and CDT to develop cybersecurity  
          incident response standards for state agencies to prepare for  
          possible interference, compromise, or incapacitation, of  
          critical infrastructure.


          Staff Comments:  This bill would require numerous state entities to  
          determine the level of current and projected resources dedicated  
          to information security.  The CDT indicates that it would incur  
          absorbable costs to develop guidance for how those entities  
          should report the information.  State entities will likely incur  
          minor one-time administrative costs to implement procedures that  
          allow for separate and accurate accounting of relevant  
          expenditures.  Annual costs to report segregated information  
          security cost data to CDT would also be minor.  


                                      -- END --