BILL ANALYSIS
SENATE COMMITTEE ON APPROPRIATIONS
Senator Ricardo Lara, Chair
2015 - 2016 Regular Session
AB 2623 (Gordon) - State information security costs: annual
report
Version: April 28, 2016
Policy Vote: G.O. 13 - 0
Urgency: No
Mandate: No
Hearing Date: August 1, 2016
Consultant: Mark McKenzie
This bill does not meet the criteria for referral to the
Suspense File.
Bill Summary: AB 2623 would require state entities to annually
report specified information on actual and projected information
security expenditures to the Department of Technology (CDT), as
specified.
Fiscal Impact:
Minor and absorbable CDT costs to develop reporting criteria.
(General Fund)
Likely absorbable costs for individual state agencies to
segregate information security costs from overall information
technology (IT) expenditures and annually report to CDT.
(General Fund / various special funds)
Background: Existing law provides that the CDT is generally responsible
for the approval and oversight of state IT projects. The Office
of Information Security (OIS) within the CDT is responsible for
ensuring the confidentiality and integrity of state data
systems, and establishing policies, standards, and procedures
for state agencies to manage security and risk. Existing law
authorizes the OIS and the Military Department to conduct
independent security assessments of any state agency,
department, or office, and requires the state entity whose
systems are being assessed to pay for the security assessment.
In addition to those discretionary assessments, OIS is required
to conduct, or cause to be conducted, an independent security
assessment of at least 35 state agencies each year. Existing
state policy outlined in the State Administrative Manual
requires each state agency to conduct a comprehensive IT risk
assessment once every two years and document the results in a
risk assessment report.
Existing law requires specified state agencies and entities to
annually submit a summary of actual and projected IT and
telecommunications costs to CDT, including personnel, for the
immediate preceding fiscal year and current fiscal year, showing
current and projected expenses, as specified. The report is due
by February 1 of each year.
Proposed Law:
AB 2623 would require state entities to submit a summary of
actual and projected information security costs, including
personnel, for the immediately preceding fiscal year and current
fiscal year, showing current and projected expenses, in a format
prescribed by CDT in order to capture statewide expenditures,
including the expenditure of federal grant funds for information
security purposes. The information must be submitted to CDT by
February 1, 2017 and annually thereafter.
Related Legislation: AB 1841 (Irwin), which is pending in this
Committee, would require the Governor's Office of Emergency
Services (OES) and the CDT to transmit a statewide cybersecurity
incident response plan to the Legislature by July 1, 2017. That
bill would also require OES and CDT to develop cybersecurity
incident response standards for state agencies to prepare for
possible interference, compromise, or incapacitation, of
critical infrastructure.
Staff Comments: This bill would require numerous state entities to
determine the level of current and projected resources dedicated
to information security. The CDT indicates that it would incur
absorbable costs to develop guidance for how those entities
should report the information. State entities will likely incur
minor one-time administrative costs to implement procedures that
allow for separate and accurate accounting of relevant
expenditures. Annual costs to report segregated information
security cost data to CDT would also be minor.
-- END --