
2011 Florida Statutes

282.318 Enterprise security of data and information technology.
(1) This section may be cited as the “Enterprise Security of Data and Information Technology Act.”
(2) Information technology security is established as an enterprise information technology service as defined in s. 282.0041.
(3) The Agency for Enterprise Information Technology is responsible for establishing rules and publishing guidelines for ensuring an appropriate level of security for all data and information technology resources for executive branch agencies. The agency shall also perform the following duties and responsibilities:
(a) Develop, and annually update by February 1, an enterprise information security strategic plan that includes security goals and objectives for the strategic issues of information security policy, risk management, training, incident management, and survivability planning.
(b) Develop enterprise security rules and published guidelines for:
1. Comprehensive risk analyses and information security audits conducted by state agencies.
2. Responding to suspected or confirmed information security incidents, including suspected or confirmed breaches of personal information or exempt data.
3. Agency security plans, including strategic security plans and security program plans.
4. The recovery of information technology and data following a disaster.
5. The managerial, operational, and technical safeguards for protecting state government data and information technology resources.
(c) Assist agencies in complying with the provisions of this section.
(d) Pursue appropriate funding for the purpose of enhancing domestic security.
(e) Provide training for agency information security managers.
(f) Annually review the strategic and operational information security plans of executive branch agencies.
(4) To assist the Agency for Enterprise Information Technology in carrying out its responsibilities, each agency head shall, at a minimum:
(a) Designate an information security manager to administer the security program of the agency for its data and information technology resources. This designation must be provided annually in writing to the Agency for Enterprise Information Technology by January 1.
(b) Submit to the Agency for Enterprise Information Technology annually by July 31, the agency’s strategic and operational information security plans developed pursuant to the rules and guidelines established by the Agency for Enterprise Information Technology.
1. The agency strategic information security plan must cover a 3-year period and define security goals, intermediate objectives, and projected agency costs for the strategic issues of agency information security policy, risk management, security training, security incident response, and survivability. The plan must be based on the enterprise strategic information security plan created by the Agency for Enterprise Information Technology. Additional issues may be included.
2. The agency operational information security plan must include a progress report for the prior operational information security plan and a project plan that includes activities, timelines, and deliverables for security objectives that, subject to current resources, the agency will implement during the current fiscal year. The cost of implementing the portions of the plan which cannot be funded from current resources must be identified in the plan.
(c) Conduct, and update every 3 years, a comprehensive risk analysis to determine the security threats to the data, information, and information technology resources of the agency. The risk analysis information is confidential and exempt from the provisions of s. 119.07(1), except that such information shall be available to the Auditor General and the Agency for Enterprise Information Technology for performing postauditing duties.
(d) Develop, and periodically update, written internal policies and procedures, which include procedures for notifying the Agency for Enterprise Information Technology when a suspected or confirmed breach, or an information security incident, occurs. Such policies and procedures must be consistent with the rules and guidelines established by the Agency for Enterprise Information Technology to ensure the security of the data, information, and information technology resources of the agency. The internal policies and procedures that, if disclosed, could facilitate the unauthorized modification, disclosure, or destruction of data or information technology resources are confidential information and exempt from s. 119.07(1), except that such information shall be available to the Auditor General and the Agency for Enterprise Information Technology for performing postauditing duties.
(e) Implement appropriate cost-effective safeguards to address identified risks to the data, information, and information technology resources of the agency.
(f) Ensure that periodic internal audits and evaluations of the agency’s security program for the data, information, and information technology resources of the agency are conducted. The results of such audits and evaluations are confidential information and exempt from s. 119.07(1), except that such information shall be available to the Auditor General and the Agency for Enterprise Information Technology for performing postauditing duties.
(g) Include appropriate security requirements in the written specifications for the solicitation of information technology and information technology resources and services, which are consistent with the rules and guidelines established by the Agency for Enterprise Information Technology.
(h) Provide security awareness training to employees and users of the agency’s communication and information resources concerning information security risks and the responsibility of employees and users to comply with policies, standards, guidelines, and operating procedures adopted by the agency to reduce those risks.
(i) Develop a process for detecting, reporting, and responding to suspected or confirmed security incidents, including suspected or confirmed breaches consistent with the security rules and guidelines established by the Agency for Enterprise Information Technology.
1. Suspected or confirmed information security incidents and breaches must be immediately reported to the Agency for Enterprise Information Technology.
2. For incidents involving breaches, agencies shall provide notice in accordance with s. 817.5681 and to the Agency for Enterprise Information Technology in accordance with this subsection.
(5) Each state agency shall include appropriate security requirements in the specifications for the solicitation of contracts for procuring information technology or information technology resources or services which are consistent with the rules and guidelines established by the Agency for Enterprise Information Technology.
(6) The Agency for Enterprise Information Technology may adopt rules relating to information security and to administer the provisions of this section.
History. ss. 1, 2, 3, ch. 84-236; s. 28, ch. 87-137; s. 1, ch. 89-14; s. 7, ch. 90-160; s. 13, ch. 91-171; s. 234, ch. 92-279; s. 55, ch. 92-326; s. 22, ch. 94-340; s. 863, ch. 95-148; s. 131, ch. 96-406; s. 15, ch. 97-286; s. 25, ch. 2000-164; s. 26, ch. 2001-261; s. 18, ch. 2006-26; s. 10, ch. 2007-105; s. 12, ch. 2009-80; s. 46, ch. 2010-5; s. 9, ch. 2011-50.