Florida Senate - 2016 COMMITTEE AMENDMENT
Bill No. PCS (591178) for SB 7050
LEGISLATIVE ACTION
Senate: Comm: RCS, 03/01/2016
House: (no action)
—————————————————————————————————————————————————————————————————
The Committee on Appropriations (Ring) recommended the
following:
1 Senate Amendment (with title amendment)
2
3 Delete everything after the enacting clause
4 and insert:
5 Section 1. Subsection (3) of section 20.61, Florida
6 Statutes, is amended to read:
7 20.61 Agency for State Technology.—The Agency for State
8 Technology is created within the Department of Management
9 Services. The agency is a separate budget program and is not
10 subject to control, supervision, or direction by the Department
11 of Management Services, including, but not limited to,
12 purchasing, transactions involving real or personal property,
13 personnel, or budgetary matters.
14 (3) The Technology Advisory Council, consisting of seven
15 members, is established within the Agency for State Technology
16 and shall be maintained pursuant to s. 20.052. Four members of
17 the council shall be appointed by the Governor, two of whom must
18 be from the private sector and one of whom must be a
19 cybersecurity expert. The President of the Senate and the
20 Speaker of the House of Representatives shall each appoint one
21 member of the council. The Attorney General, the Commissioner of
22 Agriculture and Consumer Services, and the Chief Financial
23 Officer shall jointly appoint one member by agreement of a
24 majority of these officers. Upon initial establishment of the
25 council, two of the Governor’s appointments shall be for 2-year
26 terms. Thereafter, all appointments shall be for 4-year terms.
27 (a) The council shall consider and make recommendations to
28 the executive director on such matters as enterprise information
29 technology policies, standards, services, and architecture. The
30 council may also identify and recommend opportunities for the
31 establishment of public-private partnerships when considering
32 technology infrastructure and services in order to accelerate
33 project delivery and provide a source of new or increased
34 project funding.
35 (b) The executive director shall consult with the council
36 with regard to executing the duties and responsibilities of the
37 agency related to statewide information technology strategic
38 planning and policy.
39 (c) The council shall be governed by the Code of Ethics for
40 Public Officers and Employees as set forth in part III of
41 chapter 112, and each member must file a statement of financial
42 interests pursuant to s. 112.3145.
43 Section 2. Subsections (3) and (4) of section 282.318,
44 Florida Statutes, are amended to read:
45 282.318 Security of data and information technology.—
46 (3) The Agency for State Technology is responsible for
47 establishing standards and processes consistent with generally
48 accepted best practices for information technology security, to
49 include cybersecurity, and adopting rules that safeguard an
50 agency’s data, information, and information technology resources
51 to ensure availability, confidentiality, and integrity and to
52 mitigate risks. The agency shall also:
53 (a) Develop, and annually update by February 1, a statewide
54 information technology security strategic plan that includes
55 security goals and objectives for the strategic issues of
56 information technology security policy, risk management,
57 training, incident management, and disaster recovery planning.
58 (b) Develop and publish for use by state agencies an
59 information technology security framework that, at a minimum,
60 includes guidelines and processes for:
61 1. Establishing asset management procedures to ensure that
62 an agency’s information technology resources are identified and
63 managed consistent with their relative importance to the
64 agency’s business objectives.
65 2. Using a standard risk assessment methodology that
66 includes the identification of an agency’s priorities,
67 constraints, risk tolerances, and assumptions necessary to
68 support operational risk decisions.
69 3. Completing comprehensive risk assessments and
70 information technology security audits, which may be completed
71 by a private sector vendor, and submitting completed assessments
72 and audits to the Agency for State Technology.
73 4. Identifying protection procedures to manage the
74 protection of an agency’s information, data, and information
75 technology resources.
76 5. Establishing procedures for accessing information and
77 data to ensure the confidentiality, integrity, and availability
78 of such information and data.
79 6. Detecting threats through proactive monitoring of
80 events, continuous security monitoring, and defined detection
81 processes.
82 7. Establishing agency computer security incident response
83 teams and describing their responsibilities for responding to
84 information technology security incidents, including breaches of
85 personal information containing confidential or exempt data.
86 8. Recovering information and data in response to an
87 information technology security incident. The recovery may
88 include recommended improvements to the agency processes,
89 policies, or guidelines.
90 9. Establishing an information technology security incident
91 reporting process that includes procedures and tiered reporting
92 timeframes for notifying the Agency for State Technology and the
93 Department of Law Enforcement of information technology security
94 incidents. The tiered reporting timeframes shall be based upon
95 the level of severity of the information technology security
96 incidents being reported.
97 10. Incorporating information obtained through detection
98 and response activities into the agency’s information technology
99 security incident response plans.
100 11.9. Developing agency strategic and operational
101 information technology security plans required pursuant to this
102 section.
103 12.10. Establishing the managerial, operational, and
104 technical safeguards for protecting state government data and
105 information technology resources that align with the state
106 agency risk management strategy and that protect the
107 confidentiality, integrity, and availability of information and
108 data.
109 (c) Assist state agencies in complying with this section.
110 (d) In collaboration with the Cybercrime Office of the
111 Department of Law Enforcement, annually provide training for
112 state agency information security managers and computer security
113 incident response team members that contains training on
114 information technology security, including cybersecurity,
115 threats, trends, and best practices.
116 (e) Annually review the strategic and operational
117 information technology security plans of executive branch
118 agencies.
119 (4) Each state agency head shall, at a minimum:
120 (a) Designate an information security manager to administer
121 the information technology security program of the state agency.
122 This designation must be provided annually in writing to the
123 Agency for State Technology by January 1. A state agency’s
124 information security manager, for purposes of these information
125 security duties, shall report directly to the agency head.
126 (b) In consultation with the Agency for State Technology
127 and the Cybercrime Office of the Department of Law Enforcement,
128 establish an agency computer security incident response team to
129 respond to an information technology security incident. The
130 agency computer security incident response team shall convene
131 immediately upon notification of an information technology
132 security incident and must comply with all applicable guidelines
133 and processes established pursuant to paragraph (3)(b).
134 (c)(b) Submit to the Agency for State Technology annually
135 by July 31, the state agency’s strategic and operational
136 information technology security plans developed pursuant to
137 rules and guidelines established by the Agency for State
138 Technology.
139 1. The state agency strategic information technology
140 security plan must cover a 3-year period and, at a minimum,
141 define security goals, intermediate objectives, and projected
142 agency costs for the strategic issues of agency information
143 security policy, risk management, security training, security
144 incident response, and disaster recovery. The plan must be based
145 on the statewide information technology security strategic plan
146 created by the Agency for State Technology and include
147 performance metrics that can be objectively measured to reflect
148 the status of the state agency’s progress in meeting security
149 goals and objectives identified in the agency’s strategic
150 information security plan.
151 2. The state agency operational information technology
152 security plan must include a progress report that objectively
153 measures progress made towards the prior operational information
154 technology security plan and a project plan that includes
155 activities, timelines, and deliverables for security objectives
156 that the state agency will implement during the current fiscal
157 year.
158 (d)(c) Conduct, and update every 3 years, a comprehensive
159 risk assessment, which may be completed by a private sector
160 vendor, to determine the security threats to the data,
161 information, and information technology resources, including
162 mobile devices and print environments, of the agency. The risk
163 assessment must comply with the risk assessment methodology
164 developed by the Agency for State Technology and is confidential
165 and exempt from s. 119.07(1), except that such information shall
166 be available to the Auditor General, the Agency for State
167 Technology, the Cybercrime Office of the Department of Law
168 Enforcement, and, for state agencies under the jurisdiction of
169 the Governor, the Chief Inspector General.
170 (e)(d) Develop, and periodically update, written internal
171 policies and procedures, which include procedures for reporting
172 information technology security incidents and breaches to the
173 Cybercrime Office of the Department of Law Enforcement and the
174 Agency for State Technology. Such policies and procedures must
175 be consistent with the rules, guidelines, and processes
176 established by the Agency for State Technology to ensure the
177 security of the data, information, and information technology
178 resources of the agency. The internal policies and procedures
179 that, if disclosed, could facilitate the unauthorized
180 modification, disclosure, or destruction of data or information
181 technology resources are confidential information and exempt
182 from s. 119.07(1), except that such information shall be
183 available to the Auditor General, the Cybercrime Office of the
184 Department of Law Enforcement, the Agency for State Technology,
185 and, for state agencies under the jurisdiction of the Governor,
186 the Chief Inspector General.
187 (f)(e) Implement managerial, operational, and technical
188 safeguards and risk assessment remediation plans recommended
189 established by the Agency for State Technology to address
190 identified risks to the data, information, and information
191 technology resources of the agency.
192 (g)(f) Ensure that periodic internal audits and evaluations
193 of the agency’s information technology security program for the
194 data, information, and information technology resources of the
195 agency are conducted. The results of such audits and evaluations
196 are confidential information and exempt from s. 119.07(1),
197 except that such information shall be available to the Auditor
198 General, the Cybercrime Office of the Department of Law
199 Enforcement, the Agency for State Technology, and, for agencies
200 under the jurisdiction of the Governor, the Chief Inspector
201 General.
202 (h)(g) Include appropriate information technology security
203 requirements in the written specifications for the solicitation
204 of information technology and information technology resources
205 and services, which are consistent with the rules and guidelines
206 established by the Agency for State Technology in collaboration
207 with the Department of Management Services.
208 (i)(h) Provide information technology security and
209 cybersecurity awareness training to all state agency employees
210 in the first 30 days after commencing employment concerning
211 information technology security risks and the responsibility of
212 employees to comply with policies, standards, guidelines, and
213 operating procedures adopted by the state agency to reduce those
214 risks. The training may be provided in collaboration with the
215 Cybercrime Office of the Department of Law Enforcement.
216 (j)(i) Develop a process for detecting, reporting, and
217 responding to threats, breaches, or information technology
218 security incidents that are consistent with the security rules,
219 guidelines, and processes established by the Agency for State
220 Technology.
221 1. All information technology security incidents and
222 breaches must be reported to the Agency for State Technology and
223 the Cybercrime Office of the Department of Law Enforcement and
224 must comply with the notification procedures and reporting
225 timeframes established pursuant to paragraph (3)(b).
226 2. For information technology security breaches, state
227 agencies shall provide notice in accordance with s. 501.171.
228 Section 3. Paragraph (e) of subsection (4) of section
229 501.171, Florida Statutes, is amended to read:
230 501.171 Security of confidential personal information.—
231 (4) NOTICE TO INDIVIDUALS OF SECURITY BREACH.—
232 (e) The notice to an individual with respect to a breach of
233 security shall include, at a minimum:
234 1. The date, estimated date, or estimated date range of the
235 breach of security.
236 2. A description of the personal information that was
237 accessed or reasonably believed to have been accessed as a part
238 of the breach of security.
239 3. Information that the individual can use to contact the
240 covered entity to inquire about the breach of security and the
241 personal information that the covered entity maintained about
242 the individual.
243 4. Information on how to obtain free medical identity
244 monitoring if personal health information as described in
245 sub-sub-subparagraph (1)(g)1.a.(IV) or sub-sub-subparagraph
246 (1)(g)1.a.(V) was accessed or reasonably believed to have been
247 accessed as part of the breach of security.
248 5. Information indicating whether the covered entity is
249 required or otherwise chooses to offer free financial credit
250 monitoring to affected individuals.
251 Section 4. This act shall take effect July 1, 2016.
252
253 ================= TITLE AMENDMENT ================
254 And the title is amended as follows:
255 Delete everything before the enacting clause
256 and insert:
257 A bill to be entitled
258 An act relating to information technology security;
259 amending s. 20.61, F.S.; revising the membership of
260 the Technology Advisory Council to include a
261 cybersecurity expert; amending s. 282.318, F.S.;
262 revising the duties of the Agency for State
263 Technology; providing that risk assessments and
264 security audits may be completed by a private vendor;
265 providing for the establishment of computer security
266 incident response teams within state agencies;
267 providing for the establishment of an information
268 technology security incident reporting process;
269 providing for information technology security and
270 cybersecurity awareness training; revising duties of
271 state agency heads; establishing computer security
272 incident response team responsibilities; establishing
273 notification procedures and reporting timelines for an
274 information technology security incident or breach;
275 amending s. 501.171, F.S.; revising the information
276 that must be included in a notice of a security
277 breach; providing an effective date.