S.B. No. 1910
 
 
 
 
AN ACT
  relating to state agency information security plans, information
  technology employees, and online and mobile applications.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Subchapter C, Chapter 2054, Government Code, is
  amended by adding Sections 2054.0591 and 2054.0592 to read as
  follows:
         Sec. 2054.0591.  CYBERSECURITY REPORT.  (a)  Not later than
  November 15 of each even-numbered year, the department shall submit
  to the governor, the lieutenant governor, the speaker of the house
  of representatives, and the standing committee of each house of the
  legislature with primary jurisdiction over state government
  operations a report identifying preventive and recovery efforts the
  state can undertake to improve cybersecurity in this state.  The
  report must include:
               (1)  an assessment of the resources available to
  address the operational and financial impacts of a cybersecurity
  event;
               (2)  a review of existing statutes regarding
  cybersecurity and information resources technologies;
               (3)  recommendations for legislative action to
  increase the state's cybersecurity and protect against adverse
  impacts from a cybersecurity event;
               (4)  an evaluation of the costs and benefits of
  cybersecurity insurance; and
               (5)  an evaluation of tertiary disaster recovery
  options.
         (b)  The department or a recipient of a report under this
  section may redact or withhold information confidential under
  Chapter 552, including Section 552.139, or other state or federal
  law that is contained in the report in response to a request under
  Chapter 552 without the necessity of requesting a decision from the
  attorney general under Subchapter G, Chapter 552.
         Sec. 2054.0592.  CYBERSECURITY EMERGENCY FUNDING.  If a
  cybersecurity event creates a need for emergency funding, the
  department may request that the governor or Legislative Budget
  Board make a proposal under Chapter 317 to provide funding to manage
  the operational and financial impacts from the cybersecurity event.
         SECTION 2.  Subchapter F, Chapter 2054, Government Code, is
  amended by adding Section 2054.1184 to read as follows:
         Sec. 2054.1184.  ASSESSMENT OF MAJOR INFORMATION RESOURCES
  PROJECT. (a)  A state agency proposing to spend appropriated funds
  for a major information resources project must first conduct an
  execution capability assessment to:
               (1)  determine the agency's capability for implementing
  the project;
               (2)  reduce the agency's financial risk in implementing
  the project; and
               (3)  increase the probability of the agency's
  successful implementation of the project.
         (b)  A state agency shall submit to the department, the
  quality assurance team established under Section 2054.158, and the
  Legislative Budget Board a detailed report that identifies the
  agency's organizational strengths and any weaknesses that will be
  addressed before the agency initially spends appropriated funds for
  a major information resources project.
         (c)  A state agency may contract with an independent third
  party to conduct the assessment under Subsection (a) and prepare
  the report described by Subsection (b).
         SECTION 3.  Section 2054.133(c), Government Code, is amended
  to read as follows:
         (c)  Not later than October 15 of each even-numbered year,
  each state agency shall submit a copy of the agency's information
  security plan to the department. Subject to available resources,
  the department may select a portion of the submitted security plans
  to be assessed by the department in accordance with department
  rules.
         SECTION 4.  Subchapter F, Chapter 2054, Government Code, is
  amended by adding Section 2054.136 to read as follows:
         Sec. 2054.136.  DESIGNATED INFORMATION SECURITY OFFICER.
  Each state agency shall designate an information security officer
  who:
               (1)  reports to the agency's executive-level
  management;
               (2)  has authority over information security for the
  entire agency;
               (3)  possesses the training and experience required to
  perform the duties required by department rules; and
               (4)  to the extent feasible, has information security
  duties as the officer's primary duties.
         SECTION 5.  Subchapter N-1, Chapter 2054, Government Code,
  is amended by adding Sections 2054.516 and 2054.517 to read as
  follows:
         Sec. 2054.516.  DATA SECURITY PLAN FOR ONLINE AND MOBILE
  APPLICATIONS. (a)  Each state agency, other than an institution of
  higher education subject to Section 2054.517, implementing an
  Internet website or mobile application that processes any sensitive
  personally identifiable or confidential information must:
               (1)  submit a biennial data security plan to the
  department not later than October 15 of each even-numbered year, to
  establish planned beta testing for websites or applications; and
               (2)  subject the website or application to a
  vulnerability and penetration test and address any vulnerability
  identified in the test.
         (b)  The department shall review each data security plan
  submitted under Subsection (a) and make any recommendations for
  changes to the plan to the state agency as soon as practicable after
  the department reviews the plan.
         Sec. 2054.517.  DATA SECURITY PROCEDURES FOR ONLINE AND
  MOBILE APPLICATIONS OF INSTITUTIONS OF HIGHER EDUCATION. (a)  Each
  institution of higher education, as defined by Section 61.003,
  Education Code, shall adopt and implement a policy for Internet
  website and mobile application security procedures that complies
  with this section.
         (b)  Before deploying an Internet website or mobile
  application that processes confidential information for an
  institution of higher education, the developer of the website or
  application for the institution must submit to the institution's
  information security officer the information required under
  policies adopted by the institution to protect the privacy of
  individuals by preserving the confidentiality of information
  processed by the website or application. At a minimum, the
  institution's policies must require the developer to submit
  information describing:
               (1)  the architecture of the website or application;
               (2)  the authentication mechanism for the website or
  application; and
               (3)  the administrator-level access to data included in
  the website or application.
         (c)  Before deploying an Internet website or mobile
  application described by Subsection (b), an institution of higher
  education must subject the website or application to a
  vulnerability and penetration test conducted internally or by an
  independent third party.
         (d)  Each institution of higher education shall submit to the
  department the policies adopted as required by Subsection (b).  The
  department shall review the policies and make recommendations for
  appropriate changes.
         SECTION 6.  As soon as practicable after the effective date
  of this Act, the Department of Information Resources shall adopt
  the rules necessary to implement Section 2054.133(c), Government
  Code, as amended by this Act.
         SECTION 7.  This Act takes effect September 1, 2017.
 
 
 
 
 
  ______________________________     ______________________________
     President of the Senate              Speaker of the House
 
         I hereby certify that S.B. No. 1910 passed the Senate on
  May 4, 2017, by the following vote: Yeas 31, Nays 0; and that the
  Senate concurred in House amendments on May 26, 2017, by the
  following vote: Yeas 31, Nays 0.
 
 
  ______________________________
  Secretary of the Senate    
 
         I hereby certify that S.B. No. 1910 passed the House, with
  amendments, on May 22, 2017, by the following vote: Yeas 144,
  Nays 0, one present not voting.
 
 
  ______________________________
  Chief Clerk of the House   
 
 
 
  Approved:
 
  ______________________________ 
              Date
 
 
  ______________________________ 
            Governor