By: Zaffirini S.B. No. 1910
  (Capriglione)

A BILL TO BE ENTITLED
 
AN ACT
  relating to state agency information security plans, information
  technology employees, and online and mobile applications.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Section 2054.133(c), Government Code, is amended
  to read as follows:
         (c)  Not later than October 15 of each even-numbered year,
  each state agency shall submit a copy of the agency's information
  security plan to the department. Subject to available resources,
  the department shall select a portion of the submitted security
  plans to be audited by the department in accordance with department
  rules.
         SECTION 2.  Subchapter F, Chapter 2054, Government Code, is
  amended by adding Section 2054.136 to read as follows:
         Sec. 2054.136.  INDEPENDENT INFORMATION SECURITY OFFICER.
  Each state agency in the executive branch of state government that
  has on staff a chief information security officer or information
  security officer shall ensure that within the agency's
  organizational structure the officer is independent from and not
  subordinate to the agency's information technology operations.
         SECTION 3.  Subchapter N-1, Chapter 2054, Government Code,
  is amended by adding Section 2054.516 to read as follows:
         Sec. 2054.516.  DATA SECURITY PLAN FOR ONLINE AND MOBILE
  APPLICATIONS. (a)  Each state agency implementing an Internet
  website or mobile application that processes any personally
  identifiable or confidential information must:
               (1)  submit a data security plan to the department
  before beta testing the website or application; and
               (2)  before deploying the website or application:
                     (A)  subject the website or application to a
  vulnerability and penetration test conducted by an independent
  third party; and
                     (B)  address any vulnerability identified under
  Paragraph (A).
         (b)  The data security plan required under Subsection (a)(1)
  must include:
               (1)  data flow diagrams to show the location of
  information in use, in transit, and not in use;
               (2)  data storage locations;
               (3)  data interaction with online or mobile devices;
               (4)  security of data transfer;
               (5)  security measures for the online or mobile
  application; and
               (6)  a description of any action taken by the agency to
  remediate any vulnerability identified by an independent third
  party under Subsection (a)(2).
         (c)  The department shall review each data security plan
  submitted under Subsection (a) and make any recommendations for
  changes to the plan to the state agency as soon as practicable after
  the department reviews the plan.
         SECTION 4.  As soon as practicable after the effective date
  of this Act, the Department of Information Resources shall adopt
  the rules necessary to implement Section 2054.133(c), Government
  Code, as amended by this Act.
         SECTION 5.  This Act takes effect September 1, 2017.