
The Florida Senate

2006 Florida Statutes

SECTION 318
Security of data and information technology resources.
Section 282.318, Florida Statutes 2006

282.318  Security of data and information technology resources.--

(1)  This section may be cited as the "Security of Data and Information Technology Resources Act."

(2)(a)  The State Technology Office, in consultation with each agency head, is responsible and accountable for assuring an adequate level of security for all data and information technology resources of each agency and, to carry out this responsibility, shall, at a minimum:

1.  Designate an information security manager who shall administer the security program of each agency for its data and information technology resources.

2.  Conduct, and periodically update, a comprehensive risk analysis to determine the security threats to the data and information technology resources of each agency. The risk analysis information is confidential and exempt from the provisions of s. 119.07(1), except that such information shall be available to the Auditor General in performing his or her postauditing duties.

3.  Develop, and periodically update, written internal policies and procedures to assure the security of the data and information technology resources of each agency. The internal policies and procedures which, if disclosed, could facilitate the unauthorized modification, disclosure, or destruction of data or information technology resources are confidential information and exempt from the provisions of s. 119.07(1), except that such information shall be available to the Auditor General in performing his or her postauditing duties.

4.  Implement appropriate cost-effective safeguards to reduce, eliminate, or recover from the identified risks to the data and information technology resources of each agency.

5.  Ensure that periodic internal audits and evaluations of each security program for the data and information technology resources of the agency are conducted. The results of such internal audits and evaluations are confidential information and exempt from the provisions of s. 119.07(1), except that such information shall be available to the Auditor General in performing his or her postauditing duties.

6.  Include appropriate security requirements, as determined by the State Technology Office, in consultation with each agency head, in the written specifications for the solicitation of information technology resources.

(b)  In those instances in which the State Technology Office develops state contracts for use by state agencies, the office shall include appropriate security requirements in the specifications for the solicitation for state contracts for procuring information technology resources.

¹(3)  Notwithstanding subsection (2), the Department of Management Services, hereafter referred to as the "department," in consultation with each agency head, is responsible for coordinating, assessing, and recommending minimum operating procedures for ensuring an adequate level of security for data and information technology resources. To assist the department in carrying out this responsibility, each agency shall, at a minimum:

(a)  Designate an information security manager who shall administer the security program of the agency for its data and information technology resources.

(b)  Conduct, and update every 3 years, a comprehensive risk analysis to determine the security threats to the data, information, and information technology resources of the agency. The risk analysis information made confidential and exempt under subparagraph (2)(a)2. shall be available to the Auditor General in performing his or her postauditing duties.

(c)  Develop, and periodically update, written internal policies and procedures that are consistent with the standard operating procedures recommended by the department to ensure the security of the data and information technology resources of the agency. The internal policies and procedures that, if disclosed, could facilitate the unauthorized modification, disclosure, or destruction of data or information technology resources made confidential and exempt under subparagraph (2)(a)3. shall be available to the Auditor General in performing his or her postauditing duties.

(d)  Implement appropriate cost-effective safeguards to reduce, eliminate, or recover from the identified risks to the data and information technology resources of the agency.

(e)  Ensure that periodic internal audits and evaluations of the security program for the data, information, and information technology resources of the agency are conducted. The results of such internal audits and evaluations made confidential and exempt under subparagraph (2)(a)5. shall be available to the Auditor General in performing his or her postauditing duties.

(f)  Include appropriate security requirements in the written specifications for the solicitation of information technology resources that are consistent with the standard security operating procedures as recommended by the department.

(g)  This subsection expires July 1, 2007.

In those instances under this subsection in which the department develops state contracts for use by state agencies, the department shall include appropriate security requirements in the specifications for the solicitation for state contracts for procuring information technology resources.

¹(4)  In order to ensure the security of data, information, and information technology resources, the department shall establish the Office of Information Security and shall designate a Chief Information Security Officer as the head of the office. The office shall coordinate its activities with the Agency Chief Information Officers Council as established in s. 282.315. The office is responsible for developing a strategic plan for information technology security which shall be submitted by March 1, 2007, to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives; developing standards and templates for conducting comprehensive risk analyses and information security audits by state agencies; assisting agencies in their compliance with the provisions of this section; establishing minimum standards for the recovery of information technology following a disaster; and conducting training for agency information security managers. This subsection expires July 1, 2007.

History.--ss. 1, 2, 3, ch. 84-236; s. 28, ch. 87-137; s. 1, ch. 89-14; s. 7, ch. 90-160; s. 13, ch. 91-171; s. 234, ch. 92-279; s. 55, ch. 92-326; s. 22, ch. 94-340; s. 863, ch. 95-148; s. 131, ch. 96-406; s. 15, ch. 97-286; s. 25, ch. 2000-164; s. 26, ch. 2001-261; s. 18, ch. 2006-26.

¹Note.--Section 18, ch. 2006-26, added subsections (3) and (4) "[i]n order to implement Specific Appropriation 2969A of the 2006-2007 General Appropriations Act."