Florida Senate - 2006 COMMITTEE AMENDMENT
Bill No. CS for SB 856
Barcode 681588
CHAMBER ACTION
Senate House
.
.
1 Comm: RCS .
04/19/2006 06:44 PM .
2 .
.
3 .
.
4 ______________________________________________________________
5
6
7
8
9
10 ______________________________________________________________
11 The Committee on Governmental Oversight and Productivity
12 (Argenziano) recommended the following amendment:
13
14 Senate Amendment (with title amendment)
15 On page 2, line 5, through
16 page 4, line 18, delete those lines
17
18 and insert:
19 (1) This section may be cited as the "Security of Data
20 and Information Technology Resources Act."
21 (2)(a) The Department of Management Services,
22 hereafter referred to as the department The State Technology
23 Office, in consultation with each agency head, is responsible
24 for coordinating, assessing, and recommending minimum
25 operating procedures for and accountable for assuring an
26 adequate level of security for all data and information
27 technology resources. To assist the department in carrying of
28 each agency and, to carry out this responsibility, each agency
29 shall, at a minimum:
30 (a)1. Designate an information security manager who
31 shall administer the security program of each agency for its
1
3:28 PM 04/14/06 s0856c1c-go03-c3t
Florida Senate - 2006 COMMITTEE AMENDMENT
Bill No. CS for SB 856
Barcode 681588
1 data and information technology resources.
2 (b)2. Conduct, and periodically update every 3 years,
3 a comprehensive risk analysis to determine the security
4 threats to the data, information, and information technology
5 resources of each agency. The risk analysis information is
6 confidential and exempt from the provisions of s. 119.07(1),
7 except that such information shall be available to the Auditor
8 General in performing his or her postauditing duties.
9 (c)3. Develop, and periodically update, written
10 internal policies and procedures that are consistent with the
11 standard operating procedures recommended by the department to
12 assure the security of the data and information technology
13 resources of each agency. The internal policies and
14 procedures which, if disclosed, could facilitate the
15 unauthorized modification, disclosure, or destruction of data
16 or information technology resources are confidential
17 information and exempt from the provisions of s. 119.07(1),
18 except that such information shall be available to the Auditor
19 General in performing his or her postauditing duties.
20 (d)4. Implement appropriate cost-effective safeguards
21 to reduce, eliminate, or recover from the identified risks to
22 the data and information technology resources of each agency.
23 (e)5. Ensure that periodic internal audits and
24 evaluations of each security program for the data,
25 information, and information technology resources of the
26 agency are conducted. The results of such internal audits and
27 evaluations are confidential information and exempt from the
28 provisions of s. 119.07(1), except that such information shall
29 be available to the Auditor General in performing his or her
30 postauditing duties.
31 (f)6. Include appropriate security requirements, as
2
3:28 PM 04/14/06 s0856c1c-go03-c3t
Florida Senate - 2006 COMMITTEE AMENDMENT
Bill No. CS for SB 856
Barcode 681588
1 determined by the State Technology Office, in consultation
2 with each agency head, in the written specifications for the
3 solicitation of information technology resources which are
4 consistent with the standard security operating procedures as
5 recommended by the department.
6 (b) In those instances in which the department State
7 Technology Office develops state contracts for use by state
8 agencies, the department office shall include appropriate
9 security requirements in the specifications for the
10 solicitation for state contracts for procuring information
11 technology resources.
12 (3) In order to ensure the security of data,
13 information, and information technology resources, the
14 department shall establish the Office of Information Security
15 and shall designate a Chief Information Security Officer as
16 the head of the office. The office shall coordinate its
17 activities with the Agency Chief Information Officers Council
18 as established in s. 282.315. The office is responsible for
19 developing a strategic plan for information technology
20 security which shall be submitted by December 1, 2006, to the
21 Executive Office of the Governor, the President of the Senate,
22 and the Speaker of the House of Representatives; developing
23 standards and templates for conducting comprehensive risk
24 analyses and information security audits by state agencies;
25 assisting agencies in their compliance with the provisions of
26 this section; establishing minimum standards for the recovery
27 of information technology following a disaster; and conducting
28 training for agency information security managers. This
29 subsection shall expire on June 30, 2007.
30
31
3
3:28 PM 04/14/06 s0856c1c-go03-c3t
Florida Senate - 2006 COMMITTEE AMENDMENT
Bill No. CS for SB 856
Barcode 681588
1 ================ T I T L E A M E N D M E N T ===============
2 And the title is amended as follows:
3 On page 1, lines 4-20, delete those lines
4
5 and insert:
6 Management Services to recommend minimum
7 operating procedures for the security of data
8 and information technology resources; requiring
9 each agency to conduct certain procedures to
10 assure the security of data, information, and
11 information technology resources; requiring
12 that the results of certain internal audits and
13 evaluations be available to the Auditor
14 General; requiring the department to establish
15 an Office of Information Security and to
16 designate a Chief Information Security Officer;
17 requiring the office to develop a strategic
18 plan; providing that the office is responsible
19 for certain procedures and standards; providing
20
21
22
23
24
25
26
27
28
29
30
31
4
3:28 PM 04/14/06 s0856c1c-go03-c3t