Senate Bill sb0856c1
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2006 CS for SB 856
By the Committee on Domestic Security; and Senator Diaz de la
Portilla
583-1960-06
1 A bill to be entitled
2 An act relating to domestic security; amending
3 s. 282.318, F.S.; requiring the Department of
4 Management Services to set minimum standard
5 operating procedures for the security of data
6 and information technology resources; providing
7 for the department to require each agency to
8 conduct certain procedures to assure the
9 security of data, information, and information
10 technology resources; requiring that the
11 results of certain internal audits and
12 evaluations be available to the Office of
13 Information Security; requiring the department
14 to establish an Office of Information Security
15 and to designate a Chief Information Security
16 Officer; providing that the office is
17 responsible for certain procedures and
18 standards; providing for the office to be
19 funded by general revenue; authorizing the
20 department to adopt rules; providing
21 legislative findings with respect to the
22 provision of additional funds for enhancements
23 and improvements to the radio system used by
24 state law enforcement agencies; providing for
25 the implementation of certain recommendations
26 contingent upon appropriation; providing an
27 effective date.
28
29 Be It Enacted by the Legislature of the State of Florida:
1 Section 1. Section 282.318, Florida Statutes, is
2 amended to read:
3 282.318 Security of data and information technology
4 resources.--
5 (1) This section may be cited as the "Security of Data
6 and Information Technology Resources Act."
7 (2)(a) The Department of Management Services,
8 hereafter referred to as the department The State Technology
9 Office, in consultation with each agency head, is responsible
10 for coordinating, assessing, and setting minimum standard
11 operating procedures for and accountable for assuring an
12 adequate level of security for all data and information
13 technology resources of each agency and, to carry out this
14 responsibility, will shall, at a minimum:
15 (a)1. Require that each agency designate an
16 information security manager who shall administer the security
17 program of each agency for its data and information technology
18 resources.
19 (b)2. Require that each agency conduct and update
20 every 3 years Conduct, and periodically update, a
21 comprehensive risk analysis to determine the security threats
22 to the data, information, and information technology resources
23 of each agency. The risk analysis information is confidential
24 and exempt from the provisions of s. 119.07(1), except that
25 such information shall be available to the Auditor General in
26 performing his or her postauditing duties.
27 (c)3. Assist each agency with the development and
28 provide revisions of Develop, and periodically update, written
29 internal policies and procedures to assure the security of the
30 data, information, and information technology resources of
31 each agency. The internal policies and procedures which, if
1 disclosed, could facilitate the unauthorized modification,
2 disclosure, or destruction of data or information technology
3 resources are confidential information and exempt from the
4 provisions of s. 119.07(1), except that such information shall
5 be available to the Auditor General in performing his or her
6 postauditing duties.
7 (d)4. Require each agency to implement appropriate
8 cost-effective safeguards to reduce, eliminate, or recover
9 from the identified risks to the data and information
10 technology resources of each agency.
11 (e)5. Require each agency to ensure that periodic
12 internal audits and evaluations of each security program for
13 the data and information technology resources of the agency
14 are conducted. The results of such internal audits and
15 evaluations are confidential information and exempt from the
16 provisions of s. 119.07(1), except that such information shall
17 be available to the Auditor General in performing his or her
18 postauditing duties and to the Office of Information Security
19 for performance of its coordination and assessment duties.
20 (f)6. Require that each agency include appropriate
21 security requirements, as determined by the Department of
22 Management Services the State Technology Office, in
23 consultation with the Department of Law Enforcement each
24 agency head, in the written specifications for the
25 solicitation of information technology resources.
26 (b) In those instances in which the department State
27 Technology Office develops state contracts for use by state
28 agencies, the department office shall include appropriate
29 security requirements in the specifications for the
30 solicitation for state contracts for procuring information
31 technology resources.
1 (3) In order to ensure the security of enterprise
2 information, the department shall establish the Office of
3 Information Security and shall designate a Chief Information
4 Security Officer as the head of the office. The office shall
5 work with all branches of state government and coordinate with
6 the Agency Chief Information Officers Council and the
7 Executive Office of the Governor. The office is responsible
8 for security rulemaking and formulation of policy
9 recommendations, security audit oversight, training of
10 information security managers, coordination of domestic
11 security funding for cybersecurity issues, and shall set
12 minimum standards for the recovery of information technology
13 following a disaster. The funding for this office and the
14 associated positions shall be provided with general revenue
15 and is the responsibility of the department.
16 (4) The department may adopt rules relating to the
17 security of data, information, and information technology
18 pursuant to ss. 120.536(1) and 120.54 to administer this part.
19 Section 2. The Legislature finds that infrastructure
20 enhancements and improvements to the radio system used by
21 state law enforcement agencies will provide increased
22 protection to the residents of this state and should be
23 considered for additional funding. In order to ensure
24 continued, improved communication and protection by state and
25 local law enforcement personnel, the recommendations of the
26 Joint Task Force on State Agency Law Enforcement
27 Communications, dated February 2005, or any subsequent
28 recommendations of the joint task force, should be implemented
29 contingent upon the appropriation of funds.
30 Section 3. This act shall take effect upon becoming a
31 law.
STATEMENT OF SUBSTANTIAL CHANGES CONTAINED IN
COMMITTEE SUBSTITUTE FOR
Senate Bill 0856

Senate Bill 856 as originally filed stated the intent to revise laws relating to domestic security.

This committee substitute provides for the reinstatement of the former State Technology Office's information technology security function within the Department of Management Services. The committee substitute assigns and clarifies certain information technology security responsibilities for the department and each state agency.

The Office of Information Security is created within the department and provides for the designation of a Chief Information Security Officer.

The committee substitute finds that enhancements and improvements to the state law enforcement radio system should be considered based on joint task force recommendations. Recommendations implementation should be contingent upon appropriations.