Senate Bill sb0856c2
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2006 CS for CS for SB 856
By the Committees on Governmental Oversight and Productivity;
Domestic Security; and Senator Diaz de la Portilla
585-2347-06
1 A bill to be entitled
2 An act relating to domestic security; amending
3 s. 282.318, F.S.; requiring the Department of
4 Management Services to recommend minimum
5 operating procedures for the security of data
6 and information technology resources; requiring
7 each agency to conduct certain procedures to
8 assure the security of data, information, and
9 information technology resources; requiring
10 that the results of certain internal audits and
11 evaluations be available to the Auditor
12 General; requiring the department to establish
13 an Office of Information Security and to
14 designate a Chief Information Security Officer;
15 requiring the office to develop a strategic
16 plan; providing that the office is responsible
17 for certain procedures and standards; providing
18 legislative findings with respect to the
19 provision of additional funds for enhancements
20 and improvements to the radio system used by
21 state law enforcement agencies; providing for
22 the implementation of certain recommendations
23 contingent upon appropriation; providing an
24 effective date.
25
26 Be It Enacted by the Legislature of the State of Florida:
27
28 Section 1. Section 282.318, Florida Statutes, is
29 amended to read:
30 282.318 Security of data and information technology
31 resources.--
1
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2006 CS for CS for SB 856
585-2347-06
1 (1) This section may be cited as the "Security of Data
2 and Information Technology Resources Act."
3 (2)(a) The Department of Management Services,
4 hereafter referred to as the department The State Technology
5 Office, in consultation with each agency head, is responsible
6 for coordinating, assessing, and recommending minimum
7 operating procedures for and accountable for assuring an
8 adequate level of security for all data and information
9 technology resources. To assist the department in carrying of
10 each agency and, to carry out this responsibility, each agency
11 shall, at a minimum:
12 (a)1. Designate an information security manager who
13 shall administer the security program of each agency for its
14 data and information technology resources.
15 (b)2. Conduct, and periodically update every 3 years,
16 a comprehensive risk analysis to determine the security
17 threats to the data, information, and information technology
18 resources of each agency. The risk analysis information is
19 confidential and exempt from the provisions of s. 119.07(1),
20 except that such information shall be available to the Auditor
21 General in performing his or her postauditing duties.
22 (c)3. Develop, and periodically update, written
23 internal policies and procedures that are consistent with the
24 standard operating procedures recommended by the department to
25 assure the security of the data and information technology
26 resources of each agency. The internal policies and
27 procedures which, if disclosed, could facilitate the
28 unauthorized modification, disclosure, or destruction of data
29 or information technology resources are confidential
30 information and exempt from the provisions of s. 119.07(1),
31
2
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2006 CS for CS for SB 856
585-2347-06
1 except that such information shall be available to the Auditor
2 General in performing his or her postauditing duties.
3 (d)4. Implement appropriate cost-effective safeguards
4 to reduce, eliminate, or recover from the identified risks to
5 the data and information technology resources of each agency.
6 (e)5. Ensure that periodic internal audits and
7 evaluations of each security program for the data,
8 information, and information technology resources of the
9 agency are conducted. The results of such internal audits and
10 evaluations are confidential information and exempt from the
11 provisions of s. 119.07(1), except that such information shall
12 be available to the Auditor General in performing his or her
13 postauditing duties.
14 (f)6. Include appropriate security requirements, as
15 determined by the State Technology Office, in consultation
16 with each agency head, in the written specifications for the
17 solicitation of information technology resources which are
18 consistent with the standard security operating procedures as
19 recommended by the department.
20 (b) In those instances in which the department State
21 Technology Office develops state contracts for use by state
22 agencies, the department office shall include appropriate
23 security requirements in the specifications for the
24 solicitation for state contracts for procuring information
25 technology resources.
26 (3) In order to ensure the security of data,
27 information, and information technology resources, the
28 department shall establish the Office of Information Security
29 and shall designate a Chief Information Security Officer as
30 the head of the office. The office shall coordinate its
31 activities with the Agency Chief Information Officers Council
3
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2006 CS for CS for SB 856
585-2347-06
1 as established in s. 282.315. The office is responsible for
2 developing a strategic plan for information technology
3 security which shall be submitted by December 1, 2006, to the
4 Executive Office of the Governor, the President of the Senate,
5 and the Speaker of the House of Representatives; developing
6 standards and templates for conducting comprehensive risk
7 analyses and information security audits by state agencies;
8 assisting agencies in their compliance with the provisions of
9 this section; establishing minimum standards for the recovery
10 of information technology following a disaster; and conducting
11 training for agency information security managers. This
12 subsection shall expire on June 30, 2007.
13 Section 2. The Legislature finds that infrastructure
14 enhancements and improvements to the radio system used by
15 state law enforcement agencies will provide increased
16 protection to the residents of this state and should be
17 considered for additional funding. In order to ensure
18 continued, improved communication and protection by state and
19 local law enforcement personnel, the recommendations of the
20 Joint Task Force on State Agency Law Enforcement
21 Communications, dated February 2005, or any subsequent
22 recommendations of the joint task force, should be implemented
23 contingent upon the appropriation of funds.
24 Section 3. This act shall take effect upon becoming a
25 law.
26
27
28
29
30
31
4
CODING: Words stricken are deletions; words underlined are additions.
Florida Senate - 2006 CS for CS for SB 856
585-2347-06
1 STATEMENT OF SUBSTANTIAL CHANGES CONTAINED IN
COMMITTEE SUBSTITUTE FOR
2 CS for SB 856
3
4 Provides that the DMS will recommend minimum standard
operating procedures for an adequate level of data and
5 information technology security.
6 Requires agencies to develop IT security procedures consistent
with the operating procedures recommended by the DMS.
7
Requires the Office of Information Security to develop and
8 submit to the Legislature and the Governor by December 1,
2006, a strategic plan for information security.
9
Assigns to the OIS various responsibilities relating to IT
10 security.
11 Provides that the section establishing the OIS expires on June
30, 2007.
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
5
CODING: Words stricken are deletions; words underlined are additions.