Florida Senate - 2014 COMMITTEE AMENDMENT
Bill No. SPB 7024
LEGISLATIVE ACTION
Senate: Comm: FAV, 02/05/2014
House: (no entry)
(Ring) recommended the following:
1 Senate Amendment (with title amendment)
2
3 Delete lines 948 - 1125
4 and insert:
5 generally accepted best practices for information technology
6 security, and adopting rules that safeguard an agency’s data,
7 information, and information technology resources to ensure its
8 availability, confidentiality, and integrity rules and
9 publishing guidelines for ensuring an appropriate level of
10 security for all data and information technology resources for
11 executive branch agencies. The agency shall also perform the
12 following duties and responsibilities:
13 (a) By June 30, 2015, develop, and annually update a
14 statewide by February 1, an enterprise information technology
15 security strategic plan that includes security goals and
16 objectives for the strategic issues of information technology
17 security policy, risk management, training, incident management,
18 and disaster recovery survivability planning.
19 (b) Develop and publish an information security framework
20 for use by state agencies which, at a minimum, includes
21 guidelines and processes enterprise security rules and published
22 guidelines for:
23 1. Developing and using a risk assessment methodology that
24 will apply to state agencies to identify the priorities,
25 constraints, risk tolerance, and assumptions.
26 2.1. Completing comprehensive risk assessments analyses and
27 information technology security audits. Such assessments and
28 audits shall be conducted by state agencies and reviewed by the
29 Agency for State Technology conducted by state agencies.
30 3. Identifying protection procedures to manage the
31 protection of a state agency’s information, data, and
32 information technology resources.
33 4. Detecting threats through proactive monitoring of
34 events, continuous security monitoring, and specified detection
35 processes.
36 5.2. Responding to suspected or confirmed information
37 technology security incidents, including suspected or confirmed
38 breaches of personal information containing confidential or
39 exempt data.
40 6.3. Developing state agency strategic and operational
41 information technology security plans required under this
42 section, including strategic security plans and security program
43 plans.
44 7.4. Recovering The recovery of information technology and
45 data in response to an information technology security incident
46 following a disaster. The recovery may include recommended
47 improvements to the processes, policies, or guidelines.
48 8.5. Establishing The managerial, operational, and
49 technical safeguards for protecting state government data and
50 information technology resources which align with state agency
51 risk management strategies for protecting the confidentiality,
52 integrity, and availability of information technology and data.
53 9. Establishing procedures for accessing information
54 technology resources and data in order to limit authorized
55 users, processes, or devices to authorized activities and
56 transactions to ensure the confidentiality, integrity, and
57 availability of such information and data.
58 10. Establishing asset management procedures to ensure that
59 information technology resources are identified and consistently
60 managed with their relative importance to business objectives.
61 (c) Assist state agencies in complying with the provisions
62 of this section.
63 (d) Pursue appropriate funding for the purpose of enhancing
64 domestic security.
65 (d)(e) In collaboration with the Cybercrime Office in the
66 Department of Law Enforcement, provide training for state agency
67 information security managers.
68 (e)(f) Annually review the strategic and operational
69 information technology security plans of state executive branch
70 agencies.
71 (3)(4) To assist the Agency for Enterprise Information
72 Technology in carrying out its responsibilities, Each state
73 agency head shall, at a minimum:
74 (a) Designate an information security manager who, for the
75 purposes of his or her information technology security duties,
76 shall report to the agency head and shall to administer the
77 information technology security program of the agency for its
78 data and information technology resources. This designation must
79 be provided annually in writing to the Agency for State
80 Enterprise Information Technology by January 1.
81 (b) Submit annually to the Agency for State Enterprise
82 Information Technology annually by July 31, the state agency’s
83 strategic and operational information technology security plans
84 developed pursuant to the rules and guidelines established by
85 the Agency for State Enterprise Information Technology.
86 1. The state agency strategic information technology
87 security plan must cover a 3-year period and, at a minimum,
88 define security goals, intermediate objectives, and projected
89 agency costs for the strategic issues of agency information
90 security policy, risk management, security training, security
91 incident response, and disaster recovery survivability. The plan
92 must be based on the statewide enterprise strategic information
93 security strategic plan created by the Agency for State
94 Enterprise Information Technology and include performance
95 metrics that can be objectively measured in order to gauge the
96 state agency’s progress in meeting the security goals and
97 objectives identified in the strategic information technology
98 security plan. Additional issues may be included.
99 2. The state agency operational information technology
100 security plan must include a progress report that objectively
101 measures progress made toward for the prior operational
102 information technology security plan and a project plan that
103 includes activities, timelines, and deliverables for security
104 objectives that, subject to current resources, the state agency
105 will implement during the current fiscal year. The cost of
106 implementing the portions of the plan which cannot be funded
107 from current resources must be identified in the plan.
108 (c) Conduct, and update every 3 years, a comprehensive risk
109 assessment analysis to determine the security threats to the
110 data, information, and information technology resources of the
111 state agency. The risk assessment must comply with the risk
112 assessment methodology developed by the Agency for State
113 Technology. The risk assessment analysis information is
114 confidential and exempt from the provisions of s. 119.07(1),
115 except that such information shall be available to the Auditor
116 General, and the Agency for State Enterprise Information
117 Technology, and the Cybercrime Office in the Department of Law
118 Enforcement for performing postauditing duties.
119 (d) Develop, and periodically update, written internal
120 policies and procedures, which include procedures for reporting
121 information technology security incidents and breaches to the
122 Cybercrime Office in the Department of Law Enforcement and
123 notifying the Agency for State Enterprise Information
124 Technology, and for those agencies under the jurisdiction of the
125 Governor, to the Chief Inspector General when a suspected or
126 confirmed breach, or an information security incident, occurs.
127 Such policies and procedures must be consistent with the rules,
128 and guidelines, and processes established by the Agency for
129 State Enterprise Information Technology to ensure the security
130 of the data, information, and information technology resources
131 of the state agency. The internal policies and procedures that,
132 if disclosed, could facilitate the unauthorized modification,
133 disclosure, or destruction of data or information technology
134 resources are confidential information and exempt from s.
135 119.07(1), except that such information shall be available to
136 the Auditor General, the Cybercrime Office in the Department of
137 Law Enforcement, and the Agency for State Enterprise Information
138 Technology, and for those agencies under the jurisdiction of the
139 Governor, to the Chief Inspector General for performing
140 postauditing duties.
141 (e) Implement the managerial, operational, and technical
142 appropriate cost-effective safeguards established by the Agency
143 for State Technology to address identified risks to the data,
144 information, and information technology resources of the agency.
145 (f) Ensure that periodic internal audits and evaluations of
146 the agency’s information technology security program for the
147 data, information, and information technology resources of the
148 agency are conducted. The results of such audits and evaluations
149 are confidential information and exempt from s. 119.07(1),
150 except that such information shall be available to the Auditor
151 General, the Cybercrime Office in the Department of Law
152 Enforcement, and the Agency for State Enterprise Information
153 Technology for performing postauditing duties.
154 (g) Include appropriate information technology security
155 requirements in the written specifications for the solicitation
156 of information technology and information technology resources
157 and services, which are consistent with the rules and guidelines
158 established by the Agency for State Enterprise Information
159 Technology in collaboration with the department.
160 (h) Require that state agency employees complete the
161 security awareness training offered by the Agency for State
162 Technology in collaboration with the Cybercrime Office in the
163 Department of Law Enforcement. Coordinate with state agencies to
164 provide agency-specific security training aligned with the
165 agency operational information technology security plan. Provide
166 security awareness training to employees and users of the
167 agency’s communication and information resources concerning
168 information security risks and the responsibility of employees
169 and users to comply with policies, standards, guidelines, and
170 operating procedures adopted by the agency to reduce those
171 risks.
172 (i) Develop processes a process for detecting, reporting,
173 and responding to information technology suspected or confirmed
174 security threats or breaches or information technology security
175 incidents which are, including suspected or confirmed breaches
176 consistent with the security rules, and guidelines, and
177 processes established by the Agency for State Enterprise
178 Information Technology.
179 1. All Suspected or confirmed information technology
180 security incidents and breaches must be immediately reported to
181 the Cybercrime Office in the Department of Law Enforcement and
182 the Agency for State Enterprise Information Technology.
183 2. For information technology security incidents involving
184 breaches, agencies shall provide notice in accordance with s.
185 817.5681 and to the Agency for Enterprise Information Technology
186 in accordance with this subsection.
187 (5) Each state agency shall include appropriate security
188 requirements in the specifications for the solicitation of
189 contracts for procuring information technology or information
190 technology resources or services which are consistent with the
191 rules and guidelines established by the Agency for Enterprise
192 Information Technology.
193 (4)(6) The Agency for State Enterprise Information
194 Technology may adopt rules relating to information technology
195 security and
196
197
198 ================= T I T L E A M E N D M E N T ================
199 And the title is amended as follows:
200 Delete line 36
201 and insert:
202 with respect to information technology security; repealing s.