The Florida Senate

2008 Florida Statutes

SECTION 318
Security of data and information technology resources.
Section 282.318, Florida Statutes 2008

282.318  Security of data and information technology resources.--

(1)  This section may be cited as the "Security of Data and Information Technology Infrastructure Act."

(2)(a)  The Agency for Enterprise Information Technology, in consultation with each agency head, is responsible for assessing and recommending minimum operating procedures for ensuring an adequate level of security for all data and information technology resources for executive branch agencies created or authorized in statute to perform legislatively delegated functions. To assist the agency in carrying out this responsibility, each agency head shall, at a minimum:

1.  Designate an information security manager who shall administer the security program of the agency for its data and information technology resources.

2.  Conduct, and update every 3 years, a comprehensive risk analysis to determine the security threats to the data, information, and information technology resources of the agency. The risk analysis information is confidential and exempt from the provisions of s. 119.07(1), except that such information shall be available to the Auditor General and the Agency for Enterprise Information Technology in performing postauditing duties.

3.  Develop, and periodically update, written internal policies and procedures, which shall include procedures for notifying the Agency for Enterprise Information Technology when an information security incident occurs or data is compromised. Such policies and procedures must be consistent with the standard operating procedures adopted by the Agency for Enterprise Information Technology in order to ensure the security of the data, information, and information technology resources of the agency. The internal policies and procedures that, if disclosed, could facilitate the unauthorized modification, disclosure, or destruction of data or information technology resources are confidential information and exempt from the provisions of s. 119.07(1), except that such information shall be available to the Auditor General and the Agency for Enterprise Information Technology in performing postauditing duties.

4.  Implement appropriate cost-effective safeguards to reduce, eliminate, or recover from the identified risks to the data, information, and information technology resources of the agency.

5.  Ensure that periodic internal audits and evaluations of the agency's security program for the data, information, and information technology resources of the agency are conducted. The results of such internal audits and evaluations are confidential information and exempt from the provisions of s. 119.07(1), except that such information shall be available to the Auditor General and the Agency for Enterprise Information Technology in performing postauditing duties.

6.  Include appropriate security requirements in the written specifications for the solicitation of information technology and information technology resources which are consistent with the standard security operating procedures adopted by the Agency for Enterprise Information Technology.

(b)  In those instances under this subsection in which the state agency or department develops state contracts, the state agency or department shall include appropriate security requirements in the specifications for the solicitation for state contracts for procuring information technology or information technology resources.

(3)  The Agency for Enterprise Information Technology shall designate a chief information security officer.

(4)  The Agency for Enterprise Information Technology shall develop standards and templates for conducting comprehensive risk analyses and information security audits by state agencies, assist agencies in their compliance with the provisions of this section, pursue appropriate funding provided for the purpose of enhancing domestic security, establish minimum guidelines and procedures for the recovery of information technology following a disaster, and provide training for agency information security managers. Standards, templates, guidelines, and procedures shall be published annually, no later than September 30 each year, to enable agencies to incorporate them in their planning for the following fiscal year.

(5)  The Agency for Enterprise Information Technology may adopt rules pursuant to ss. 120.536(1) and 120.54 relating to information security and to administer the provisions of this section.

History.--ss. 1, 2, 3, ch. 84-236; s. 28, ch. 87-137; s. 1, ch. 89-14; s. 7, ch. 90-160; s. 13, ch. 91-171; s. 234, ch. 92-279; s. 55, ch. 92-326; s. 22, ch. 94-340; s. 863, ch. 95-148; s. 131, ch. 96-406; s. 15, ch. 97-286; s. 25, ch. 2000-164; s. 26, ch. 2001-261; s. 18, ch. 2006-26; s. 10, ch. 2007-105.