SENATE COMMITTEE ON APPROPRIATIONS
Senator Ricardo Lara, Chair
2015 - 2016 Regular Session
AB 670 (Irwin) - Information technology security
Version: June 23, 2015
Urgency: No
Hearing Date: August 17, 2015
Policy Vote: G.O. 12 - 0
Mandate: No
Consultant: Mark McKenzie
This bill meets the criteria for referral to the Suspense File.
Bill Summary: AB 670 would require the Office of Information Security (OIS), within
the Department of Technology, to conduct an independent security assessment of every
state agency at least once every two years, as specified.
Fiscal Impact:
• The Department of Technology would incur costs of approximately $2 million in
2016-17, and ongoing costs of approximately $1.9 million for 12 PY of staff to
conduct security assessments. Staff estimates that OIS would have additional costs
in the hundreds of thousands annually for travel and other associated charges.
(Technology Services Revolving Fund)

• Ongoing, potentially significant cost pressures for state entities to make necessary
IT improvements to address vulnerabilities identified through security assessments.
However, these improvements would decrease the likelihood that agencies would
experience a future data breach, thereby avoiding related costs in future years.
(General Fund and/or Special Funds)

• Estimated Department of Technology costs in the range of $100,000 to $150,000 to
develop and adopt standards for the OIS, Military Department, or entity conducting a
security assessment to follow when conducting those assessments and reporting
results. These costs include necessary updates to the State Administrative Manual.
(Technology Services Revolving Fund)
Background: Existing law provides that the Department of Technology is generally
responsible for the approval and oversight of state information technology (IT) projects.
The OIS within the Department of Technology is responsible for ensuring the
confidentiality and integrity of state data systems. The OIS is required to establish
policies, standards, and procedures for state agencies to manage security and risk.
Existing law authorizes the OIS to conduct independent security assessments of any
state agency, department, or office, and requires the state entity whose systems are
being assessed to pay for the security assessment. Existing state policy outlined in the
State Administrative Manual requires each state agency to conduct a comprehensive IT
risk assessment once every two years and document the results in a risk assessment
report.
In 2013, the Governor administratively directed the Office of Emergency Services (OES)
and the Department of Technology to create a Cyber Security Task Force comprised of
specified stakeholders, subject matter experts, and cyber security professionals from
public, private, academic, and law enforcement sectors. The mission of the Task Force
is to enhance the security of California’s digital infrastructure and to create a culture of
cybersecurity through collaboration, information sharing, and education and awareness.
Existing law provides that the California Military Department manages the Computer
Network Defense Team (CND-T) to assist Department of Defense, federal, state, and local
government partners, and critical infrastructure providers, in providing confidentiality,
integrity, and availability of critical network infrastructure. The CND-T also provides
support and assistance through established partnerships with cyber security vendors,
academia, and government entities. The 2014 Budget Act provided 6 PY of staff and
$774,000 in ongoing funding to support the CND-T with the goal of assisting agencies
by providing actionable products, assistance, and services designed to improve overall
cyber security compliance, reduce risk, and protect the public.
Proposed Law: AB 670 would require the OIS to conduct, or cause to be conducted,
an independent security assessment of every state agency, department, and office at
least once every two years, the cost of which is funded by the state entity being
assessed. Specifically, this bill would:
• Require the assessment to be conducted in compliance with specified national
standards and include, to the extent practicable, vulnerability scanning, penetration
testing, and a report on the number, severity, and nature of identified vulnerabilities
and recommendations for remediation and risk mitigation.
• Authorize the Military Department to perform required independent security
assessments, respond to a security incident, or mitigate the impacts of a cyber
attack, upon the request of OES.
• Require OIS to report to the Department of Technology any state agency found to be
noncompliant with information security program requirements.
• Authorize the Department of Technology to require an agency to redirect any
authorized funds within its budget to pay costs of coming into compliance with
recommendations made in a security assessment.
• Require OIS, the Military Department, or any entity conducting an assessment to
transmit the results only to the agency that was the subject of the assessment,
and to transmit aggregated results of the assessment to the Department of
Technology.
• Require the Department of Technology to adopt standards that prescribe the manner
in which the aggregate results of an assessment are transmitted to the Department
of Technology. The standards must include specified information and must be
incorporated into the State Administrative Manual.
• Specify that transmission of the results of an independent security assessment
must be restricted to state government employees and approved contractors,
but those results, the aggregate of the results, and any related information are
subject to all disclosure and confidentiality provisions of state law, as specified.
• Require that any data produced during the creation of a security assessment be
destroyed within one year, unless OES determines it should be retained for a longer
period for state security purposes.
Staff Comments: AB 670 is intended to increase the overall security of state IT
systems and networks by requiring OIS, within the Department of Technology, to
perform an independent security assessment of every state agency under its jurisdiction
every two years. While state policy, as outlined in the State Administrative Manual,
currently requires agencies to conduct security assessments once every two years,
there is no statutory requirement, and many agencies have failed to comply.
The bill requires OIS to conduct, or require to be conducted, an independent security
assessment of every state agency every two years, and authorizes the Military
Department to conduct assessments, when directed by the Office of Emergency
Services. Since the bill mandates OIS to conduct the assessments, the Department of
Technology estimates it will need an additional 12 PY of staff, at an ongoing cost of
approximately $1.9 million annually, to conduct security assessments of approximately
75 state agencies each year. There would be additional costs and charges related to
travel, meals, and lodging, as well as vendor costs and project management and
oversight charges. All costs would be charged to the agencies being assessed, so the
bill would result in costs to the funds of various agency budgets, the revenues of which
would be transferred to the Technology Services Revolving Fund to support the OIS
activities.
The costs to each individual agency would vary, depending on the number of systems
and critical applications, the complexity of those systems, and the locations of facilities
around the state that would need to be accessed. The Military Department estimates
that security assessments range in cost from $11,000 to $35,000, although it is unclear
whether these costs include all required components specified in the bill. Individual state
entities that have reported costs to the Committee, based on previous assessments,
indicate that costs can range from the low tens of thousands to the low hundreds of
thousands for each department’s security assessment. In addition, the Department of
Technology has provided information with a sampling of recent costs incurred by state
agencies related to outsourcing independent risk assessments to contractors, with
smaller agencies having total costs of $30,000 to $50,000 per assessment, and large
agencies having security assessment costs ranging from $200,000 to $500,000. Using
these samples of costs, total statewide costs could be as high as $10 million annually, if
security assessments were performed solely through contracts with private vendors.
These costs are only presented for illustrative and comparative purposes.
-- END --