Sen. Iris Y. Martinez
Filed: 5/4/2017
10000HB3737sam001    LRB100 10533 JWD 25838 a
AMENDMENT TO HOUSE BILL 3737

AMENDMENT NO. ______. Amend House Bill 3737 by replacing everything after the enacting clause with the following:

"Section 1. Short title. This Act may be cited as the Illinois Information Security Improvement Act.

Section 5. Definitions. As used in this Act:

"Critical information system" means any information system (including any telecommunications system) used or operated by a State agency or by a contractor of a State agency or other organization or entity on behalf of a State agency:
    that contains health insurance information, medical information, or personal information as defined in the Personal Information Protection Act;
    where the unauthorized disclosure, modification, or destruction of information in the information system could be expected to have a serious, severe, or catastrophic adverse effect on State agency operations,
    assets, or individuals; or
    where the disruption of access to or use of the information or information system could be expected to have a serious, severe, or catastrophic adverse effect on State operations, assets, or individuals.

"Department" means the Department of Innovation and Technology.

"Information security" means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
    integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
    confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
    availability, which means ensuring timely and reliable access to and use of information.

"Incident" means an occurrence that:
    actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or
    constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies or standard security practices.

"Information system" means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of
information created or maintained by or for the State of Illinois.

"Office" means the Office of the Statewide Chief Information Security Officer.

"Secretary" means the Secretary of Innovation and Technology.

"Security controls" means the management, operational, and technical controls (including safeguards and countermeasures) for an information system that protect the confidentiality, integrity, and availability of the system and its information.

"State agency" means any agency under the jurisdiction of the Governor.

Section 10. Purpose. The purposes of this Act are to:
    (1) provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support State agency operations and assets;
    (2) recognize the critical role of information and information systems in the provision of life, health, safety, and other crucial services to the citizens of the State of Illinois and the risk posed to these services due to the ever-evolving cybersecurity threat;
    (3) recognize the highly networked nature of the current State of Illinois working environment and provide effective statewide management and oversight of the
    related information security risks, including coordination of information security efforts across State agencies;
    (4) provide for the development and maintenance of minimum security controls required to protect State of Illinois information and information systems;
    (5) provide a mechanism for improved oversight of State agency information security programs, including through automated security tools to continuously diagnose and improve security;
    (6) recognize that information security risk is both a business and public safety issue, and the acceptance of risk is a decision to be made at the executive levels of State government; and
    (7) ensure a continued and deliberate effort to reduce the risk posed to the State by cyberattacks and other information security incidents that could impact the information security of the State.

Section 15. Office of the Statewide Chief Information Security Officer.

(a) The Office of the Statewide Chief Information Security Officer is established within the Department of Innovation and Technology. The Office is directly subordinate to the Secretary of Innovation and Technology.

(b) The Office shall:
    (1) serve as the strategic planning, facilitation, and
    coordination office for information technology security in this State and as the lead and central coordinating entity to guide and oversee the information security functions of State agencies;
    (2) provide information security services to support the secure delivery of State agency services that utilize information systems and to assist State agencies with fulfilling their responsibilities under this Act;
    (3) conduct information and cybersecurity strategic, operational, and resource planning and facilitate an effective enterprise information security architecture capable of protecting the State;
    (4) identify information security risks in each State agency and recommend risk mitigation strategies, methods, and procedures to reduce these risks;
    (5) manage the response to information security and information security incidents involving State of Illinois information systems and ensure the completeness of information system security plans for critical information systems;
    (6) conduct pre-deployment information security assessments for critical information systems and submit findings and recommendations to the Secretary and State agency heads;
    (7) develop and conduct targeted operational evaluations, including threat and vulnerability
    assessments on information systems;
    (8) monitor and report compliance of each State agency with State information security policies, standards, and procedures;
    (9) coordinate statewide information security awareness and training programs; and
    (10) develop and execute other strategies as necessary to protect this State's information technology infrastructure and the data stored on or transmitted by such infrastructure.

(c) The Office may temporarily suspend operation of an information system or information technology infrastructure that is owned, leased, outsourced, or shared by one or more State agencies in order to isolate the source of, or stop the spread of, an information security breach or other similar information security incident. State agencies shall comply with directives to temporarily discontinue or suspend operations of information systems or information technology infrastructure.

Section 20. Statewide Chief Information Security Officer. The position of Statewide Chief Information Security Officer is established within the Office. The Secretary shall appoint a Statewide Chief Information Security Officer who shall serve at the pleasure of the Secretary. The Statewide Chief Information Security Officer shall report to and be under the supervision
of the Secretary. The Statewide Chief Information Security Officer shall exhibit a background and experience in information security, information technology, or risk management, or exhibit other appropriate expertise required to fulfill the duties of the Statewide Chief Information Security Officer. If the Statewide Chief Information Security Officer is unable or unavailable to perform the duties and responsibilities under Section 25, all powers and authority granted to the Statewide Chief Information Security Officer may be exercised by the Secretary or his or her designee.

Section 25. Responsibilities.

(a) The Secretary shall:
    (1) appoint a Statewide Chief Information Security Officer pursuant to Section 20;
    (2) provide the Office with the staffing and resources deemed necessary by the Secretary to fulfill the responsibilities of the Office;
    (3) oversee statewide information security policies and practices, including:
        (A) directing and overseeing the development, implementation, and communication of statewide information security policies, standards, and guidelines;
        (B) overseeing the education of State agency personnel regarding the requirement to identify and
        provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information in a critical information system;
        (C) overseeing the development and implementation of a statewide information security risk management program;
        (D) overseeing State agency compliance with the requirements of this Section;
        (E) coordinating information security policies and practices with related information and personnel resources management policies and procedures; and
        (F) providing an effective and efficient process to assist State agencies with complying with the requirements of this Act.

(b) The Statewide Chief Information Security Officer shall:
    (1) serve as the head of the Office and ensure the execution of the responsibilities of the Office as set forth in subsection (c) of Section 15. The Statewide Chief Information Security Officer shall also oversee State agency personnel with significant responsibilities for information security and ensure a competent workforce that keeps pace with the changing information security environment;
    (2) develop and recommend information security policies, standards, procedures, and guidelines to the Secretary for statewide adoption and monitor compliance with these policies, standards, guidelines, and procedures through periodic testing;
    (3) develop and maintain risk-based, cost-effective information security programs and control techniques to address all applicable security and compliance requirements throughout the life cycle of State agency information systems;
    (4) establish the procedures, processes, and technologies to rapidly and effectively identify threats, risks, and vulnerabilities to State information systems, and ensure the prioritization of the remediation of vulnerabilities that pose risk to the State;
    (5) develop and implement capabilities and procedures for detecting, reporting, and responding to information security incidents;
    (6) establish and direct a statewide information security risk management program to identify information security risks in State agencies and deploy risk mitigation strategies, processes, and procedures;
    (7) establish the State's capability to sufficiently protect the security of data through effective information system security planning, secure system development, acquisition, and deployment, the application of protective
    technologies and information system certification, accreditation, and assessments;
    (8) ensure that State agency personnel, including contractors, are appropriately screened and receive information security awareness training;
    (9) convene meetings with agency heads and other State officials to help ensure:
        (A) the ongoing communication of risk and risk reduction strategies,
        (B) effective implementation of information security policies and practices, and
        (C) the incorporation of and compliance with information security policies, standards, and guidelines into the policies and procedures of the agencies;
    (10) provide operational and technical assistance to State agencies in implementing policies, principles, standards, and guidelines on information security, including implementation of standards promulgated under subparagraph (A) of paragraph (3) of subsection (a) of this Section, and provide assistance and effective and efficient means for State agencies to comply with the State agency requirements under this Act;
    (11) in coordination and consultation with the Secretary and the Governor's Office of Management and Budget, review State agency budget requests related to
    information security systems and provide recommendations to the Governor's Office of Management and Budget;
    (12) ensure the preparation and maintenance of plans and procedures to provide cyber resilience and continuity of operations for critical information systems that support the operations of the State; and
    (13) take such other actions as the Secretary may direct.

Section 99. Effective date. This Act takes effect January 1, 2018, but this Act does not take effect at all unless Senate Bill 1606 of the 100th General Assembly becomes law.".