Full Text of HB3737 100th General Assembly
HB3737sam001 100TH GENERAL ASSEMBLY | Sen. Iris Y. Martinez Filed: 5/4/2017
| | 10000HB3737sam001 | | LRB100 10533 JWD 25838 a |
|
| 1 | | AMENDMENT TO HOUSE BILL 3737
| 2 | | AMENDMENT NO. ______. Amend House Bill 3737 by replacing | 3 | | everything after the enacting clause with the following:
| 4 | | "Section 1. Short title. This Act may be cited as the | 5 | | Illinois Information Security Improvement Act. | 6 | | Section 5. Definitions. As used in this Act: | 7 | | "Critical information system" means any information system | 8 | | (including any telecommunications system) used or operated by a | 9 | | State agency or by a contractor of a State agency or other | 10 | | organization or entity on behalf of a State agency: that | 11 | | contains health insurance information, medical information, or | 12 | | personal information as defined in the Personal Information | 13 | | Protection Act;
where the unauthorized disclosure, | 14 | | modification, destruction of information in the information | 15 | | system could be expected to have a serious, severe, or | 16 | | catastrophic adverse effect on State agency operations, |
| | | 10000HB3737sam001 | - 2 - | LRB100 10533 JWD 25838 a |
|
| 1 | | assets, or individuals; or where the disruption of access to or | 2 | | use of the information or information system could be expected | 3 | | to have a serious, severe, or catastrophic adverse effect on | 4 | | State operations, assets, or individuals. | 5 | | "Department" means the Department of Innovation and | 6 | | Technology. | 7 | | "Information security" means protecting information and | 8 | | information systems from unauthorized access, use, disclosure, | 9 | | disruption, modification, or destruction in order to provide:
| 10 | | integrity, which means guarding against improper information | 11 | | modification or destruction, and includes ensuring information | 12 | | nonrepudiation and authenticity;
confidentiality, which means | 13 | | preserving authorized restrictions on access and disclosure, | 14 | | including means for protecting personal privacy and | 15 | | proprietary information; and
availability, which means | 16 | | ensuring timely and reliable access to and use of information. | 17 | | "Incident" means an occurrence that:
actually or | 18 | | imminently jeopardizes, without lawful authority, the | 19 | | confidentiality, integrity, or availability of information or | 20 | | an information system; or
constitutes a violation or imminent | 21 | | threat of violation of law, security policies, security | 22 | | procedures, or acceptable use policies or standard security | 23 | | practices. | 24 | | "Information system" means a discrete set of information | 25 | | resources organized for the collection, processing, | 26 | | maintenance, use, sharing, dissemination, or disposition of |
| | | 10000HB3737sam001 | - 3 - | LRB100 10533 JWD 25838 a |
|
| 1 | | information created or maintained by or for the State of | 2 | | Illinois. | 3 | | "Office" means the Office of the Statewide Chief | 4 | | Information Security Officer. | 5 | | "Secretary" means the Secretary of Innovation and | 6 | | Technology. | 7 | | "Security controls" means the management, operational, and | 8 | | technical controls (including safeguards and countermeasures) | 9 | | for an information system that protect the confidentiality, | 10 | | integrity, and availability of the system and its information. | 11 | | "State agency" means any agency under the jurisdiction of | 12 | | the Governor. | 13 | | Section 10. Purpose. The purposes of this Act are to: | 14 | | (1) provide a comprehensive framework for ensuring the | 15 | | effectiveness of information security controls over | 16 | | information resources that support State agency operations | 17 | | and assets; | 18 | | (2) recognize the critical role of information and | 19 | | information systems in the provision of life, health, | 20 | | safety, and other crucial services to the citizens of the | 21 | | State of Illinois and the risk posed to these services due | 22 | | to the ever-evolving cybersecurity threat; | 23 | | (3) recognize the highly networked nature of the | 24 | | current State of Illinois working environment and provide | 25 | | effective statewide management and oversight of the |
| | | 10000HB3737sam001 | - 4 - | LRB100 10533 JWD 25838 a |
|
| 1 | | related information security risks, including coordination | 2 | | of information security efforts across State agencies; | 3 | | (4) provide for the development and maintenance of | 4 | | minimum security controls required to protect State of | 5 | | Illinois information and information systems; | 6 | | (5) provide a mechanism for improved oversight of State | 7 | | agency information security programs, including through | 8 | | automated security tools to continuously diagnose and | 9 | | improve security; | 10 | | (6) recognize that information security risk is both a | 11 | | business and public safety issue, and the acceptance of | 12 | | risk is a decision to be made at the executive levels of | 13 | | State government; and
| 14 | | (7) ensure a continued and deliberate effort to reduce | 15 | | the risk posed to the State by cyberattacks and other | 16 | | information security incidents that could impact the | 17 | | information security of the State.
| 18 | | Section 15. Office of the Statewide Chief Information | 19 | | Security Officer. | 20 | | (a) The Office of the Statewide Chief Information Security | 21 | | Officer is established within the Department of Innovation and | 22 | | Technology. The Office is directly subordinate to the Secretary | 23 | | of Innovation and Technology. | 24 | | (b) The Office shall: | 25 | | (1) serve as the strategic planning, facilitation, and |
| | | 10000HB3737sam001 | - 5 - | LRB100 10533 JWD 25838 a |
|
| 1 | | coordination office for information technology security in | 2 | | this State and as the lead and central coordinating entity | 3 | | to guide and oversee the information security functions of | 4 | | State agencies;
| 5 | | (2) provide information security services to support | 6 | | the secure delivery of State agency services that utilize | 7 | | information systems and to assist State agencies with | 8 | | fulfilling their responsibilities under this Act;
| 9 | | (3) conduct information and cybersecurity strategic, | 10 | | operational, and resource planning and facilitating an | 11 | | effective enterprise information security architecture | 12 | | capable of protecting the State;
| 13 | | (4) identify information security risks in each State | 14 | | agency and recommend risk mitigation strategies, methods, | 15 | | and procedures to reduce these risks; | 16 | | (5) manage the response to information security and | 17 | | information security incidents involving State of Illinois | 18 | | information systems and
ensure the completeness of | 19 | | information system security plans for critical information | 20 | | systems; | 21 | | (6) conduct pre-deployment information security | 22 | | assessments for critical information systems and submit | 23 | | findings and recommendations to the Secretary and State | 24 | | agency heads; | 25 | | (7) develop and conduct targeted operational | 26 | | evaluations, including threat and vulnerability |
| | | 10000HB3737sam001 | - 6 - | LRB100 10533 JWD 25838 a |
|
| 1 | | assessments on information systems; | 2 | | (8) monitor and report compliance of each State agency | 3 | | with State information security policies, standards, and | 4 | | procedures; | 5 | | (9) coordinate statewide information security | 6 | | awareness and training programs; and | 7 | | (10) develop and execute other strategies as necessary | 8 | | to protect this State's information technology | 9 | | infrastructure and the data stored on or transmitted by | 10 | | such infrastructure.
| 11 | | (c) The Office may temporarily suspend operation of an | 12 | | information system or information technology infrastructure | 13 | | that is owned, leased, outsourced, or shared by one or more | 14 | | State agencies in order to isolate the source of, or stop the | 15 | | spread of, an information security breach or other similar | 16 | | information security incident. State agencies shall comply | 17 | | with directives to temporarily discontinue or suspend | 18 | | operations of information systems or information technology | 19 | | infrastructure. | 20 | | Section 20. Statewide Chief Information Security Officer. | 21 | | The position of Statewide Chief Information Security Officer is | 22 | | established within the Office. The Secretary shall appoint a | 23 | | Statewide Chief Information Security Officer who shall serve at | 24 | | the pleasure of the Secretary. The Statewide Chief Information | 25 | | Security Officer shall report to and be under the supervision |
| | | 10000HB3737sam001 | - 7 - | LRB100 10533 JWD 25838 a |
|
| 1 | | of the Secretary. The Statewide Chief Information Security | 2 | | Officer shall exhibit a background and experience in | 3 | | information security, information technology, or risk | 4 | | management, or exhibit other appropriate expertise required to | 5 | | fulfill the duties of the Statewide Chief Information Security | 6 | | Officer.
If the Statewide Chief Information Security Officer is | 7 | | unable or unavailable to perform the duties and | 8 | | responsibilities under Section 25, all powers and authority | 9 | | granted to the Statewide Chief Information Security Officer may | 10 | | be exercised by the Secretary or his or her designee.
| 11 | | Section 25. Responsibilities. | 12 | | (a) The Secretary shall: | 13 | | (1) appoint a Statewide Chief Information Security | 14 | | Officer pursuant to Section 20; | 15 | | (2) provide the Office with the staffing and resources | 16 | | deemed necessary by the Secretary to fulfill the | 17 | | responsibilities of the Office; | 18 | | (3) oversee statewide information security policies | 19 | | and practices, including:
| 20 | | (A) directing and overseeing the development, | 21 | | implementation, and communication of statewide | 22 | | information security policies, standards, and | 23 | | guidelines; | 24 | | (B) overseeing the education of State agency | 25 | | personnel regarding the requirement to identify and |
| | | 10000HB3737sam001 | - 8 - | LRB100 10533 JWD 25838 a |
|
| 1 | | provide information security protections commensurate | 2 | | with the risk and magnitude of the harm resulting from | 3 | | the unauthorized access, use, disclosure, disruption, | 4 | | modification, or destruction of information in a | 5 | | critical information system; | 6 | | (C) overseeing the development and implementation | 7 | | of a statewide information security risk management | 8 | | program; | 9 | | (D) overseeing State agency compliance with the | 10 | | requirements of this Section; | 11 | | (E) coordinating Information Security policies and | 12 | | practices with related information and personnel | 13 | | resources management policies and procedures; and | 14 | | (F) providing an effective and efficient process | 15 | | to assist State agencies with complying with the | 16 | | requirements of this Act. | 17 | | (b) The Statewide Chief Information Security Officer | 18 | | shall: | 19 | | (1) serve as the head of the Office and ensure the | 20 | | execution of the responsibilities of the Office as set | 21 | | forth in subsection (c) of Section 15, the Statewide Chief | 22 | | Information Security Officer shall also oversee State | 23 | | agency personnel with significant responsibilities for | 24 | | information security and ensure a competent workforce that | 25 | | keeps pace with the changing information security | 26 | | environment; |
| | | 10000HB3737sam001 | - 9 - | LRB100 10533 JWD 25838 a |
|
| 1 | | (2) develop and recommend information security | 2 | | policies, standards, procedures, and guidelines to the | 3 | | Secretary for statewide adoption and monitor compliance | 4 | | with these policies, standards, guidelines, and procedures | 5 | | through periodic testing; | 6 | | (3) develop and maintain risk-based, cost-effective | 7 | | information security programs and control techniques to | 8 | | address all applicable security and compliance | 9 | | requirements throughout the life cycle of State agency | 10 | | information systems; | 11 | | (4) establish the procedures, processes, and | 12 | | technologies to rapidly and effectively identify threats, | 13 | | risks, and vulnerabilities to State information systems, | 14 | | and ensure the prioritization of the remediation of | 15 | | vulnerabilities that pose risk to the State; | 16 | | (5) develop and implement capabilities and procedures | 17 | | for detecting, reporting, and responding to information | 18 | | security incidents; | 19 | | (6) establish and direct a statewide information | 20 | | security risk management program to identify information | 21 | | security risks in State agencies and deploy risk mitigation | 22 | | strategies, processes, and procedures; | 23 | | (7) establish the State's capability to sufficiently | 24 | | protect the security of data through effective information | 25 | | system security planning, secure system development, | 26 | | acquisition, and deployment, the application of protective |
| | | 10000HB3737sam001 | - 10 - | LRB100 10533 JWD 25838 a |
|
| 1 | | technologies and information system certification, | 2 | | accreditation, and assessments; | 3 | | (8) ensure that State agency personnel, including | 4 | | contractors, are appropriately screened and receive | 5 | | information security awareness training; | 6 | | (9) convene meetings with agency heads and other State | 7 | | officials to help ensure: | 8 | | (A) the ongoing communication of risk and risk | 9 | | reduction strategies, | 10 | | (B) effective implementation of information | 11 | | security policies and practices, and | 12 | | (C) the incorporation of and compliance with | 13 | | information security policies, standards, and | 14 | | guidelines into the policies and procedures of the | 15 | | agencies; | 16 | | (10) provide operational and technical assistance to | 17 | | State agencies in implementing policies, principles, | 18 | | standards, and guidelines on information security, | 19 | | including implementation of standards promulgated under | 20 | | subparagraph (A) of paragraph (3) of subsection (a) of this | 21 | | Section, and provide assistance and effective and | 22 | | efficient means for State agencies to comply with the State | 23 | | agency requirements under this Act; | 24 | | (11) in coordination and consultation with the | 25 | | Secretary and the Governor's Office of Management and | 26 | | Budget, review State agency budget requests related to |
| | | 10000HB3737sam001 | - 11 - | LRB100 10533 JWD 25838 a |
|
| 1 | | Information Security systems and provide recommendations | 2 | | to the Governor's Office of Management and Budget; | 3 | | (12) ensure the preparation and maintenance of plans | 4 | | and procedures to provide cyber resilience and continuity | 5 | | of operations for critical information systems that | 6 | | support the operations of the State; and | 7 | | (13) take such other actions as the Secretary may | 8 | | direct.
| 9 | | Section 99. Effective date. This Act takes effect January | 10 | | 1, 2018, but this Act does not take effect at all unless Senate | 11 | | Bill 1606 of the 100th General Assembly becomes law.".
|
|