|
| | 100TH GENERAL ASSEMBLY
State of Illinois
2017 and 2018
HB5093 Introduced , by Rep. Jaime M. Andrade, Jr. SYNOPSIS AS INTRODUCED:
|
| |
Creates the Illinois Information Security Improvement Act. Creates the Office of the Statewide Chief Information Security Officer within the Department of Innovation and Technology. Provides for the duties and powers of the Office. Creates the position of Statewide Chief Information Security Officer to serve as the head of the Office. Provides for the qualifications, powers, and duties of the Statewide Chief Information Security Officer, and for the appointment of the Statewide Chief Information Security Officer by the Secretary of Innovation and Technology. Defines terms. Effective January 1, 2019.
|
| |
| | A BILL FOR |
|
|
| | HB5093 | | LRB100 20465 RJF 35821 b |
|
|
| 1 | | AN ACT concerning government.
|
| 2 | | Be it enacted by the People of the State of Illinois,
|
| 3 | | represented in the General Assembly:
|
| 4 | | Section 1. Short title. This Act may be cited as the |
| 5 | | Illinois Information Security Improvement Act.
|
| 6 | | Section 5. Definitions. As used in this Act: |
| 7 | | "Critical information system" means any information system |
| 8 | | (including any telecommunications system) used or operated by a |
| 9 | | State agency or by a contractor of a State agency or other |
| 10 | | organization or entity on behalf of a State agency: that |
| 11 | | contains health insurance information, medical information, or |
| 12 | | personal information as defined in the Personal Information |
| 13 | | Protection Act;
where the unauthorized disclosure, |
| 14 | | modification, destruction of information in the information |
| 15 | | system could be expected to have a serious, severe, or |
| 16 | | catastrophic adverse effect on State agency operations, |
| 17 | | assets, or individuals; or where the disruption of access to or |
| 18 | | use of the information or information system could be expected |
| 19 | | to have a serious, severe, or catastrophic adverse effect on |
| 20 | | State operations, assets, or individuals. |
| 21 | | "Department" means the Department of Innovation and |
| 22 | | Technology. |
| 23 | | "Information security" means protecting information and |
|
| | HB5093 | - 2 - | LRB100 20465 RJF 35821 b |
|
|
| 1 | | information systems from unauthorized access, use, disclosure, |
| 2 | | disruption, modification, or destruction in order to provide:
|
| 3 | | integrity, which means guarding against improper information |
| 4 | | modification or destruction, and includes ensuring information |
| 5 | | nonrepudiation and authenticity;
confidentiality, which means |
| 6 | | preserving authorized restrictions on access and disclosure, |
| 7 | | including means for protecting personal privacy and |
| 8 | | proprietary information; and
availability, which means |
| 9 | | ensuring timely and reliable access to and use of information. |
| 10 | | "Incident" means an occurrence that:
actually or |
| 11 | | imminently jeopardizes, without lawful authority, the |
| 12 | | confidentiality, integrity, or availability of information or |
| 13 | | an information system; or
constitutes a violation or imminent |
| 14 | | threat of violation of law, security policies, security |
| 15 | | procedures, or acceptable use policies or standard security |
| 16 | | practices. |
| 17 | | "Information system" means a discrete set of information |
| 18 | | resources organized for the collection, processing, |
| 19 | | maintenance, use, sharing, dissemination, or disposition of |
| 20 | | information created or maintained by or for the State of |
| 21 | | Illinois. |
| 22 | | "Office" means the Office of the Statewide Chief |
| 23 | | Information Security Officer. |
| 24 | | "Secretary" means the Secretary of Innovation and |
| 25 | | Technology. |
| 26 | | "Security controls" means the management, operational, and |
|
| | HB5093 | - 3 - | LRB100 20465 RJF 35821 b |
|
|
| 1 | | technical controls (including safeguards and countermeasures) |
| 2 | | for an information system that protect the confidentiality, |
| 3 | | integrity, and availability of the system and its information. |
| 4 | | "State agency" means any agency under the jurisdiction of |
| 5 | | the Governor.
|
| 6 | | Section 10. Purpose. The purposes of this Act are to: |
| 7 | | (1) provide a comprehensive framework for ensuring the |
| 8 | | effectiveness of information security controls over |
| 9 | | information resources that support State agency operations |
| 10 | | and assets; |
| 11 | | (2) recognize the critical role of information and |
| 12 | | information systems in the provision of life, health, |
| 13 | | safety, and other crucial services to the citizens of the |
| 14 | | State of Illinois and the risk posed to these services due |
| 15 | | to the ever-evolving cybersecurity threat; |
| 16 | | (3) recognize the highly networked nature of the |
| 17 | | current State of Illinois working environment and provide |
| 18 | | effective statewide management and oversight of the |
| 19 | | related information security risks, including coordination |
| 20 | | of information security efforts across State agencies; |
| 21 | | (4) provide for the development and maintenance of |
| 22 | | minimum security controls required to protect State of |
| 23 | | Illinois information and information systems; |
| 24 | | (5) provide a mechanism for improved oversight of State |
| 25 | | agency information security programs, including through |
|
| | HB5093 | - 4 - | LRB100 20465 RJF 35821 b |
|
|
| 1 | | automated security tools to continuously diagnose and |
| 2 | | improve security; |
| 3 | | (6) recognize that information security risk is both a |
| 4 | | business and public safety issue, and the acceptance of |
| 5 | | risk is a decision to be made at the executive levels of |
| 6 | | State government; and
|
| 7 | | (7) ensure a continued and deliberate effort to reduce |
| 8 | | the risk posed to the State by cyberattacks and other |
| 9 | | information security incidents that could impact the |
| 10 | | information security of the State.
|
| 11 | | Section 15. Office of the Statewide Chief Information |
| 12 | | Security Officer. |
| 13 | | (a) The Office of the Statewide Chief Information Security |
| 14 | | Officer is established within the Department of Innovation and |
| 15 | | Technology. The Office is directly subordinate to the Secretary |
| 16 | | of Innovation and Technology. |
| 17 | | (b) The Office shall: |
| 18 | | (1) serve as the strategic planning, facilitation, and |
| 19 | | coordination office for information technology security in |
| 20 | | this State and as the lead and central coordinating entity |
| 21 | | to guide and oversee the information security functions of |
| 22 | | State agencies;
|
| 23 | | (2) provide information security services to support |
| 24 | | the secure delivery of State agency services that utilize |
| 25 | | information systems and to assist State agencies with |
|
| | HB5093 | - 5 - | LRB100 20465 RJF 35821 b |
|
|
| 1 | | fulfilling their responsibilities under this Act;
|
| 2 | | (3) conduct information and cybersecurity strategic, |
| 3 | | operational, and resource planning and facilitating an |
| 4 | | effective enterprise information security architecture |
| 5 | | capable of protecting the State;
|
| 6 | | (4) identify information security risks to each State
|
| 7 | | agency, to third-party providers, and to key supply chain
|
| 8 | | partners, including an assessment of the extent to which
|
| 9 | | information resources or processes are vulnerable to
|
| 10 | | unauthorized access or harm, including the extent to which |
| 11 | | the
agency's or contractor's electronically stored |
| 12 | | information is
vulnerable to unauthorized access, use, |
| 13 | | disclosure,
disruption, modification, or destruction, and |
| 14 | | recommend risk
mitigation strategies, methods, and |
| 15 | | procedures to reduce those
risks. These assessments shall |
| 16 | | also include, but not be limited
to, assessments of |
| 17 | | information systems, computers, printers,
software, |
| 18 | | computer networks, interfaces to computer systems, mobile |
| 19 | | and peripheral device sensors, and other devices or
systems |
| 20 | | which access the State's network, computer software,
and |
| 21 | | information processing or operational procedures of the
|
| 22 | | agency or of a contractor of the agency. |
| 23 | | (5) manage the response to information security and |
| 24 | | information security incidents involving State of Illinois |
| 25 | | information systems and
ensure the completeness of |
| 26 | | information system security plans for critical information |
|
| | HB5093 | - 6 - | LRB100 20465 RJF 35821 b |
|
|
| 1 | | systems; |
| 2 | | (6) conduct pre-deployment information security |
| 3 | | assessments for critical information systems and submit |
| 4 | | findings and recommendations to the Secretary and State |
| 5 | | agency heads; |
| 6 | | (7) develop and conduct targeted operational |
| 7 | | evaluations, including threat and vulnerability |
| 8 | | assessments on information systems; |
| 9 | | (8) monitor and report compliance of each State agency |
| 10 | | with State information security policies, standards, and |
| 11 | | procedures; |
| 12 | | (9) coordinate statewide information security |
| 13 | | awareness and training programs; and |
| 14 | | (10) develop and execute other strategies as necessary |
| 15 | | to protect this State's information technology |
| 16 | | infrastructure and the data stored on or transmitted by |
| 17 | | such infrastructure.
|
| 18 | | (c) The Office may temporarily suspend operation of an |
| 19 | | information system or information technology infrastructure |
| 20 | | that is owned, leased, outsourced, or shared by one or more |
| 21 | | State agencies in order to isolate the source of, or stop the |
| 22 | | spread of, an information security breach or other similar |
| 23 | | information security incident. State agencies shall comply |
| 24 | | with directives to temporarily discontinue or suspend |
| 25 | | operations of information systems or information technology |
| 26 | | infrastructure.
|
|
| | HB5093 | - 7 - | LRB100 20465 RJF 35821 b |
|
|
| 1 | | Section 20. Statewide Chief Information Security Officer. |
| 2 | | The position of Statewide Chief Information Security Officer is |
| 3 | | established within the Office. The Secretary shall appoint a |
| 4 | | Statewide Chief Information Security Officer who shall serve at |
| 5 | | the pleasure of the Secretary. The Statewide Chief Information |
| 6 | | Security Officer shall report to and be under the supervision |
| 7 | | of the Secretary. The Statewide Chief Information Security |
| 8 | | Officer shall exhibit a background and experience in |
| 9 | | information security, information technology, or risk |
| 10 | | management, or exhibit other appropriate expertise required to |
| 11 | | fulfill the duties of the Statewide Chief Information Security |
| 12 | | Officer.
If the Statewide Chief Information Security Officer is |
| 13 | | unable or unavailable to perform the duties and |
| 14 | | responsibilities under Section 25, all powers and authority |
| 15 | | granted to the Statewide Chief Information Security Officer may |
| 16 | | be exercised by the Secretary or his or her designee.
|
| 17 | | Section 25. Responsibilities. |
| 18 | | (a) The Secretary shall: |
| 19 | | (1) appoint a Statewide Chief Information Security |
| 20 | | Officer pursuant to Section 20; |
| 21 | | (2) provide the Office with the staffing and resources |
| 22 | | deemed necessary by the Secretary to fulfill the |
| 23 | | responsibilities of the Office; |
| 24 | | (3) oversee statewide information security policies |
|
| | HB5093 | - 8 - | LRB100 20465 RJF 35821 b |
|
|
| 1 | | and practices, including:
|
| 2 | | (A) directing and overseeing the development, |
| 3 | | implementation, and communication of statewide |
| 4 | | information security policies, standards, and |
| 5 | | guidelines; |
| 6 | | (B) overseeing the education of State agency |
| 7 | | personnel regarding the requirement to identify and |
| 8 | | provide information security protections commensurate |
| 9 | | with the risk and magnitude of the harm resulting from |
| 10 | | the unauthorized access, use, disclosure, disruption, |
| 11 | | modification, or destruction of information in a |
| 12 | | critical information system; |
| 13 | | (C) overseeing the development and implementation |
| 14 | | of a statewide information security risk management |
| 15 | | program; |
| 16 | | (D) overseeing State agency compliance with the |
| 17 | | requirements of this Section; |
| 18 | | (E) coordinating Information Security policies and |
| 19 | | practices with related information and personnel |
| 20 | | resources management policies and procedures; and |
| 21 | | (F) providing an effective and efficient process |
| 22 | | to assist State agencies with complying with the |
| 23 | | requirements of this Act. |
| 24 | | (b) The Statewide Chief Information Security Officer |
| 25 | | shall: |
| 26 | | (1) serve as the head of the Office and ensure the |
|
| | HB5093 | - 9 - | LRB100 20465 RJF 35821 b |
|
|
| 1 | | execution of the responsibilities of the Office as set |
| 2 | | forth in subsection (c) of Section 15, the Statewide Chief |
| 3 | | Information Security Officer shall also oversee State |
| 4 | | agency personnel with significant responsibilities for |
| 5 | | information security and ensure a competent workforce that |
| 6 | | keeps pace with the changing information security |
| 7 | | environment; |
| 8 | | (2) develop and recommend information security |
| 9 | | policies, standards, procedures, and guidelines to the |
| 10 | | Secretary for statewide adoption and monitor compliance |
| 11 | | with these policies, standards, guidelines, and procedures |
| 12 | | through periodic testing; |
| 13 | | (3) develop and maintain risk-based, cost-effective |
| 14 | | information security programs and control techniques to |
| 15 | | address all applicable security and compliance |
| 16 | | requirements throughout the life cycle of State agency |
| 17 | | information systems; |
| 18 | | (4) establish the procedures, processes, and |
| 19 | | technologies to rapidly and effectively identify threats, |
| 20 | | risks, and vulnerabilities to State information systems, |
| 21 | | and ensure the prioritization of the remediation of |
| 22 | | vulnerabilities that pose risk to the State; |
| 23 | | (5) develop and implement capabilities and procedures |
| 24 | | for detecting, reporting, and responding to information |
| 25 | | security incidents; |
| 26 | | (6) establish and direct a statewide information |
|
| | HB5093 | - 10 - | LRB100 20465 RJF 35821 b |
|
|
| 1 | | security risk management program to identify information |
| 2 | | security risks in State agencies and deploy risk mitigation |
| 3 | | strategies, processes, and procedures; |
| 4 | | (7) establish the State's capability to sufficiently |
| 5 | | protect the security of data through effective information |
| 6 | | system security planning, secure system development, |
| 7 | | acquisition, and deployment, the application of protective |
| 8 | | technologies and information system certification, |
| 9 | | accreditation, and assessments; |
| 10 | | (8) ensure that State agency personnel, including |
| 11 | | contractors, are appropriately screened and receive |
| 12 | | information security awareness training; |
| 13 | | (9) convene meetings with agency heads and other State |
| 14 | | officials to help ensure: |
| 15 | | (A) the ongoing communication of risk and risk |
| 16 | | reduction strategies, |
| 17 | | (B) effective implementation of information |
| 18 | | security policies and practices, and |
| 19 | | (C) the incorporation of and compliance with |
| 20 | | information security policies, standards, and |
| 21 | | guidelines into the policies and procedures of the |
| 22 | | agencies; |
| 23 | | (10) provide operational and technical assistance to |
| 24 | | State agencies in implementing policies, principles, |
| 25 | | standards, and guidelines on information security, |
| 26 | | including implementation of standards promulgated under |
|
| | HB5093 | - 11 - | LRB100 20465 RJF 35821 b |
|
|
| 1 | | subparagraph (A) of paragraph (3) of subsection (a) of this |
| 2 | | Section, and provide assistance and effective and |
| 3 | | efficient means for State agencies to comply with the State |
| 4 | | agency requirements under this Act; |
| 5 | | (11) in coordination and consultation with the |
| 6 | | Secretary and the Governor's Office of Management and |
| 7 | | Budget, review State agency budget requests related to |
| 8 | | Information Security systems and provide recommendations |
| 9 | | to the Governor's Office of Management and Budget; |
| 10 | | (12) ensure the preparation and maintenance of plans |
| 11 | | and procedures to provide cyber resilience and continuity |
| 12 | | of operations for critical information systems that |
| 13 | | support the operations of the State; and |
| 14 | | (13) take such other actions as the Secretary may |
| 15 | | direct.
|
| 16 | | Section 99. Effective date. This Act takes effect January |
| 17 | | 1, 2019. |