AB 670: Information technology security.
- Session Year: 2015-2016
- House: Assembly
- Latest Version Date: 2015-10-06
(1) Existing law establishes, within the Government Operations Agency, the Department of Technology under the supervision of the Director of Technology, who is also known as the State Chief Information Officer. The department is generally responsible for the approval and oversight of information technology projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs.
Existing law establishes, within the department, the Office of Information Security under the supervision of the Chief of the Office of Information Security. Existing law sets forth the authority of the office, including, but not limited to, the authority to conduct, or require to be conducted, an independent security assessment of any state agency, department, or office, the cost of which is to be funded by the state agency, department, or office being assessed.
This bill would additionally require the office, in consultation with the Office of Emergency Services, to require no fewer than 35 independent security assessments of state entities each year and determine basic standards of services to be performed as part of an independent security assessment. The bill would require the state agency, department, or office being assessed to fund the costs of its independent security assessment. The bill would require the office and the Office of Emergency Services to receive the complete results of an independent security assessment. The bill would prohibit, during the process of conducting an independent security assessment, the disclosure of information and records concerning the independent security assessment, except that the information and records would be authorized to be transmitted to state employees and state contractors with specific duties relating to the independent security assessment. The bill would require the disclosure of the results of a completed independent security assessment under state law.
This bill would require the office, in consultation with the Office of Emergency Services, to rank state entities on an information security risk index, as specified. The bill would require the office to report to the Department of Technology and the Office of Emergency Services any state entity found noncompliant with information security requirements. The bill would further require the office to notify the Office of Emergency Services, the Department of the California Highway Patrol, and the Department of Justice of any criminal or alleged criminal cyber activity affecting any state entity or critical infrastructure of state government. The bill would authorize the office to conduct, or require to be conducted, an audit of information security to ensure program compliance, the cost of which is to be funded by the state agency, department, or office being audited.
This bill would authorize the Military Department to perform an independent security assessment as described above.
This bill would require state entities, as defined, rather than certain information security officers, to comply with policies and procedures issued by the office. The bill would also make technical, nonsubstantive changes.
(2) Existing law requires that a statute that limits the public's right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings to demonstrate the interest protected by the limitation and the need for protecting that interest.
This bill would limit access to information and records of an ongoing independent security assessment and would make findings to demonstrate the interest protected by the limitation and the need for protecting that interest.