AB 1022: Information technology: Technology Recovery Plans: inventory.

The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. Existing law establishes the Department of Technology under the supervision of the Director of Technology who is also known as the State Chief Information Officer, and generally requires the Department of Technology to be responsible for the approval and oversight of information technology projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs. Existing law establishes the Office of Information Security, within the Department of Technology, under the direction of a chief who reports to the Director of Technology. Existing law requires the Department of Technology, in consultation with the Office of Emergency Services and in compliance with the information security program required to be established by the chief of the Office of Information Security, to update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information. Existing law requires each state agency to provide its updated Technology Recovery Plan and report on its compliance with these updated standards to the department, as specified, and authorizes the department, in consultation with the Office of Emergency Services, to provide suggestions for a state agency to improve compliance with these standards. Existing law prohibits public disclosure of reports and public records relating to the cybersecurity strategies of state agencies, as specified.

This bill would require each state agency, as part of its Technology Recovery Plan, to provide the department with an inventory of all critical infrastructure controls, and their associated assets, in the possession of the agency. The bill would authorize a local entity that receives state funds for the purposes of storing, sharing, or transmitting data, or in support of an information technology project with a state entity, upon the request of the department, to submit a Technology Recovery Plan, as specified, to the department. The bill would authorize the department to provide suggestions with regard to the plans. The bill would prohibit public disclosure of these plans.

Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.

This bill would make legislative findings to that effect.

The California Constitution requires local agencies, for the purpose of ensuring public access to the meetings of public bodies and the writings of public officials and agencies, to comply with a statutory enactment that amends or enacts laws relating to public records or open meetings and contains findings demonstrating that the enactment furthers the constitutional requirements relating to this purpose.

This bill would make legislative findings to that effect.