Law:Title 10. General Government. Subtitle B. Information And Planning from Chapter 2059. Texas Computer Network Security System (Texas)

From Law Delta

Revision as of 21:07, 28 September 2011 by Admin (Talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Subtitle B. Information And Planning

Contents

Chapter 2059. Texas Computer Network Security System

Subchapter A. General Provisions

Section 2059.001.  Definitions.

In this chapter:

(1)  "Center" means the network security center established under this chapter.

(2)  "Department" means the Department of Information Resources.

(3)  "Network security" means the protection of computer systems and technology assets from unauthorized external intervention or improper use.  The term includes detecting, identifying, and countering malicious network activity to prevent the acquisition of information or disruption of information technology operations.

(4)  "State agency" has the meaning assigned by Section 2151.002.

Added by Acts 2005, 79th Leg., Ch. 760, Sec. 1, eff. September 1, 2005.



Subchapter B. General Powers And Duties

Section 2059.051.  Department Responsible For Providing Computer Network Security Services.

The department shall provide network security services to:

(1)  state agencies; and

(2)  other entities by agreement as provided by Section 2059.058.

Added by Acts 2005, 79th Leg., Ch. 760, Sec. 1, eff. September 1, 2005.



Section 2059.052.  Services Provided To Institutions Of Higher Education.

The department may provide network security services to an institution of higher education, and may include an institution of higher education in a center, only if and to the extent approved by the Information Technology Council for Higher Education.

Added by Acts 2005, 79th Leg., Ch. 760, Sec. 1, eff. September 1, 2005.



Section 2059.053.  Rules.

The department may adopt rules necessary to implement this chapter.

Added by Acts 2005, 79th Leg., Ch. 760, Sec. 1, eff. September 1, 2005.



Section 2059.054.  Ownership Or Lease Of Necessary Equipment.

The department may purchase in accordance with Chapters 2155, 2156, 2157, and 2158 any facilities or equipment necessary to provide network security services to state agencies.

Added by Acts 2005, 79th Leg., Ch. 760, Sec. 1, eff. September 1, 2005.



Section 2059.055.  Restricted Information.

(a) Confidential network security information may be released only to officials responsible for the network, law enforcement, the state auditor's office, and agency or elected officials designated by the department.

(b)  Network security information is confidential under this section if the information is:

(1)  related to passwords, personal identification numbers, access codes, encryption, or other components of the security system of a state agency;

(2)  collected, assembled, or maintained by or for a governmental entity to prevent, detect, or investigate criminal activity; or

(3)  related to an assessment, made by or for a governmental entity or maintained by a governmental entity, of the vulnerability of a network to criminal activity.

Added by Acts 2005, 79th Leg., Ch. 760, Sec. 1, eff. September 1, 2005.



Section 2059.056.  Responsibility For External And Internal Security Threats.

If the department provides network security services for a state agency or other entity under this chapter, the department is responsible for network security from external threats for that agency or entity.  Network security management for that state agency or entity regarding internal threats remains the responsibility of that state agency or entity.

Added by Acts 2005, 79th Leg., Ch. 760, Sec. 1, eff. September 1, 2005.



Section 2059.057.  Biennial Report.

(a) The department shall biennially prepare a report on:

(1)  the department's accomplishment of service objectives and other performance measures under this chapter; and

(2)  the status, including the financial performance, of the consolidated network security system provided through the center.

(b)  The department shall submit the report to:

(1)  the governor;

(2)  the lieutenant governor;

(3)  the speaker of the house of representatives; and

(4)  the state auditor's office.

Added by Acts 2005, 79th Leg., Ch. 760, Sec. 1, eff. September 1, 2005.



Section 2059.058.  Agreement To Provide Network Security Services To Entities Other Than State Agencies.

(a) In this section, a "special district" means:

(1)  a school district;

(2)  a hospital district;

(3)  a water district; or

(4)  a district or special water authority, as defined by Section 49.001, Water Code.

(b)  In addition to the department's duty to provide network security services to state agencies under this chapter, the department by agreement may provide network security to:

(1)  each house of the legislature;

(2)  an agency that is not a state agency, including  a legislative agency;

(3)  a political subdivision of this state, including a county, municipality, or special district; and

(4)  an independent organization, as defined by Section 39.151, Utilities Code.

Added by Acts 2005, 79th Leg., Ch. 760, Sec. 1, eff. September 1, 2005.



Section 2059.060.  Vulnerability Testing Of Network Hardware And Software.

(a) The department shall adopt rules requiring, in state agency contracts for network hardware and software, a statement by the vendor certifying that the network hardware or software, as applicable, has undergone independent certification testing for known and relevant vulnerabilities.

(b)  Rules adopted under Subsection (a) may:

(1)  provide for vendor exemptions; and

(2)  establish certification standards for testing network hardware and software for known and relevant vulnerabilities.

(c)  Unless otherwise provided by rule, the required certification testing must be conducted under maximum load conditions in accordance with published performance claims of a hardware or software manufacturer, as applicable.

Added by Acts 2009, 81st Leg., R.S., Ch. 183, Sec. 7, eff. September 1, 2009.



Subchapter C. Network Security Center

Section 2059.101.  Network Security Center.

The department shall establish a network security center to provide network security services to state agencies.

Added by Acts 2005, 79th Leg., Ch. 760, Sec. 1, eff. September 1, 2005.



Section 2059.102.  Management And Use Of Network Security System.

(a) The department shall manage the operation of network security system services for all state agencies at the center.

(b)  The department shall fulfill the network security requirements of each state agency to the extent practicable.  However, the department shall protect criminal justice and homeland security networks of this state to the fullest extent possible in accordance with federal criminal justice and homeland security network standards.

(c)  All state agencies shall use the network security services provided through the center to the fullest extent possible.

(d)  A state agency may not purchase network security services unless the department determines that the agency's requirement for network security services cannot be met at a comparable cost through the center.  The department shall develop an efficient process for this determination.

Added by Acts 2005, 79th Leg., Ch. 760, Sec. 1, eff. September 1, 2005.



Section 2059.103.  Center Location And Physical Security.

(a) The department shall locate the center at a location that has an existing secure and restricted facility, cyber-security infrastructure, available trained workforce, and supportive educational capabilities.

(b)  The department shall control and monitor all entrances and critical areas to prevent unauthorized entry.  The department shall limit access to authorized individuals.

(c)  Local law enforcement or security agencies shall monitor security alarms at the center according to service availability.

(d)  The department shall restrict operational information to personnel at the center, except as provided by Chapter 321.

Added by Acts 2005, 79th Leg., Ch. 760, Sec. 1, eff. September 1, 2005.



Section 2059.104.  Center Services And Support.

(a) The department shall provide the following managed security services through the center:

(1)  real-time network security monitoring to detect and respond to network security events that may jeopardize this state and the residents of this state, including vulnerability assessment services consisting of a comprehensive security posture assessment, external and internal threat analysis, and penetration testing;

(2)  continuous, 24-hour alerts and guidance for defeating network security threats, including firewall preconfiguration, installation, management and monitoring, intelligence gathering, protocol analysis, and user authentication;

(3)  immediate incident response to counter network security activity that exposes this state and the residents of this state to risk, including complete intrusion detection systems installation, management, and monitoring and a network operations call center;

(4)  development, coordination, and execution of statewide cyber-security operations to isolate, contain, and mitigate the impact of network security incidents at state agencies;

(5)  operation of a central authority for all statewide information assurance programs; and

(6)  the provision of educational services regarding network security.

(b)  The department may provide:

(1)  implementation of best-of-breed information security architecture engineering services, including public key infrastructure development, design, engineering, custom software development, and secure web design; or

(2)  certification and accreditation to ensure compliance with the applicable regulatory requirements for cyber-security and information technology risk management, including the use of proprietary tools to automate the assessment and enforcement of compliance.

Added by Acts 2005, 79th Leg., Ch. 760, Sec. 1, eff. September 1, 2005.



Section 2059.105.  Network Security Guidelines And Standard Operating Procedures.

(a) The department shall adopt and provide to all state agencies appropriate network security guidelines and standard operating procedures to ensure efficient operation of the center with a maximum return on investment for the state.

(b)  The department shall revise the standard operating procedures as necessary to confirm network security.

(c)  Each state agency shall comply with the network security policies, guidelines, and standard operating procedures.

Added by Acts 2005, 79th Leg., Ch. 760, Sec. 1, eff. September 1, 2005.



Section 2059.106.  Private Vendor.

The department may contract with a private vendor to build and operate the center and act as an authorized agent to acquire, install, integrate, maintain, configure, and monitor the network security services and security infrastructure elements.

Added by Acts 2005, 79th Leg., Ch. 760, Sec. 1, eff. September 1, 2005.



Subchapter D. Financial Provisions

Section 2059.151.  Payment For Services.

The department shall develop a system of billings and charges for services provided in operating and administering the network security system that allocates the total state cost to each state agency or other entity served by the system based on proportionate usage.

Added by Acts 2005, 79th Leg., Ch. 760, Sec. 1, eff. September 1, 2005.



Section 2059.152.  Revolving Fund Account.

(a) The comptroller shall establish in the state treasury a revolving fund account for the administration of this chapter.  The account must be used as a depository for money received from state agencies and other entities served under this chapter.  Receipts attributable to the centralized network security system must be deposited into the account and separately identified within the account.

(b)  The legislature may appropriate money for operating the system directly to the department, in which case the revolving fund account must be used to receive money due from local governmental entities and other agencies to the extent that their money is not subject to legislative appropriation.

(c)  The department shall maintain in the revolving fund account sufficient amounts to pay the liabilities of the center and related network security services.

Added by Acts 2005, 79th Leg., Ch. 760, Sec. 1, eff. September 1, 2005.



Section 2059.153.  Grants.

The department may apply for and use for purposes of this chapter the proceeds from grants offered by any federal agency or other source.

Added by Acts 2005, 79th Leg., Ch. 760, Sec. 1, eff. September 1, 2005.


Personal tools
Laws
Variants
Actions
Navigation
Toolbox