BILL ANALYSIS



          SENATE COMMITTEE ON APPROPRIATIONS
                             Senator Ricardo Lara, Chair
                            2015 - 2016  Regular  Session

          AB 670 (Irwin) - Information technology security
          
           ----------------------------------------------------------------- 
          |Version: June 23, 2015          |Policy Vote: G.O. 12 - 0        |
          |--------------------------------+--------------------------------|
          |Urgency: No                     |Mandate: No                     |
          |--------------------------------+--------------------------------|
          |Hearing Date: August 17, 2015   |Consultant: Mark McKenzie       |
           ----------------------------------------------------------------- 


          This bill meets the criteria for referral to the Suspense File. 

          Bill Summary:  AB 670 would require the Office of Information  
          Security (OIS), within the Department of Technology, to conduct  
          an independent security assessment of every state agency at  
          least once every two years, as specified.


          Fiscal Impact:  
          • The Department of Technology would incur costs of  
            approximately $2 million in 2016-17, and ongoing costs of  
            approximately $1.9 million for 12 PY of staff to conduct  
            security assessments.  Staff estimates that OIS would have  
            additional costs in the hundreds of thousands annually for  
            travel and other associated charges. (Technology Services  
            Revolving Fund)

          • Ongoing, potentially significant cost pressures for state  
            entities to make necessary IT improvements to address  
            vulnerabilities identified through security assessments.   
            However, these improvements would decrease the likelihood that  
            agencies would experience a future data breach, thereby  
            avoiding related costs in future years.  (General Fund and/or  
            Special Funds)

          • Estimated Department of Technology costs in the range of  
            $100,000 to $150,000 to develop and adopt standards for the  
            OIS, Military Department, or entity conducting a security  
            assessment to follow when conducting those assessments and  
            reporting results.  These costs include necessary updates to  
            the State Administrative Manual. (Technology Services  
            Revolving Fund)


          Background:  Existing law provides that the Department of Technology is  
          generally responsible for the approval and oversight of state  
          information technology (IT) projects.  The OIS within the  
          Department of Technology is responsible for ensuring the  
          confidentiality and integrity of state data systems. The OIS is  
          required to establish policies, standards, and procedures for  
          state agencies to manage security and risk.  Existing law  
          authorizes the OIS to conduct independent security assessments  
          of any state agency, department, or office, and requires the  
          state entity whose systems are being assessed to pay for the  
          security assessment.  Existing state policy outlined in the  
          State Administrative Manual requires each state agency to  
          conduct a comprehensive IT risk assessment once every two years  
          and document the results in a risk assessment report.

          In 2013, the Governor administratively directed the Office of  
          Emergency Services (OES) and the Department of Technology to  
          create a Cyber Security Task Force comprised of specified  
          stakeholders, subject matter experts, and cyber security  
          professionals from public, private, academic, and law  
          enforcement sectors.  The mission of the Task Force is to  
          enhance the security of California's digital infrastructure and  
          to create a culture of cybersecurity through collaboration,  
          information sharing, and education and awareness.
          Existing law provides that the California Military Department  
          manages the Computer Network Defense Team (CND-T) to assist  
          Department of Defense, federal, state, local government  
          partners, and critical infrastructure providers to provide  
          confidentiality, integrity, and availability of critical network  
          infrastructure.  The CND-T also provides support and assistance  
          through established partnerships with cyber security vendors,  
          academia, and government entities.  The 2014 Budget Act provided  
          6 PY of staff and $774,000 in ongoing funding to support the  
          CND-T with the goal of assisting agencies by providing  
          actionable products, assistance, and services designed to  
          improve overall cyber security compliance, reduce risk, and  
          protect the public.




          Proposed Law:  
            AB 670 would require the OIS to conduct, or cause to be  
          conducted, an independent security assessment of every state  
          agency, department, and office at least once every two years,  
          the cost of which is funded by the state entity being assessed.   
          Specifically, this bill would:
          • Require the assessment to be conducted in compliance with  
            specified national standards and include, to the extent  
            practicable, vulnerability scanning, penetration testing, and  
            a report on the number, severity, and nature of identified  
            vulnerabilities and recommendations for remediation and risk  
            mitigation.
          • Authorize the Military Department to perform required  
            independent security assessments, respond to a security  
            incident, or mitigate the impacts of a cyber attack, upon the  
            request of OES.
          • Require OIS to report to the Department of Technology any  
            state agency found to be noncompliant with information  
            security program requirements.
          • Authorize the Department of Technology to require an agency to  
            redirect any authorized funds within its budget to pay costs  
            of coming into compliance with recommendations made in a  
            security assessment.
          • Require OIS, the Military Department, or any entity conducting  
            an assessment to transmit the full results only to the agency  
            that was the subject of the assessment, and to transmit  
            aggregated results of the assessment to the Department of  
            Technology.
          • Require the Department of Technology to adopt standards that  
            prescribe the manner in which the aggregate results of an  
            assessment are transmitted to the Department of Technology.   
            The standards must include specified information and must be  
            incorporated into the State Administrative Manual.
          • Specify that transmission of the results of an independent  
            security assessment must be restricted to state government  
            employees and approved contractors, but that those results,  
            the aggregate of the results, and any related information  
            remain subject to all disclosure and confidentiality  
            provisions of state law, as specified.
          • Require that any data produced during the creation of a  
            security assessment be destroyed within one year, unless OES  
            determines it should be retained for a longer period for state  
            security purposes.


          Staff Comments:  AB 670 is intended to increase the overall  
          security of state IT systems and networks by requiring OIS,  
          within the Department of Technology, to perform an independent  
          security assessment of every state agency under its jurisdiction  
          every two years.  While state policy, as outlined in the State  
          Administrative Manual, currently requires agencies to conduct  
          security assessments once every two years, there is no statutory  
          requirement, and many agencies have failed to comply.

          The bill requires OIS to conduct, or require to be conducted, an  
          independent security assessment of every state agency every two  
          years, and authorizes the Military Department to conduct  
          assessments, when directed by the Office of Emergency Services.   
          Since the bill mandates OIS to conduct the assessments, the  
          Department of Technology estimates it will need an additional 12  
          PY of staff, at an ongoing cost of approximately $1.9 million  
          annually, to conduct security assessments of approximately 75  
          state agencies each year.  There would be additional costs and  
          charges related to travel, meals, and lodging, as well as vendor  
          costs and project management and oversight charges.  All costs  
          would be charged to the agencies being assessed, so the bill  
          would result in costs to the funds of various agency budgets,  
          the revenues of which would be transferred to the Technology  
          Services Revolving Fund to support the OIS activities.
          The costs to each individual agency would vary, depending on the  
          number of systems and critical applications, the complexity of  
          those systems, and the locations of facilities around the state  
          that would need to be accessed.  The Military Department  
          estimates that security assessments range in cost from $11,000  
          to $35,000, although it is unclear whether these estimates  
          include all required components specified in the bill  
          (vulnerability scanning, penetration testing, and the  
          vulnerability report).  Individual state  
          entities that have reported costs to the Committee, based on  
          previous assessments, indicate that costs can range from the low  
          tens of thousands to the low hundreds of thousands for each  
          department's security assessment.  In addition, the Department  
          of Technology has provided information with a sampling of recent  
          costs incurred by state agencies related to outsourcing  
          independent risk assessments to contractors, with smaller  
          agencies having total costs of $30,000 to $50,000 per  
          assessment, and large agencies having security assessment costs  
          ranging from $200,000 to $500,000.  Using these samples of  
          costs, total statewide costs could be as high as $10 million  
          annually, if security assessments were performed solely through  
          contracts with private vendors.  These costs are only presented  
          for illustrative and comparative purposes. 




                                      -- END --