State of Illinois
2017 and 2018


Introduced , by Rep. Jaime M. Andrade, Jr.


New Act

    Creates the Illinois Information Security Improvement Act. Creates the Office of the Statewide Chief Information Security Officer within the Department of Innovation and Technology. Provides for the duties and powers of the Office. Creates the position of Statewide Chief Information Security Officer to serve as the head of the Office. Provides for the qualifications, powers, and duties of the Statewide Chief Information Security Officer, and for the appointment of the Statewide Chief Information Security Officer by the Secretary of Innovation and Technology. Defines terms. Effective January 1, 2019.

LRB100 20465 RJF 35821 b





HB5093LRB100 20465 RJF 35821 b

1    AN ACT concerning government.
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
4    Section 1. Short title. This Act may be cited as the
5Illinois Information Security Improvement Act.
6    Section 5. Definitions. As used in this Act:
7    "Critical information system" means any information system
8(including any telecommunications system) used or operated by a
9State agency or by a contractor of a State agency or other
10organization or entity on behalf of a State agency: that
11contains health insurance information, medical information, or
12personal information as defined in the Personal Information
13Protection Act; where the unauthorized disclosure,
14modification, destruction of information in the information
15system could be expected to have a serious, severe, or
16catastrophic adverse effect on State agency operations,
17assets, or individuals; or where the disruption of access to or
18use of the information or information system could be expected
19to have a serious, severe, or catastrophic adverse effect on
20State operations, assets, or individuals.
21    "Department" means the Department of Innovation and
23    "Information security" means protecting information and



HB5093- 2 -LRB100 20465 RJF 35821 b

1information systems from unauthorized access, use, disclosure,
2disruption, modification, or destruction in order to provide:
3integrity, which means guarding against improper information
4modification or destruction, and includes ensuring information
5nonrepudiation and authenticity; confidentiality, which means
6preserving authorized restrictions on access and disclosure,
7including means for protecting personal privacy and
8proprietary information; and availability, which means
9ensuring timely and reliable access to and use of information.
10    "Incident" means an occurrence that: actually or
11imminently jeopardizes, without lawful authority, the
12confidentiality, integrity, or availability of information or
13an information system; or constitutes a violation or imminent
14threat of violation of law, security policies, security
15procedures, or acceptable use policies or standard security
17    "Information system" means a discrete set of information
18resources organized for the collection, processing,
19maintenance, use, sharing, dissemination, or disposition of
20information created or maintained by or for the State of
22    "Office" means the Office of the Statewide Chief
23Information Security Officer.
24    "Secretary" means the Secretary of Innovation and
26    "Security controls" means the management, operational, and



HB5093- 3 -LRB100 20465 RJF 35821 b

1technical controls (including safeguards and countermeasures)
2for an information system that protect the confidentiality,
3integrity, and availability of the system and its information.
4    "State agency" means any agency under the jurisdiction of
5the Governor.
6    Section 10. Purpose. The purposes of this Act are to:
7        (1) provide a comprehensive framework for ensuring the
8    effectiveness of information security controls over
9    information resources that support State agency operations
10    and assets;
11        (2) recognize the critical role of information and
12    information systems in the provision of life, health,
13    safety, and other crucial services to the citizens of the
14    State of Illinois and the risk posed to these services due
15    to the ever-evolving cybersecurity threat;
16        (3) recognize the highly networked nature of the
17    current State of Illinois working environment and provide
18    effective statewide management and oversight of the
19    related information security risks, including coordination
20    of information security efforts across State agencies;
21        (4) provide for the development and maintenance of
22    minimum security controls required to protect State of
23    Illinois information and information systems;
24        (5) provide a mechanism for improved oversight of State
25    agency information security programs, including through



HB5093- 4 -LRB100 20465 RJF 35821 b

1    automated security tools to continuously diagnose and
2    improve security;
3        (6) recognize that information security risk is both a
4    business and public safety issue, and the acceptance of
5    risk is a decision to be made at the executive levels of
6    State government; and
7        (7) ensure a continued and deliberate effort to reduce
8    the risk posed to the State by cyberattacks and other
9    information security incidents that could impact the
10    information security of the State.
11    Section 15. Office of the Statewide Chief Information
12Security Officer.
13    (a) The Office of the Statewide Chief Information Security
14Officer is established within the Department of Innovation and
15Technology. The Office is directly subordinate to the Secretary
16of Innovation and Technology.
17    (b) The Office shall:
18        (1) serve as the strategic planning, facilitation, and
19    coordination office for information technology security in
20    this State and as the lead and central coordinating entity
21    to guide and oversee the information security functions of
22    State agencies;
23        (2) provide information security services to support
24    the secure delivery of State agency services that utilize
25    information systems and to assist State agencies with



HB5093- 5 -LRB100 20465 RJF 35821 b

1    fulfilling their responsibilities under this Act;
2        (3) conduct information and cybersecurity strategic,
3    operational, and resource planning and facilitating an
4    effective enterprise information security architecture
5    capable of protecting the State;
6        (4) identify information security risks to each State
7    agency, to third-party providers, and to key supply chain
8    partners, including an assessment of the extent to which
9    information resources or processes are vulnerable to
10    unauthorized access or harm, including the extent to which
11    the agency's or contractor's electronically stored
12    information is vulnerable to unauthorized access, use,
13    disclosure, disruption, modification, or destruction, and
14    recommend risk mitigation strategies, methods, and
15    procedures to reduce those risks. These assessments shall
16    also include, but not be limited to, assessments of
17    information systems, computers, printers, software,
18    computer networks, interfaces to computer systems, mobile
19    and peripheral device sensors, and other devices or systems
20    which access the State's network, computer software, and
21    information processing or operational procedures of the
22    agency or of a contractor of the agency.
23        (5) manage the response to information security and
24    information security incidents involving State of Illinois
25    information systems and ensure the completeness of
26    information system security plans for critical information



HB5093- 6 -LRB100 20465 RJF 35821 b

1    systems;
2        (6) conduct pre-deployment information security
3    assessments for critical information systems and submit
4    findings and recommendations to the Secretary and State
5    agency heads;
6        (7) develop and conduct targeted operational
7    evaluations, including threat and vulnerability
8    assessments on information systems;
9        (8) monitor and report compliance of each State agency
10    with State information security policies, standards, and
11    procedures;
12        (9) coordinate statewide information security
13    awareness and training programs; and
14        (10) develop and execute other strategies as necessary
15    to protect this State's information technology
16    infrastructure and the data stored on or transmitted by
17    such infrastructure.
18    (c) The Office may temporarily suspend operation of an
19information system or information technology infrastructure
20that is owned, leased, outsourced, or shared by one or more
21State agencies in order to isolate the source of, or stop the
22spread of, an information security breach or other similar
23information security incident. State agencies shall comply
24with directives to temporarily discontinue or suspend
25operations of information systems or information technology



HB5093- 7 -LRB100 20465 RJF 35821 b

1    Section 20. Statewide Chief Information Security Officer.
2The position of Statewide Chief Information Security Officer is
3established within the Office. The Secretary shall appoint a
4Statewide Chief Information Security Officer who shall serve at
5the pleasure of the Secretary. The Statewide Chief Information
6Security Officer shall report to and be under the supervision
7of the Secretary. The Statewide Chief Information Security
8Officer shall exhibit a background and experience in
9information security, information technology, or risk
10management, or exhibit other appropriate expertise required to
11fulfill the duties of the Statewide Chief Information Security
12Officer. If the Statewide Chief Information Security Officer is
13unable or unavailable to perform the duties and
14responsibilities under Section 25, all powers and authority
15granted to the Statewide Chief Information Security Officer may
16be exercised by the Secretary or his or her designee.
17    Section 25. Responsibilities.
18    (a) The Secretary shall:
19        (1) appoint a Statewide Chief Information Security
20    Officer pursuant to Section 20;
21        (2) provide the Office with the staffing and resources
22    deemed necessary by the Secretary to fulfill the
23    responsibilities of the Office;
24        (3) oversee statewide information security policies



HB5093- 8 -LRB100 20465 RJF 35821 b

1    and practices, including:
2            (A) directing and overseeing the development,
3        implementation, and communication of statewide
4        information security policies, standards, and
5        guidelines;
6            (B) overseeing the education of State agency
7        personnel regarding the requirement to identify and
8        provide information security protections commensurate
9        with the risk and magnitude of the harm resulting from
10        the unauthorized access, use, disclosure, disruption,
11        modification, or destruction of information in a
12        critical information system;
13            (C) overseeing the development and implementation
14        of a statewide information security risk management
15        program;
16            (D) overseeing State agency compliance with the
17        requirements of this Section;
18            (E) coordinating Information Security policies and
19        practices with related information and personnel
20        resources management policies and procedures; and
21            (F) providing an effective and efficient process
22        to assist State agencies with complying with the
23        requirements of this Act.
24    (b) The Statewide Chief Information Security Officer
26        (1) serve as the head of the Office and ensure the



HB5093- 9 -LRB100 20465 RJF 35821 b

1    execution of the responsibilities of the Office as set
2    forth in subsection (c) of Section 15, the Statewide Chief
3    Information Security Officer shall also oversee State
4    agency personnel with significant responsibilities for
5    information security and ensure a competent workforce that
6    keeps pace with the changing information security
7    environment;
8        (2) develop and recommend information security
9    policies, standards, procedures, and guidelines to the
10    Secretary for statewide adoption and monitor compliance
11    with these policies, standards, guidelines, and procedures
12    through periodic testing;
13        (3) develop and maintain risk-based, cost-effective
14    information security programs and control techniques to
15    address all applicable security and compliance
16    requirements throughout the life cycle of State agency
17    information systems;
18        (4) establish the procedures, processes, and
19    technologies to rapidly and effectively identify threats,
20    risks, and vulnerabilities to State information systems,
21    and ensure the prioritization of the remediation of
22    vulnerabilities that pose risk to the State;
23        (5) develop and implement capabilities and procedures
24    for detecting, reporting, and responding to information
25    security incidents;
26        (6) establish and direct a statewide information



HB5093- 10 -LRB100 20465 RJF 35821 b

1    security risk management program to identify information
2    security risks in State agencies and deploy risk mitigation
3    strategies, processes, and procedures;
4        (7) establish the State's capability to sufficiently
5    protect the security of data through effective information
6    system security planning, secure system development,
7    acquisition, and deployment, the application of protective
8    technologies and information system certification,
9    accreditation, and assessments;
10        (8) ensure that State agency personnel, including
11    contractors, are appropriately screened and receive
12    information security awareness training;
13        (9) convene meetings with agency heads and other State
14    officials to help ensure:
15            (A) the ongoing communication of risk and risk
16        reduction strategies,
17            (B) effective implementation of information
18        security policies and practices, and
19            (C) the incorporation of and compliance with
20        information security policies, standards, and
21        guidelines into the policies and procedures of the
22        agencies;
23        (10) provide operational and technical assistance to
24    State agencies in implementing policies, principles,
25    standards, and guidelines on information security,
26    including implementation of standards promulgated under



HB5093- 11 -LRB100 20465 RJF 35821 b

1    subparagraph (A) of paragraph (3) of subsection (a) of this
2    Section, and provide assistance and effective and
3    efficient means for State agencies to comply with the State
4    agency requirements under this Act;
5        (11) in coordination and consultation with the
6    Secretary and the Governor's Office of Management and
7    Budget, review State agency budget requests related to
8    Information Security systems and provide recommendations
9    to the Governor's Office of Management and Budget;
10        (12) ensure the preparation and maintenance of plans
11    and procedures to provide cyber resilience and continuity
12    of operations for critical information systems that
13    support the operations of the State; and
14        (13) take such other actions as the Secretary may
15    direct.
16    Section 99. Effective date. This Act takes effect January
171, 2019.