Illinois General Assembly

Illinois Compiled Statutes

Information maintained by the Legislative Reference Bureau

EXECUTIVE BRANCH
(20 ILCS 1375/) Illinois Information Security Improvement Act.

20 ILCS 1375/Art. 1

    (20 ILCS 1375/Art. 1 heading)
Article 1. Department of Innovation and Technology
(The Department of Innovation and Technology Act is compiled at 20 ILCS 1370/)
(Source: P.A. 100-611, eff. 7-20-18.)

20 ILCS 1375/Art. 5

    (20 ILCS 1375/Art. 5 heading)
Article 5. Illinois Information Security Improvement
(Source: P.A. 100-611, eff. 7-20-18.)

20 ILCS 1375/5-1

    (20 ILCS 1375/5-1)
    Sec. 5-1. Short title. This Article may be cited as the Illinois Information Security Improvement Act. References in this Article to "this Act" mean this Article.
(Source: P.A. 100-611, eff. 7-20-18.)

20 ILCS 1375/5-5

    (20 ILCS 1375/5-5)
    Sec. 5-5. Definitions. As used in this Act:
    "Critical information system" means any information system (including any telecommunications system) used or operated by a State agency or by a contractor of a State agency or other organization or entity on behalf of a State agency: that contains health insurance information, medical information, or personal information as defined in the Personal Information Protection Act; where the unauthorized disclosure, modification, destruction of information in the information system could be expected to have a serious, severe, or catastrophic adverse effect on State agency operations, assets, or individuals; or where the disruption of access to or use of the information or information system could be expected to have a serious, severe, or catastrophic adverse effect on State operations, assets, or individuals.
    "Department" means the Department of Innovation and Technology.
    "Information security" means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide: integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity; confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and availability, which means ensuring timely and reliable access to and use of information.
    "Incident" means an occurrence that: actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies or standard security practices.
    "Information system" means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information created or maintained by or for the State of Illinois.
    "Office" means the Office of the Statewide Chief Information Security Officer.
    "Secretary" means the Secretary of Innovation and Technology.
    "Security controls" means the management, operational, and technical controls (including safeguards and countermeasures) for an information system that protect the confidentiality, integrity, and availability of the system and its information.
    "State agency" means any agency under the jurisdiction of the Governor.
(Source: P.A. 100-611, eff. 7-20-18.)

20 ILCS 1375/5-10

    (20 ILCS 1375/5-10)
    Sec. 5-10. Purpose. The purposes of this Act are to:
        (1) provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support State agency operations and assets;
        (2) recognize the critical role of information and information systems in the provision of life, health, safety, and other crucial services to the citizens of the State of Illinois and the risk posed to these services due to the ever-evolving cybersecurity threat;
        (3) recognize the highly networked nature of the current State of Illinois working environment and provide effective statewide management and oversight of the related information security risks, including coordination of information security efforts across State agencies;
        (4) provide for the development and maintenance of minimum security controls required to protect State of Illinois information and information systems;
        (5) provide a mechanism for improved oversight of State agency information security programs, including through automated security tools to continuously diagnose and improve security;
        (6) recognize that information security risk is both a business and public safety issue, and the acceptance of risk is a decision to be made at the executive levels of State government; and
        (7) ensure a continued and deliberate effort to reduce the risk posed to the State by cyberattacks and other information security incidents that could impact the information security of the State.
(Source: P.A. 100-611, eff. 7-20-18.)

20 ILCS 1375/5-15

    (20 ILCS 1375/5-15)
    Sec. 5-15. Office of the Statewide Chief Information Security Officer.
    (a) The Office of the Statewide Chief Information Security Officer is established within the Department of Innovation and Technology. The Office is directly subordinate to the Secretary of Innovation and Technology.
    (b) The Office shall:
        (1) serve as the strategic planning, facilitation, and coordination office for information technology security in this State and as the lead and central coordinating entity to guide and oversee the information security functions of State agencies;
        (2) provide information security services to support the secure delivery of State agency services that utilize information systems and to assist State agencies with fulfilling their responsibilities under this Act;
        (3) conduct information and cybersecurity strategic, operational, and resource planning and facilitating an effective enterprise information security architecture capable of protecting the State;
        (4) identify information security risks to each State agency, to third-party providers, and to key supply chain partners, including an assessment of the extent to which information resources or processes are vulnerable to unauthorized access or harm, including the extent to which the agency's or contractor's electronically stored information is vulnerable to unauthorized access, use, disclosure, disruption, modification, or destruction, and recommend risk mitigation strategies, methods, and procedures to reduce those risks. These assessments shall also include, but not be limited to, assessments of information systems, computers, printers, software, computer networks, interfaces to computer systems, mobile and peripheral device sensors, and other devices or systems which access the State's network, computer software, and information processing or operational procedures of the agency or of a contractor of the agency.
        (5) manage the response to information security and information security incidents involving State of Illinois information systems and ensure the completeness of information system security plans for critical information systems;
        (6) conduct pre-deployment information security assessments for critical information systems and submit findings and recommendations to the Secretary and State agency heads;
        (7) develop and conduct targeted operational evaluations, including threat and vulnerability assessments on information systems;
        (8) monitor and report compliance of each State agency with State information security policies, standards, and procedures;
        (9) coordinate statewide information security awareness and training programs; and
        (10) develop and execute other strategies as necessary to protect this State's information technology infrastructure and the data stored on or transmitted by such infrastructure.
    (c) The Office may temporarily suspend operation of an information system or information technology infrastructure that is owned, leased, outsourced, or shared by one or more State agencies in order to isolate the source of, or stop the spread of, an information security breach or other similar information security incident. State agencies shall comply with directives to temporarily discontinue or suspend operations of information systems or information technology infrastructure.
(Source: P.A. 100-611, eff. 7-20-18.)

20 ILCS 1375/5-20

    (20 ILCS 1375/5-20)
    Sec. 5-20. Statewide Chief Information Security Officer. The position of Statewide Chief Information Security Officer is established within the Office. The Secretary shall appoint a Statewide Chief Information Security Officer who shall serve at the pleasure of the Secretary. The Statewide Chief Information Security Officer shall report to and be under the supervision of the Secretary. The Statewide Chief Information Security Officer shall exhibit a background and experience in information security, information technology, or risk management, or exhibit other appropriate expertise required to fulfill the duties of the Statewide Chief Information Security Officer. If the Statewide Chief Information Security Officer is unable or unavailable to perform the duties and responsibilities under Section 5-25, all powers and authority granted to the Statewide Chief Information Security Officer may be exercised by the Secretary or his or her designee.
(Source: P.A. 100-611, eff. 7-20-18; 101-81, eff. 7-12-19.)