HB3737sam001 100TH GENERAL ASSEMBLY

Sen. Iris Y. Martinez

Filed: 5/4/2017

 

 


 

 


 
10000HB3737sam001LRB100 10533 JWD 25838 a

1
AMENDMENT TO HOUSE BILL 3737

2    AMENDMENT NO. ______. Amend House Bill 3737 by replacing
3everything after the enacting clause with the following:
 
4    "Section 1. Short title. This Act may be cited as the
5Illinois Information Security Improvement Act.
 
6    Section 5. Definitions. As used in this Act:
7    "Critical information system" means any information system
8(including any telecommunications system) used or operated by a
9State agency or by a contractor of a State agency or other
10organization or entity on behalf of a State agency: that
11contains health insurance information, medical information, or
12personal information as defined in the Personal Information
13Protection Act; where the unauthorized disclosure,
14modification, destruction of information in the information
15system could be expected to have a serious, severe, or
16catastrophic adverse effect on State agency operations,

 

 

10000HB3737sam001- 2 -LRB100 10533 JWD 25838 a

1assets, or individuals; or where the disruption of access to or
2use of the information or information system could be expected
3to have a serious, severe, or catastrophic adverse effect on
4State operations, assets, or individuals.
5    "Department" means the Department of Innovation and
6Technology.
7    "Information security" means protecting information and
8information systems from unauthorized access, use, disclosure,
9disruption, modification, or destruction in order to provide:
10integrity, which means guarding against improper information
11modification or destruction, and includes ensuring information
12nonrepudiation and authenticity; confidentiality, which means
13preserving authorized restrictions on access and disclosure,
14including means for protecting personal privacy and
15proprietary information; and availability, which means
16ensuring timely and reliable access to and use of information.
17    "Incident" means an occurrence that: actually or
18imminently jeopardizes, without lawful authority, the
19confidentiality, integrity, or availability of information or
20an information system; or constitutes a violation or imminent
21threat of violation of law, security policies, security
22procedures, or acceptable use policies or standard security
23practices.
24    "Information system" means a discrete set of information
25resources organized for the collection, processing,
26maintenance, use, sharing, dissemination, or disposition of

 

 

10000HB3737sam001- 3 -LRB100 10533 JWD 25838 a

1information created or maintained by or for the State of
2Illinois.
3    "Office" means the Office of the Statewide Chief
4Information Security Officer.
5    "Secretary" means the Secretary of Innovation and
6Technology.
7    "Security controls" means the management, operational, and
8technical controls (including safeguards and countermeasures)
9for an information system that protect the confidentiality,
10integrity, and availability of the system and its information.
11    "State agency" means any agency under the jurisdiction of
12the Governor.
 
13    Section 10. Purpose. The purposes of this Act are to:
14        (1) provide a comprehensive framework for ensuring the
15    effectiveness of information security controls over
16    information resources that support State agency operations
17    and assets;
18        (2) recognize the critical role of information and
19    information systems in the provision of life, health,
20    safety, and other crucial services to the citizens of the
21    State of Illinois and the risk posed to these services due
22    to the ever-evolving cybersecurity threat;
23        (3) recognize the highly networked nature of the
24    current State of Illinois working environment and provide
25    effective statewide management and oversight of the

 

 

10000HB3737sam001- 4 -LRB100 10533 JWD 25838 a

1    related information security risks, including coordination
2    of information security efforts across State agencies;
3        (4) provide for the development and maintenance of
4    minimum security controls required to protect State of
5    Illinois information and information systems;
6        (5) provide a mechanism for improved oversight of State
7    agency information security programs, including through
8    automated security tools to continuously diagnose and
9    improve security;
10        (6) recognize that information security risk is both a
11    business and public safety issue, and the acceptance of
12    risk is a decision to be made at the executive levels of
13    State government; and
14        (7) ensure a continued and deliberate effort to reduce
15    the risk posed to the State by cyberattacks and other
16    information security incidents that could impact the
17    information security of the State.
 
18    Section 15. Office of the Statewide Chief Information
19Security Officer.
20    (a) The Office of the Statewide Chief Information Security
21Officer is established within the Department of Innovation and
22Technology. The Office is directly subordinate to the Secretary
23of Innovation and Technology.
24    (b) The Office shall:
25        (1) serve as the strategic planning, facilitation, and

 

 

10000HB3737sam001- 5 -LRB100 10533 JWD 25838 a

1    coordination office for information technology security in
2    this State and as the lead and central coordinating entity
3    to guide and oversee the information security functions of
4    State agencies;
5        (2) provide information security services to support
6    the secure delivery of State agency services that utilize
7    information systems and to assist State agencies with
8    fulfilling their responsibilities under this Act;
9        (3) conduct information and cybersecurity strategic,
10    operational, and resource planning and facilitating an
11    effective enterprise information security architecture
12    capable of protecting the State;
13        (4) identify information security risks in each State
14    agency and recommend risk mitigation strategies, methods,
15    and procedures to reduce these risks;
16        (5) manage the response to information security and
17    information security incidents involving State of Illinois
18    information systems and ensure the completeness of
19    information system security plans for critical information
20    systems;
21        (6) conduct pre-deployment information security
22    assessments for critical information systems and submit
23    findings and recommendations to the Secretary and State
24    agency heads;
25        (7) develop and conduct targeted operational
26    evaluations, including threat and vulnerability

 

 

10000HB3737sam001- 6 -LRB100 10533 JWD 25838 a

1    assessments on information systems;
2        (8) monitor and report compliance of each State agency
3    with State information security policies, standards, and
4    procedures;
5        (9) coordinate statewide information security
6    awareness and training programs; and
7        (10) develop and execute other strategies as necessary
8    to protect this State's information technology
9    infrastructure and the data stored on or transmitted by
10    such infrastructure.
11    (c) The Office may temporarily suspend operation of an
12information system or information technology infrastructure
13that is owned, leased, outsourced, or shared by one or more
14State agencies in order to isolate the source of, or stop the
15spread of, an information security breach or other similar
16information security incident. State agencies shall comply
17with directives to temporarily discontinue or suspend
18operations of information systems or information technology
19infrastructure.
 
20    Section 20. Statewide Chief Information Security Officer.
21The position of Statewide Chief Information Security Officer is
22established within the Office. The Secretary shall appoint a
23Statewide Chief Information Security Officer who shall serve at
24the pleasure of the Secretary. The Statewide Chief Information
25Security Officer shall report to and be under the supervision

 

 

10000HB3737sam001- 7 -LRB100 10533 JWD 25838 a

1of the Secretary. The Statewide Chief Information Security
2Officer shall exhibit a background and experience in
3information security, information technology, or risk
4management, or exhibit other appropriate expertise required to
5fulfill the duties of the Statewide Chief Information Security
6Officer. If the Statewide Chief Information Security Officer is
7unable or unavailable to perform the duties and
8responsibilities under Section 25, all powers and authority
9granted to the Statewide Chief Information Security Officer may
10be exercised by the Secretary or his or her designee.
 
11    Section 25. Responsibilities.
12    (a) The Secretary shall:
13        (1) appoint a Statewide Chief Information Security
14    Officer pursuant to Section 20;
15        (2) provide the Office with the staffing and resources
16    deemed necessary by the Secretary to fulfill the
17    responsibilities of the Office;
18        (3) oversee statewide information security policies
19    and practices, including:
20            (A) directing and overseeing the development,
21        implementation, and communication of statewide
22        information security policies, standards, and
23        guidelines;
24            (B) overseeing the education of State agency
25        personnel regarding the requirement to identify and

 

 

10000HB3737sam001- 8 -LRB100 10533 JWD 25838 a

1        provide information security protections commensurate
2        with the risk and magnitude of the harm resulting from
3        the unauthorized access, use, disclosure, disruption,
4        modification, or destruction of information in a
5        critical information system;
6            (C) overseeing the development and implementation
7        of a statewide information security risk management
8        program;
9            (D) overseeing State agency compliance with the
10        requirements of this Section;
11            (E) coordinating Information Security policies and
12        practices with related information and personnel
13        resources management policies and procedures; and
14            (F) providing an effective and efficient process
15        to assist State agencies with complying with the
16        requirements of this Act.
17    (b) The Statewide Chief Information Security Officer
18shall:
19        (1) serve as the head of the Office and ensure the
20    execution of the responsibilities of the Office as set
21    forth in subsection (c) of Section 15, the Statewide Chief
22    Information Security Officer shall also oversee State
23    agency personnel with significant responsibilities for
24    information security and ensure a competent workforce that
25    keeps pace with the changing information security
26    environment;

 

 

10000HB3737sam001- 9 -LRB100 10533 JWD 25838 a

1        (2) develop and recommend information security
2    policies, standards, procedures, and guidelines to the
3    Secretary for statewide adoption and monitor compliance
4    with these policies, standards, guidelines, and procedures
5    through periodic testing;
6        (3) develop and maintain risk-based, cost-effective
7    information security programs and control techniques to
8    address all applicable security and compliance
9    requirements throughout the life cycle of State agency
10    information systems;
11        (4) establish the procedures, processes, and
12    technologies to rapidly and effectively identify threats,
13    risks, and vulnerabilities to State information systems,
14    and ensure the prioritization of the remediation of
15    vulnerabilities that pose risk to the State;
16        (5) develop and implement capabilities and procedures
17    for detecting, reporting, and responding to information
18    security incidents;
19        (6) establish and direct a statewide information
20    security risk management program to identify information
21    security risks in State agencies and deploy risk mitigation
22    strategies, processes, and procedures;
23        (7) establish the State's capability to sufficiently
24    protect the security of data through effective information
25    system security planning, secure system development,
26    acquisition, and deployment, the application of protective

 

 

10000HB3737sam001- 10 -LRB100 10533 JWD 25838 a

1    technologies and information system certification,
2    accreditation, and assessments;
3        (8) ensure that State agency personnel, including
4    contractors, are appropriately screened and receive
5    information security awareness training;
6        (9) convene meetings with agency heads and other State
7    officials to help ensure:
8            (A) the ongoing communication of risk and risk
9        reduction strategies,
10            (B) effective implementation of information
11        security policies and practices, and
12            (C) the incorporation of and compliance with
13        information security policies, standards, and
14        guidelines into the policies and procedures of the
15        agencies;
16        (10) provide operational and technical assistance to
17    State agencies in implementing policies, principles,
18    standards, and guidelines on information security,
19    including implementation of standards promulgated under
20    subparagraph (A) of paragraph (3) of subsection (a) of this
21    Section, and provide assistance and effective and
22    efficient means for State agencies to comply with the State
23    agency requirements under this Act;
24        (11) in coordination and consultation with the
25    Secretary and the Governor's Office of Management and
26    Budget, review State agency budget requests related to

 

 

10000HB3737sam001- 11 -LRB100 10533 JWD 25838 a

1    Information Security systems and provide recommendations
2    to the Governor's Office of Management and Budget;
3        (12) ensure the preparation and maintenance of plans
4    and procedures to provide cyber resilience and continuity
5    of operations for critical information systems that
6    support the operations of the State; and
7        (13) take such other actions as the Secretary may
8    direct.
 
9    Section 99. Effective date. This Act takes effect January
101, 2018, but this Act does not take effect at all unless Senate
11Bill 1606 of the 100th General Assembly becomes law.".