Section 282.318, Florida Statutes 2009
282.318 Enterprise security of data and information technology.--
(1) This section may be cited as the "Enterprise Security of Data and Information Technology Act."
(2) Information technology security is established as an enterprise information technology service as defined in s. 282.0041.[1]
(3) The Office of Information Security within the Agency for Enterprise Information Technology is responsible for establishing rules and publishing guidelines for ensuring an appropriate level of security for all data and information technology resources for executive branch agencies. The office shall also perform the following duties and responsibilities:
(a) Develop, and annually update by February 1, an enterprise information security strategic plan that includes security goals and objectives for the strategic issues of information security policy, risk management, training, incident management, and survivability planning.
(b) Develop enterprise security rules and published guidelines for:
1. Comprehensive risk analyses and information security audits conducted by state agencies.
2. Responding to suspected or confirmed information security incidents, including suspected or confirmed breaches of personal information or exempt data.
3. Agency security plans, including strategic security plans and security program plans.
4. The recovery of information technology and data following a disaster.
5. The managerial, operational, and technical safeguards for protecting state government data and information technology resources.
(c) Assist agencies in complying with the provisions of this section.
(d) Pursue appropriate funding for the purpose of enhancing domestic security.
(e) Provide training for agency information security managers.
(f) Annually review the strategic and operational information security plans of executive branch agencies.
(4) To assist the Office of Information Security in carrying out its responsibilities, each agency head shall, at a minimum:
(a) Designate an information security manager to administer the security program of the agency for its data and information technology resources. This designation must be provided annually in writing to the office by January 1.
(b) Submit to the office annually by July 31, the agency's strategic and operational information security plans developed pursuant to the rules and guidelines established by the office.
1. The agency strategic information security plan must cover a 3-year period and define security goals, intermediate objectives, and projected agency costs for the strategic issues of agency information security policy, risk management, security training, security incident response, and survivability. The plan must be based on the enterprise strategic information security plan created by the office. Additional issues may be included.
2. The agency operational information security plan must include a progress report for the prior operational information security plan and a project plan that includes activities, timelines, and deliverables for security objectives that, subject to current resources, the agency will implement during the current fiscal year. The cost of implementing the portions of the plan which cannot be funded from current resources must be identified in the plan.
(c) Conduct, and update every 3 years, a comprehensive risk analysis to determine the security threats to the data, information, and information technology resources of the agency. The risk analysis information is confidential and exempt from the provisions of s. 119.07(1), except that such information shall be available to the Auditor General and the Agency for Enterprise Information Technology for performing postauditing duties.
(d) Develop, and periodically update, written internal policies and procedures, which include procedures for notifying the office when a suspected or confirmed breach, or an information security incident, occurs. Such policies and procedures must be consistent with the rules and guidelines established by the office to ensure the security of the data, information, and information technology resources of the agency. The internal policies and procedures that, if disclosed, could facilitate the unauthorized modification, disclosure, or destruction of data or information technology resources are confidential information and exempt from s. 119.07(1), except that such information shall be available to the Auditor General and the Agency for Enterprise Information Technology for performing postauditing duties.
(e) Implement appropriate cost-effective safeguards to address identified risks to the data, information, and information technology resources of the agency.
(f) Ensure that periodic internal audits and evaluations of the agency's security program for the data, information, and information technology resources of the agency are conducted. The results of such audits and evaluations are confidential information and exempt from s. 119.07(1), except that such information shall be available to the Auditor General and the Agency for Enterprise Information Technology for performing postauditing duties.
(g) Include appropriate security requirements in the written specifications for the solicitation of information technology and information technology resources and services, which are consistent with the rules and guidelines established by the office.
(h) Provide security awareness training to employees and users of the agency's communication and information resources concerning information security risks and the responsibility of employees and users to comply with policies, standards, guidelines, and operating procedures adopted by the agency to reduce those risks.
(i) Develop a process for detecting, reporting, and responding to suspected or confirmed security incidents, including suspected or confirmed breaches consistent with the security rules and guidelines established by the office.
1. Suspected or confirmed information security incidents and breaches must be immediately reported to the office.
2. For incidents involving breaches, agencies shall provide notice in accordance with s. 817.5681 and to the office in accordance with this subsection.
(5) Each state agency shall include appropriate security requirements in the specifications for the solicitation of contracts for procuring information technology or information technology resources or services which are consistent with the rules and guidelines established by the Office of Information Security.
(6) The Agency for Enterprise Information Technology may adopt rules relating to information security and to administer the provisions of this section.
(7) By December 31, 2010, the Agency for Enterprise Information Technology shall develop, and submit to the Governor, the President of the Senate, and the Speaker of the House of Representatives a proposed implementation plan for information technology security. The agency shall describe the scope of operation, conduct costs and requirements analyses, conduct an inventory of all existing security information technology resources, and develop strategies, timeframes, and resources necessary for statewide migration.
History.--ss. 1, 2, 3, ch. 84-236; s. 28, ch. 87-137; s. 1, ch. 89-14; s. 7, ch. 90-160; s. 13, ch. 91-171; s. 234, ch. 92-279; s. 55, ch. 92-326; s. 22, ch. 94-340; s. 863, ch. 95-148; s. 131, ch. 96-406; s. 15, ch. 97-286; s. 25, ch. 2000-164; s. 26, ch. 2001-261; s. 18, ch. 2006-26; s. 10, ch. 2007-105; s. 12, ch. 2009-80.
[1] Note.--Substituted by the editors for a reference to s. 287.0041, which does not exist; the term "enterprise information technology service" is defined in s. 282.0041.