HOUSE OF REPRESENTATIVES
H.B. NO. 2755
TWENTY-EIGHTH LEGISLATURE, 2016
H.D. 1
STATE OF HAWAII

A BILL FOR AN ACT
RELATING TO INCIDENT RESPONSE.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
SECTION 1. The legislature finds that the State is under constant threat of security breaches and cyber-attacks. The State's executive branch department computer networks provide and control critical services to all of the State's residents. These networks are responsible for operations of the State's financial services, telecommunications, agricultural operations, legal affairs, transportation system, educational and career development programs, health care systems, and public safety response. Protection of these systems is of the utmost importance for the State.
The legislature further finds that an incident response plan for each state department prepares the departments to respond in the event a cyber-attack occurs. The chief information officer oversees cybersecurity and cyber resiliency matters within the state government. The legislature further finds that the chief information officer must protect the State through an incident response plan for each executive branch department in the State that shall work in concert as a comprehensive statewide plan.
The purpose of this Act is to require the chief information officer to work with each executive branch department in the State to develop and maintain an incident response plan against cyber-attacks.
SECTION 2. Section 27-43.5, Hawaii Revised Statutes, is amended to read as follows:
"[[]§27-43.5[]] Additional duties of the chief information officer relating to security of government information. (a) The chief information officer shall provide for periodic security audits of all executive branch departments and agencies regarding the protection of government information and data communication infrastructure.
(b) Security audits may include on-site audits as well as reviews of all written security procedures and documented practices. The chief information officer may contract with a private firm or firms that specialize in conducting security audits; provided that information protected from disclosure by federal or state law, including confidential tax information, shall not be disclosed. All executive branch departments, agencies, boards, or commissions subject to the security audits authorized by this section shall fully cooperate with the entity designated to perform the audit. The chief information officer may direct specific remedial actions to mitigate findings of insufficient administrative, technical, and physical controls necessary to protect state government information or data communication infrastructure.
(c) This section shall not infringe upon responsibilities assigned to the comptroller or the auditor by any state or federal law.
(d) The chief information officer shall develop and maintain an incident response plan for each executive branch department. As used in this subsection, "incident response plan" means a plan that provides for practices and activities that do not compromise the security of the systems being protected and the ability to:
(1) Complete vulnerability assessments;
(2) Identify potential cyber-attacks;
(3) Mitigate losses from cyber-attacks; and
(4) Recover quickly and efficiently from cyber-attacks.
(e) The chief information officer may request the assistance of other departments, agencies, and private companies, both inside and outside of the State, to carry out the duties of the chief information officer."
SECTION 3. Statutory material to be repealed is bracketed and stricken. New statutory material is underscored.
SECTION 4. This Act shall take effect upon its approval.
Report Title:
Cybersecurity; Incident Response Plan
Description:
Requires the Chief Information Officer to develop and maintain an incident response plan to cyber-attacks for each executive branch department in the State. Sets out the scope of an incident response plan. (HB2755 HD1)
The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.