Bill Text - HB519 (2023)

Relative to establishing a chief information security officer for the department of information technology.


Revision: Jan. 11, 2023, 1:46 p.m.

HB 519-FN - AS INTRODUCED

 

 

2023 SESSION

23-0488

06/10

 

HOUSE BILL 519-FN

 

AN ACT relative to establishing a chief information security officer for the department of information technology.

 

SPONSORS: Rep. Edwards, Rock. 31; Rep. Spillane, Rock. 2; Sen. Lang, Dist 2

 

COMMITTEE: Executive Departments and Administration

 

─────────────────────────────────────────────────────────────────

 

ANALYSIS

 

This bill establishes a chief information security officer for the department of information technology.

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.

23-0488

06/10

 

STATE OF NEW HAMPSHIRE

 

In the Year of Our Lord Two Thousand Twenty Three

 

AN ACT relative to establishing a chief information security officer for the department of information technology.

 

Be it Enacted by the Senate and House of Representatives in General Court convened:

 

1  New Subparagraph; Department of Information Technology; Commissioner; Directors; Chief Information Security Officer.  Amend RSA 21-R:3 by inserting after subparagraph I-a the following new subparagraph:

I-b.  The commissioner shall appoint a chief information security officer, who shall be qualified to hold that position by reason of education and experience.  The chief information security officer shall perform such duties described in RSA 21-R:4-a and as may be assigned by the commissioner, which may include, but not be limited to, the authority and power with approval of the commissioner to direct the formulation and implementation of cybersecurity and information security strategy, direction, policy, procedures, and standards across the executive branch of the state government.

2  Department of Information Technology; Commissioner; Directors; Compensation; Chief Information Security Officer.  Amend RSA 21-R:3, III to read as follows:

III.  The salaries of the commissioner, deputy commissioner, chief information security officer, and division directors shall be as specified in RSA 94:1-a.

3  New Paragraph; Department of Information Technology; Duties of the Commissioner; Establishing Cybersecurity Integration Center.  Amend RSA 21-R:4 by inserting after paragraph XX the following new paragraph:

XXI.  Establish and maintain within the department a cybersecurity integration center to serve as the unified state center for coordinating cybersecurity monitoring, sharing information, distributing cybersecurity threat analysis, and enabling situational awareness between and among executive branch agencies and departments.

4  New Section; Duties of the Chief Information Security Officer.  Amend RSA 21-R by inserting after section 4 the following new section:

21-R:4-a  Duties of the Chief Information Security Officer.  The chief information security officer shall be responsible for the following:

I.  Chairing the cybersecurity advisory committee.

II.  Developing, publishing maintaining, and interpreting the statewide information security manual’s policies and standards.

III.  Developing, managing, and executing the statewide cyber disruption plan and an information security event response process.

IV.  Staffing and training members of ESF-17 under the state emergency operations plan.

V.  Identifying security requirements to limit the risks associated with identified executive branch business objectives as defined by the governor and the heads of state agencies.

VI.  Providing information security subject matter expertise to the executive branch of the New Hampshire state government.

VII.  Drafting and implementing an information security awareness and training program to be used by all state agencies.

VIII.  Providing security metrics to track the performance of the information security program.

IX.  Developing an information security governance and risk program, including, but not limited to:

(a)  Coordinating and conducting risk assessments of agencies and their information assets.

(b)  Conducting and managing vulnerability assessments of agency networks, applications, databases, and systems.

(c)  Conducting penetration tests of agency networks, applications, databases, and systems.

(d)  Conducting information security risk assessments of third parties with access to state of New Hampshire information assets.

X.  Serving as the chief of the New Hampshire cyber integration center.

5  Effective Date.  This act shall take effect 60 days after its passage.

 

LBA

23-0488

Revised 1/11/23

 

HB 519-FN- FISCAL NOTE

AS INTRODUCED

 

AN ACT relative to establishing a chief information security officer for the department of information technology.

 

FISCAL IMPACT: [   ] State [   ] County [   ] Local [ X ] None

 

METHODOLOGY:

The Department of Information Technology states this bill has no fiscal impact on state, county and local expenditures or revenue.

 

 

AGENCIES CONTACTED:

Department of Information Technology