2005 Texas Government Code CHAPTER 2059. TEXAS COMPUTER NETWORK SECURITY SYSTEM

GOVERNMENT CODE

CHAPTER 2059. TEXAS COMPUTER NETWORK SECURITY SYSTEM

SUBCHAPTER A. GENERAL PROVISIONS


	§ 2059.001. DEFINITIONS.  In this chapter:                                  
		(1)  "Center" means the network security center 
established under this chapter.
		(2)  "Department" means the Department of Information 
Resources.            
		(3)  "Network security" means the protection of 
computer systems and technology assets from unauthorized external 
intervention or improper use.  The term includes detecting, 
identifying, and countering malicious network activity to prevent 
the acquisition of information or disruption of information 
technology operations.
		(4)  "State agency" has the meaning assigned by Section 
2151.002.           

Added by Acts 2005, 79th Leg., ch. 760, § 1, eff. Sept. 1, 2005.           

SUBCHAPTER B. GENERAL POWERS AND DUTIES


	§ 2059.051. DEPARTMENT RESPONSIBLE FOR PROVIDING COMPUTER 
NETWORK SECURITY SERVICES.  The department shall provide network 
security services to:
		(1)  state agencies;  and                                                     
		(2)  other entities by agreement as provided by Section 
2059.058.           

Added by Acts 2005, 79th Leg., ch. 760, § 1, eff. Sept. 1, 2005.           


	§ 2059.052. SERVICES PROVIDED TO INSTITUTIONS OF HIGHER 
EDUCATION.  The department may provide network security services 
to an institution of higher education, and may include an 
institution of higher education in a center, only if and to the 
extent approved by the Information Technology Council for Higher 
Education.

Added by Acts 2005, 79th Leg., ch. 760, § 1, eff. Sept. 1, 2005.           


	§ 2059.053. RULES.  The department may adopt rules 
necessary to implement this chapter.

Added by Acts 2005, 79th Leg., ch. 760, § 1, eff. Sept. 1, 2005.           


	§ 2059.054. OWNERSHIP OR LEASE OF NECESSARY 
EQUIPMENT.  The department may purchase in accordance with 
Chapters 2155, 2156, 2157, and 2158 any facilities or equipment 
necessary to provide network security services to state agencies.

Added by Acts 2005, 79th Leg., ch. 760, § 1, eff. Sept. 1, 2005.           


	§ 2059.055. RESTRICTED INFORMATION.  (a) Confidential 
network security information may be released only to officials 
responsible for the network, law enforcement, the state auditor's 
office, and agency or elected officials designated by the 
department.
	(b)  Network security information is confidential under this 
section if the information is:
		(1)  related to passwords, personal identification 
numbers, access codes, encryption, or other components of the 
security system of a state agency;
		(2)  collected, assembled, or maintained by or for a 
governmental entity to prevent, detect, or investigate criminal 
activity;  or
		(3)  related to an assessment, made by or for a 
governmental entity or maintained by a governmental entity, of the 
vulnerability of a network to criminal activity.

Added by Acts 2005, 79th Leg., ch. 760, § 1, eff. Sept. 1, 2005.           


	§ 2059.056. RESPONSIBILITY FOR EXTERNAL AND INTERNAL 
SECURITY THREATS.  If the department provides network security 
services for a state agency or other entity under this chapter, the 
department is responsible for network security from external 
threats for that agency or entity.  Network security management for 
that state agency or entity regarding internal threats remains the 
responsibility of that state agency or entity.

Added by Acts 2005, 79th Leg., ch. 760, § 1, eff. Sept. 1, 2005.           


	§ 2059.057. BIENNIAL REPORT.  (a) The department shall 
biennially prepare a report on:
		(1)  the department's accomplishment of service 
objectives and other performance measures under this chapter;  and
		(2)  the status, including the financial performance, 
of the consolidated network security system provided through the 
center.
	(b)  The department shall submit the report to:                                
		(1)  the governor;                                                            
		(2)  the lieutenant governor;                                                 
		(3)  the speaker of the house of representatives;  and                        
		(4)  the state auditor's office.                                              

Added by Acts 2005, 79th Leg., ch. 760, § 1, eff. Sept. 1, 2005.           


	§ 2059.058. AGREEMENT TO PROVIDE NETWORK SECURITY 
SERVICES TO ENTITIES OTHER THAN STATE AGENCIES.  (a) In this 
section, a "special district" means:
		(1)  a school district;                                                       
		(2)  a hospital district;                                                     
		(3)  a water district;  or                                                    
		(4)  a district or special water authority, as defined 
by Section 49.001, Water Code.
	(b)  In addition to the department's duty to provide network 
security services to state agencies under this chapter, the 
department by agreement may provide network security to:
		(1)  each house of the legislature;                                           
		(2)  an agency that is not a state agency, including a 
legislative agency;  
		(3)  a political subdivision of this state, including a 
county, municipality, or special district;  and
		(4)  an independent organization, as defined by Section 
39.151, Utilities Code.

Added by Acts 2005, 79th Leg., ch. 760, § 1, eff. Sept. 1, 2005.           


	§ 2059.059. TRANSITION TO THE CENTER.                                       

Text of section effective until September 1, 2011
	(a)  The department shall provide network security services 
for a state agency if the department makes that state agency's 
network a part of the consolidated state network through the 
center.
	(b)  Before the construction and operation of the center, the 
department may provide network security services through 
agreements with entities that provide those services using existing 
network security centers or operations.
	(c)  If the state agency or entity pays its proportional 
share of the network security services costs under this chapter, 
the department shall provide network security services to that 
state agency or other entity before the department makes the state 
agency's network a part of the consolidated state network.
	(d)  This section expires September 1, 2011.                                   

Added by Acts 2005, 79th Leg., ch. 760, § 1, eff. Sept. 1, 2005.           

SUBCHAPTER C. NETWORK SECURITY CENTER


	§ 2059.101. NETWORK SECURITY CENTER.  The department 
shall establish a network security center to provide network 
security services to state agencies.

Added by Acts 2005, 79th Leg., ch. 760, § 1, eff. Sept. 1, 2005.           


	§ 2059.102. MANAGEMENT AND USE OF NETWORK SECURITY 
SYSTEM.  (a) The department shall manage the operation of network 
security system services for all state agencies at the center.
	(b)  The department shall fulfill the network security 
requirements of each state agency to the extent practicable.  
However, the department shall protect criminal justice and homeland 
security networks of this state to the fullest extent possible in 
accordance with federal criminal justice and homeland security 
network standards.
	(c)  All state agencies shall use the network security 
services provided through the center to the fullest extent 
possible.
	(d)  A state agency may not purchase network security 
services unless the department determines that the agency's 
requirement for network security services cannot be met at a 
comparable cost through the center.  The department shall develop 
an efficient process for this determination.

Added by Acts 2005, 79th Leg., ch. 760, § 1, eff. Sept. 1, 2005.           


	§ 2059.103. CENTER LOCATION AND PHYSICAL SECURITY.  (a) 
The department shall locate the center at a location that has an 
existing secure and restricted facility, cyber-security 
infrastructure, available trained workforce, and supportive 
educational capabilities.
	(b)  The department shall control and monitor all entrances 
and critical areas to prevent unauthorized entry.  The department 
shall limit access to authorized individuals.
	(c)  Local law enforcement or security agencies shall 
monitor security alarms at the center according to service 
availability.
	(d)  The department shall restrict operational information 
to personnel at the center, except as provided by Chapter 321.

Added by Acts 2005, 79th Leg., ch. 760, § 1, eff. Sept. 1, 2005.           


	§ 2059.104. CENTER SERVICES AND SUPPORT.  (a) The 
department shall provide the following managed security services 
through the center:
		(1)  real-time network security monitoring to detect 
and respond to network security events that may jeopardize this 
state and the residents of this state, including vulnerability 
assessment services consisting of a comprehensive security posture 
assessment, external and internal threat analysis, and penetration 
testing;
		(2)  continuous, 24-hour alerts and guidance for 
defeating network security threats, including firewall 
preconfiguration, installation, management and monitoring, 
intelligence gathering, protocol analysis, and user 
authentication;
		(3)  immediate incident response to counter network 
security activity that exposes this state and the residents of this 
state to risk, including complete intrusion detection systems 
installation, management, and monitoring and a network operations 
call center;
		(4)  development, coordination, and execution of 
statewide cyber-security operations to isolate, contain, and 
mitigate the impact of network security incidents at state 
agencies;
		(5)  operation of a central authority for all statewide 
information assurance programs;  and
		(6)  the provision of educational services regarding 
network security.      
	(b)  The department may provide:                                               
		(1)  implementation of best-of-breed information 
security architecture engineering services, including public key 
infrastructure development, design, engineering, custom software 
development, and secure web design;  or
		(2)  certification and accreditation to ensure 
compliance with the applicable regulatory requirements for 
cyber-security and information technology risk management, 
including the use of proprietary tools to automate the assessment 
and enforcement of compliance.

Added by Acts 2005, 79th Leg., ch. 760, § 1, eff. Sept. 1, 2005.           


	§ 2059.105. NETWORK SECURITY GUIDELINES AND STANDARD 
OPERATING PROCEDURES.  (a) The department shall adopt and provide 
to all state agencies appropriate network security guidelines and 
standard operating procedures to ensure efficient operation of the 
center with a maximum return on investment for the state.
	(b)  The department shall revise the standard operating 
procedures as necessary to confirm network security.
	(c)  Each state agency shall comply with the network security 
policies, guidelines, and standard operating procedures.

Added by Acts 2005, 79th Leg., ch. 760, § 1, eff. Sept. 1, 2005.           


	§ 2059.106. PRIVATE VENDOR.  The department may contract 
with a private vendor to build and operate the center and act as an 
authorized agent to acquire, install, integrate, maintain, 
configure, and monitor the network security services and security 
infrastructure elements.

Added by Acts 2005, 79th Leg., ch. 760, § 1, eff. Sept. 1, 2005.           

SUBCHAPTER D. FINANCIAL PROVISIONS


	§ 2059.151. PAYMENT FOR SERVICES.  The department shall 
develop a system of billings and charges for services provided in 
operating and administering the network security system that 
allocates the total state cost to each state agency or other entity 
served by the system based on proportionate usage.

Added by Acts 2005, 79th Leg., ch. 760, § 1, eff. Sept. 1, 2005.           


	§ 2059.152. REVOLVING FUND ACCOUNT.  (a) The comptroller 
shall establish in the state treasury a revolving fund account for 
the administration of this chapter.  The account must be used as a 
depository for money received from state agencies and other 
entities served under this chapter.  Receipts attributable to the 
centralized network security system must be deposited into the 
account and separately identified within the account.
	(b)  The legislature may appropriate money for operating the 
system directly to the department, in which case the revolving fund 
account must be used to receive money due from local governmental 
entities and other agencies to the extent that their money is not 
subject to legislative appropriation.
	(c)  The department shall maintain in the revolving fund 
account sufficient amounts to pay the liabilities of the center and 
related network security services.

Added by Acts 2005, 79th Leg., ch. 760, § 1, eff. Sept. 1, 2005.           


	§ 2059.153. GRANTS.  The department may apply for and use 
for purposes of this chapter the proceeds from grants offered by any 
federal agency or other source.

Added by Acts 2005, 79th Leg., ch. 760, § 1, eff. Sept. 1, 2005.