Texas passed House Bill 8 relating to cybersecurity for state agency information resources. The bill sets mandatory practices for state agencies, institutes continuous monitoring and auditing of network systems, adds protections for student data privacy, and updates the penalties for cybercrimes.
As Texas House Speaker Joe Straus commented, state agencies are now expected to be “good stewards of private data.” A cybersecurity council oversees the state agencies to ensure that they follow all new requirements and that they research and report back on cybersecurity threats on a regular basis. Cybersecurity practices are now considered by the Sunset Advisory Commission, an agency of the Texas Legislature, when determining whether to reform, continue, or abolish a Texas state agency.
The bill also requires the Department of Information Resources, or DIR, to implement a five-year plan to address cybersecurity risks. The DIR will establish an information sharing and analysis center (ISAC) to share news regarding cybersecurity threats, best practices, and remediation advice. It will also provide mandatory training for state agencies.
According to Texas Government Code § 2054.515(a-b), state agencies are now required to “conduct an information security assessment of the agency’s network systems, data storage systems, data security measures, and information resources vulnerabilities at least once every two years and to report the results to the DIR.” State agencies are also required to submit a data security plan and show proof of penetration tests of their website and mobile applications every other year. Colleges and universities in Texas are also required to protect the confidentiality of information on their website or mobile applications. If an agency or institution experiences a data breach, it is mandated to inform all affected parties of the incident.
Lastly, the Texas secretary of state is required to test the election infrastructure for vulnerabilities and report back on findings. The findings need to be made publicly available.
Veracode can help.
If you are a state agency or educational institution operating in Texas, Veracode can provide you with the application security testing tools necessary to remain compliant with state regulations. As Nikki Veit, Director of Application Development for the State of Missouri, expressed, “When we first started scanning, there were a lot of non-compliant applications. But Veracode was really easy to use, and developers were able to go in and scan early and often. In the first eight months, we had 18,000 flaws fixed. It was just phenomenal.”
Check out our success story for the State of Missouri to see how we helped them scale an AppSec program across 365 applications and 14 state agencies.