77(R) HB 249 House committee report

HBA-SEP C.S.H.B. 249 77(R)BILL ANALYSIS


Office of House Bill AnalysisC.S.H.B. 249
By: Pitts
State Affairs
4/6/2001
Committee Report (Substituted)



BACKGROUND AND PURPOSE 

Under current law, the findings of a computer system vulnerability report
conducted on or by a state agency may be  required to be made accessible to
the public, a practice that could compromise the safety of the state
agency's electronically stored sensitive and confidential information.
C.S.H.B. 249 provides that a vulnerability report is not subject to
disclosure and requires a state agency, whose manager has prepared a
vulnerability report, to prepare a summary of the report that excludes
information that might compromise security to be made available to the
public on request.  

RULEMAKING AUTHORITY

It is the opinion of the Office of House Bill Analysis that this bill does
not expressly delegate any additional rulemaking authority to a state
officer, department, agency, or institution. 

ANALYSIS

C.S.H.B. 249 amends the Government Code to authorize the information
resources manager (manager) of a state agency to prepare a report assessing
the extent to which a computer, a computer program, a computer network, a
computer system, computer software, or data processing (computer
technology) of the agency or agency's contractor is vulnerable to
unauthorized access or harm, including the extent to which the
electronically stored information is vulnerable to alteration, damage, or
erasure.  A vulnerability report or information gathered in preparation of
a vulnerability report is confidential and is not subject to disclosure
except on request from the Department of Information Resources, the state
auditor, or any other information technology security oversight group
specifically authorized by the legislature to receive the report.  The bill
requires a state agency whose manager has prepared a vulnerability report
to prepare a summary of the report that does not contain information that
might compromise the security of the state agency's or agency contractor's
computer technology, or electronically stored information.  The summary is
required to be made available to the public on request.  

EFFECTIVE DATE

On passage, or if the Act does not receive the necessary vote, the Act
takes effect September 1, 2001. 

COMPARISON OF ORIGINAL TO SUBSTITUTE

C.S.H.B. 249 modifies the original by requiring the information resources
manager to provide a copy of the vulnerability report to the state auditor,
on request.