|
| | 104TH GENERAL ASSEMBLY
State of Illinois
2025 and 2026
HB1631 Introduced 1/28/2025, by Rep. Abdelnasser Rashid SYNOPSIS AS INTRODUCED:
| | 20 ILCS 1370/1-5 | | 20 ILCS 1370/1-10 | | 20 ILCS 1370/1-15 | | 20 ILCS 1370/1-25 | | 20 ILCS 1370/1-75 rep. | | 20 ILCS 1375/5-5 | | 20 ILCS 1375/5-15 | | 20 ILCS 1375/5-25 | | 20 ILCS 1375/5-35 new | |
| Amends the Department of Innovation and Technology Act. Repeals the definition of "client agency" and makes changes in the definitions of "dedicated unit", "State agency", and "transferring agency". Replaces references to "transferring agency" with references to "transferred agency". Makes changes in provisions concerning the powers and duties of the Department of Innovation and Technology, including changes in the scope of services provided by the Department and in the classes of persons to whom those services are to be provided. Authorizes the Department to charge fees for service to all State agencies under the jurisdiction of the Governor (rather than only client agencies). Repeals from the Department of Innovation and Technology Act and adds to the Illinois Information Security Improvement Act a provision requiring the principal executive officer of specified units of local government to designate a local official or employee as the primary point of contact for local cybersecurity issues. Requires the name and contact information for the specified individual to be provided to the Statewide Chief Information Security Officer. Further amends the Illinois Information Security Improvement Act. Makes changes concerning the duties of the Office of the Statewide Chief Information Security Officer and the Secretary of Innovation and Technology. Changes the definition of "State agency". |
| |
| | A BILL FOR |
|
|
| | HB1631 | | LRB104 07727 BDA 17772 b |
|
|
| 1 | | AN ACT concerning State government.
|
| 2 | | Be it enacted by the People of the State of Illinois, |
| 3 | | represented in the General Assembly:
|
| 4 | | Section 5. The Department of Innovation and Technology Act |
| 5 | | is amended by changing Sections 1-5, 1-10, 1-15, and 1-25 as |
| 6 | | follows:
|
| 7 | | (20 ILCS 1370/1-5) |
| 8 | | Sec. 1-5. Definitions. In this Act: |
| 9 | | "Client agency" means each transferring agency, or its |
| 10 | | successor, and any other public agency to which the Department |
| 11 | | provides service to the extent specified in an interagency |
| 12 | | agreement with the public agency. |
| 13 | | "Dedicated unit" means the dedicated bureau, division, |
| 14 | | office, or other unit within a transferred transferring agency |
| 15 | | that is responsible for the information technology functions |
| 16 | | of the transferred transferring agency. |
| 17 | | "Department" means the Department of Innovation and |
| 18 | | Technology. |
| 19 | | "Information technology" means technology, |
| 20 | | infrastructure, equipment, systems, software, networks, and |
| 21 | | processes used to create, send, receive, and store electronic |
| 22 | | or digital information, including, without limitation, |
| 23 | | computer systems and telecommunication services and systems. |
|
| | HB1631 | - 2 - | LRB104 07727 BDA 17772 b |
|
|
| 1 | | "Information technology" shall be construed broadly to |
| 2 | | incorporate future technologies that change or supplant those |
| 3 | | in effect as of the effective date of this Act. |
| 4 | | "Information technology functions" means the development, |
| 5 | | procurement, installation, retention, maintenance, operation, |
| 6 | | possession, storage, and related functions of all information |
| 7 | | technology. |
| 8 | | "Secretary" means the Secretary of Innovation and |
| 9 | | Technology. |
| 10 | | "State agency" means each State agency, department, board, |
| 11 | | and commission under the jurisdiction of the Governor to which |
| 12 | | the Department provides services. |
| 13 | | "Transferred Transferring agency" means the Department on |
| 14 | | Aging; the Departments of Agriculture, Central Management |
| 15 | | Services, Children and Family Services, Commerce and Economic |
| 16 | | Opportunity, Corrections, Employment Security, Financial and |
| 17 | | Professional Regulation, Healthcare and Family Services, Human |
| 18 | | Rights, Human Services, Insurance, Juvenile Justice, Labor, |
| 19 | | Lottery, Military Affairs, Natural Resources, Public Health, |
| 20 | | Revenue, Transportation, and Veterans' Affairs; the Illinois |
| 21 | | State Police; the Capital Development Board; the Deaf and Hard |
| 22 | | of Hearing Commission; the Environmental Protection Agency; |
| 23 | | the Governor's Office of Management and Budget; the |
| 24 | | Guardianship and Advocacy Commission; the Abraham Lincoln |
| 25 | | Presidential Library and Museum; the Illinois Arts Council; |
| 26 | | the Illinois Council on Developmental Disabilities; the |
|
| | HB1631 | - 3 - | LRB104 07727 BDA 17772 b |
|
|
| 1 | | Illinois Emergency Management Agency; the Illinois Gaming |
| 2 | | Board; the Illinois Liquor Control Commission; the Office of |
| 3 | | the State Fire Marshal; the Prisoner Review Board; and the |
| 4 | | Department of Early Childhood. |
| 5 | | (Source: P.A. 102-376, eff. 1-1-22; 102-538, eff. 8-20-21; |
| 6 | | 102-813, eff. 5-13-22; 102-870, eff. 1-1-23; 103-588, eff. |
| 7 | | 6-5-24.)
|
| 8 | | (20 ILCS 1370/1-10) |
| 9 | | Sec. 1-10. Transfer of functions. On and after March 25, |
| 10 | | 2016 (the effective date of Executive Order 2016-001): |
| 11 | | (a) (Blank). |
| 12 | | (b) (Blank). |
| 13 | | (c) The personnel of each transferred transferring agency |
| 14 | | designated by the Governor are transferred to the Department. |
| 15 | | The status and rights of the employees and the State of |
| 16 | | Illinois or its transferred transferring agencies under the |
| 17 | | Personnel Code, the Illinois Public Labor Relations Act, and |
| 18 | | applicable collective bargaining agreements or under any |
| 19 | | pension, retirement, or annuity plan shall not be affected by |
| 20 | | this Act. Under the direction of the Governor, the Secretary, |
| 21 | | in consultation with the transferred transferring agencies and |
| 22 | | labor organizations representing the affected employees, shall |
| 23 | | identify each position and employee who is engaged in the |
| 24 | | performance of functions transferred to the Department, or |
| 25 | | engaged in the administration of a law the administration of |
|
| | HB1631 | - 4 - | LRB104 07727 BDA 17772 b |
|
|
| 1 | | which is transferred to the Department, to be transferred to |
| 2 | | the Department. An employee engaged primarily in providing |
| 3 | | administrative support for information technology functions |
| 4 | | may be considered engaged in the performance of functions |
| 5 | | transferred to the Department. |
| 6 | | (d) All books, records, papers, documents, property (real |
| 7 | | and personal), contracts, causes of action, and pending |
| 8 | | business pertaining to the powers, duties, rights, and |
| 9 | | responsibilities relating to dedicated units and information |
| 10 | | technology functions transferred under this Act to the |
| 11 | | Department, including, but not limited to, material in |
| 12 | | electronic or magnetic format and necessary computer hardware |
| 13 | | and software, shall be transferred to the Department. |
| 14 | | (e) All unexpended appropriations and balances and other |
| 15 | | funds available for use relating to dedicated units and |
| 16 | | information technology functions transferred under this Act |
| 17 | | shall be transferred for use by the Department at the |
| 18 | | direction of the Governor. Unexpended balances so transferred |
| 19 | | shall be expended only for the purpose for which the |
| 20 | | appropriations were originally made. |
| 21 | | (f) The powers, duties, rights, and responsibilities |
| 22 | | relating to dedicated units and information technology |
| 23 | | functions transferred by this Act shall be vested in and shall |
| 24 | | be exercised by the Department. |
| 25 | | (g) Whenever reports or notices are now required to be |
| 26 | | made or given or papers or documents furnished or served by any |
|
| | HB1631 | - 5 - | LRB104 07727 BDA 17772 b |
|
|
| 1 | | person to or upon each dedicated unit in connection with any of |
| 2 | | the powers, duties, rights, and responsibilities relating to |
| 3 | | information technology functions transferred by this Act, the |
| 4 | | same shall be made, given, furnished, or served in the same |
| 5 | | manner to or upon the Department. |
| 6 | | (h) This Act does not affect any act done, ratified, or |
| 7 | | canceled or any right occurring or established or any action |
| 8 | | or proceeding had or commenced in an administrative, civil, or |
| 9 | | criminal cause by each dedicated unit relating to information |
| 10 | | technology functions before the transfer of responsibilities |
| 11 | | under this Act; such actions or proceedings may be prosecuted |
| 12 | | and continued by the Department. |
| 13 | | (i) (Blank). |
| 14 | | (j) (Blank). |
| 15 | | (Source: P.A. 102-376, eff. 1-1-22.)
|
| 16 | | (20 ILCS 1370/1-15) |
| 17 | | Sec. 1-15. Powers and duties. |
| 18 | | (a) The head officer of the Department is the Secretary, |
| 19 | | who shall be the chief information officer for the State and |
| 20 | | the steward of State data with respect to those transferred |
| 21 | | agencies under the jurisdiction of the Governor. The Secretary |
| 22 | | shall be appointed by the Governor, with the advice and |
| 23 | | consent of the Senate. The Department may employ or retain |
| 24 | | other persons to assist in the discharge of its functions, |
| 25 | | subject to the Personnel Code. |
|
| | HB1631 | - 6 - | LRB104 07727 BDA 17772 b |
|
|
| 1 | | (b) The Department shall promote best-in-class innovation |
| 2 | | and technology to transferred client agencies to foster |
| 3 | | collaboration among client agencies, empower client agencies |
| 4 | | to provide better service to residents of Illinois, and |
| 5 | | maximize the value of taxpayer resources. The Department shall |
| 6 | | be responsible for information technology functions on behalf |
| 7 | | of transferred client agencies. |
| 8 | | (c) When requested and when in the best interest of the |
| 9 | | State, the The Department may shall provide for and assist |
| 10 | | with coordinate information technology for non-transferred |
| 11 | | State agencies, and, when requested and when in the best |
| 12 | | interests of the State, for State constitutional offices, |
| 13 | | units of federal or local governments, and public and |
| 14 | | not-for-profit institutions of primary, secondary, and higher |
| 15 | | education, or other parties not associated with State |
| 16 | | government. The Department shall establish charges for |
| 17 | | information technology for State agencies, and, when |
| 18 | | requested, for State constitutional offices, units of federal |
| 19 | | or local government, and public and not-for-profit |
| 20 | | institutions of primary, secondary, or higher education and |
| 21 | | for use by other parties not associated with State government |
| 22 | | for any services requested or provided. Entities charged for |
| 23 | | these services shall make payment to the Department. The |
| 24 | | Department may instruct all State agencies to report their |
| 25 | | usage of information technology regularly to the Department in |
| 26 | | the manner the Secretary may prescribe. |
|
| | HB1631 | - 7 - | LRB104 07727 BDA 17772 b |
|
|
| 1 | | (d) The Department shall establish principles develop and |
| 2 | | implement standards for the protection of , policies, and |
| 3 | | procedures to protect the security and interoperability of |
| 4 | | State data with respect to State those agencies under the |
| 5 | | jurisdiction of the Governor, including in particular data |
| 6 | | that are confidential, sensitive, or protected from disclosure |
| 7 | | by privacy or other laws, while recognizing and balancing the |
| 8 | | need for collaboration and public transparency. |
| 9 | | (e) The Department shall be responsible for providing the |
| 10 | | Governor with timely, comprehensive, and meaningful |
| 11 | | information pertinent to the formulation and execution of |
| 12 | | fiscal policy. In performing this responsibility, the |
| 13 | | Department shall have the power to do the following: |
| 14 | | (1) Control the procurement, retention, installation, |
| 15 | | maintenance, and operation, as specified by the |
| 16 | | Department, of information technology equipment used by |
| 17 | | State client agencies in such a manner as to achieve |
| 18 | | maximum economy and provide appropriate assistance in the |
| 19 | | development of information suitable for management |
| 20 | | analysis. |
| 21 | | (2) Establish principles and standards for the |
| 22 | | implementation of information technology-related |
| 23 | | reporting by State client agencies and priorities for |
| 24 | | completion of research by those agencies in accordance |
| 25 | | with the requirements for management analysis specified by |
| 26 | | the Department. State agencies shall work with the |
|
| | HB1631 | - 8 - | LRB104 07727 BDA 17772 b |
|
|
| 1 | | Department to follow the principles and standards |
| 2 | | developed by the Department. |
| 3 | | (3) Establish charges for information technology and |
| 4 | | related services requested by transferred client agencies |
| 5 | | and rendered by the Department. The Department is likewise |
| 6 | | empowered to establish prices or charges for all |
| 7 | | information technology reports purchased by State agencies |
| 8 | | and governmental entities individuals not connected with |
| 9 | | State government using the Department's services. |
| 10 | | (4) Instruct all State client agencies to report |
| 11 | | regularly to the Department, in the manner the Department |
| 12 | | may prescribe, their usage of information technology, the |
| 13 | | cost incurred, the information produced, and the |
| 14 | | procedures followed in obtaining the information. All |
| 15 | | State client agencies shall request from the Department |
| 16 | | assistance and consultation in securing any necessary |
| 17 | | information technology to support their requirements. |
| 18 | | (5) Examine the accounts and information |
| 19 | | technology-related data of any organization, body, or |
| 20 | | agency receiving appropriations from the General Assembly, |
| 21 | | except for a State constitutional office, the Office of |
| 22 | | the Executive Inspector General, or any office of the |
| 23 | | legislative or judicial branches of State government. For |
| 24 | | a State constitutional office, the Office of the Executive |
| 25 | | Inspector General, or any office of the legislative or |
| 26 | | judicial branches of State government, the Department |
|
| | HB1631 | - 9 - | LRB104 07727 BDA 17772 b |
|
|
| 1 | | shall have the power to examine the accounts and |
| 2 | | information technology-related data of the State |
| 3 | | constitutional office, the Office of the Executive |
| 4 | | Inspector General, or any office of the legislative or |
| 5 | | judicial branches of State government when requested by |
| 6 | | those offices. |
| 7 | | (6) Install and operate a modern information |
| 8 | | technology system for State agencies using equipment |
| 9 | | adequate to satisfy the requirements for analysis and |
| 10 | | review as specified by the Department. Expenditures for |
| 11 | | information technology and related services rendered shall |
| 12 | | be reimbursed by the recipients. The reimbursement shall |
| 13 | | be determined by the Department as amounts sufficient to |
| 14 | | reimburse the Technology Management Revolving Fund for |
| 15 | | expenditures incurred in rendering the services. |
| 16 | | (f) In addition to the other powers and duties listed in |
| 17 | | subsection (e), the Department shall analyze the present and |
| 18 | | future aims, needs, and requirements of information |
| 19 | | technology, research, and planning for State agencies in order |
| 20 | | to provide for the formulation of overall policy relative to |
| 21 | | the use of information technology and related equipment by the |
| 22 | | State of Illinois. In making this analysis, the Department |
| 23 | | shall formulate a master plan for information technology, |
| 24 | | using information technology most advantageously, and advising |
| 25 | | whether information technology should be leased or purchased |
| 26 | | by the State. The Department shall prepare and submit interim |
|
| | HB1631 | - 10 - | LRB104 07727 BDA 17772 b |
|
|
| 1 | | reports of meaningful developments and proposals for |
| 2 | | legislation to the Governor on or before January 30 each year. |
| 3 | | The Department shall engage in a continuing analysis and |
| 4 | | evaluation of the master plan so developed, and it shall be the |
| 5 | | responsibility of the Department to recommend from time to |
| 6 | | time any needed amendments and modifications of any master |
| 7 | | plan enacted by the General Assembly. |
| 8 | | (g) The Department may make information technology and the |
| 9 | | use of information technology available to units of local |
| 10 | | government, elected State officials, State educational |
| 11 | | institutions, the judicial branch, the legislative branch, and |
| 12 | | all other governmental units of the State requesting them. The |
| 13 | | Department shall establish prices and charges for the |
| 14 | | information technology so furnished and for the use of the |
| 15 | | information technology. The prices and charges shall be |
| 16 | | sufficient to reimburse the cost of furnishing the services |
| 17 | | and use of information technology. |
| 18 | | (h) The Department may establish principles and standards |
| 19 | | to provide consistency in the operation and use of information |
| 20 | | technology by State agencies. State agencies shall work with |
| 21 | | the Department to follow the principles and standards |
| 22 | | developed by the Department. |
| 23 | | (i) The Department may adopt rules under the Illinois |
| 24 | | Administrative Procedure Act necessary to carry out its |
| 25 | | responsibilities under this Act. |
| 26 | | (Source: P.A. 102-376, eff. 1-1-22.)
|
|
| | HB1631 | - 11 - | LRB104 07727 BDA 17772 b |
|
|
| 1 | | (20 ILCS 1370/1-25) |
| 2 | | Sec. 1-25. Charges for services; non-State funding. The |
| 3 | | Department may establish charges for services rendered by the |
| 4 | | Department to State client agencies from funds provided |
| 5 | | directly to the State client agency by appropriation or |
| 6 | | otherwise. In establishing charges, the Department shall |
| 7 | | consult with State client agencies to make charges transparent |
| 8 | | and clear and seek to minimize or avoid charges for costs for |
| 9 | | which the Department has other funding sources available. |
| 10 | | State Client agencies shall continue to apply for and |
| 11 | | otherwise seek federal funds and other capital and operational |
| 12 | | resources for technology for which the agencies are eligible |
| 13 | | and, subject to compliance with applicable laws, regulations, |
| 14 | | and grant terms, make those funds available for use by the |
| 15 | | Department. |
| 16 | | (Source: P.A. 102-870, eff. 1-1-23.)
|
| 17 | | (20 ILCS 1370/1-75 rep.) |
| 18 | | Section 10. The Department of Innovation and Technology |
| 19 | | Act is amended by repealing Section 1-75.
|
| 20 | | Section 15. The Illinois Information Security Improvement |
| 21 | | Act is amended by changing Sections 5-5, 5-15, and 5-25 and by |
| 22 | | adding Section 5-35 as follows:
|
|
| | HB1631 | - 12 - | LRB104 07727 BDA 17772 b |
|
|
| 1 | | (20 ILCS 1375/5-5) |
| 2 | | Sec. 5-5. Definitions. As used in this Act: |
| 3 | | "Critical information system" means any information system |
| 4 | | (including any telecommunications system) used or operated by |
| 5 | | a State agency or by a contractor of a State agency or other |
| 6 | | organization or entity on behalf of a State agency: that |
| 7 | | contains health insurance information, medical information, or |
| 8 | | personal information as defined in the Personal Information |
| 9 | | Protection Act; where the unauthorized disclosure, |
| 10 | | modification, destruction of information in the information |
| 11 | | system could be expected to have a serious, severe, or |
| 12 | | catastrophic adverse effect on State agency operations, |
| 13 | | assets, or individuals; or where the disruption of access to |
| 14 | | or use of the information or information system could be |
| 15 | | expected to have a serious, severe, or catastrophic adverse |
| 16 | | effect on State operations, assets, or individuals. |
| 17 | | "Department" means the Department of Innovation and |
| 18 | | Technology. |
| 19 | | "Information security" means protecting information and |
| 20 | | information systems from unauthorized access, use, disclosure, |
| 21 | | disruption, modification, or destruction in order to provide: |
| 22 | | integrity, which means guarding against improper information |
| 23 | | modification or destruction, and includes ensuring information |
| 24 | | non-repudiation and authenticity; confidentiality, which means |
| 25 | | preserving authorized restrictions on access and disclosure, |
| 26 | | including means for protecting personal privacy and |
|
| | HB1631 | - 13 - | LRB104 07727 BDA 17772 b |
|
|
| 1 | | proprietary information; and availability, which means |
| 2 | | ensuring timely and reliable access to and use of information. |
| 3 | | "Incident" means an occurrence that: actually or |
| 4 | | imminently jeopardizes, without lawful authority, the |
| 5 | | confidentiality, integrity, or availability of information or |
| 6 | | an information system; or constitutes a violation or imminent |
| 7 | | threat of violation of law, security policies, security |
| 8 | | procedures, or acceptable use policies or standard security |
| 9 | | practices. |
| 10 | | "Information system" means a discrete set of information |
| 11 | | resources organized for the collection, processing, |
| 12 | | maintenance, use, sharing, dissemination, or disposition of |
| 13 | | information created or maintained by or for the State of |
| 14 | | Illinois. |
| 15 | | "Office" means the Office of the Statewide Chief |
| 16 | | Information Security Officer. |
| 17 | | "Secretary" means the Secretary of Innovation and |
| 18 | | Technology. |
| 19 | | "Security controls" means the management, operational, and |
| 20 | | technical controls (including safeguards and countermeasures) |
| 21 | | for an information system that protect the confidentiality, |
| 22 | | integrity, and availability of the system and its information. |
| 23 | | "State agency" means any State agency, department, board, |
| 24 | | and commission under the jurisdiction of the Governor to which |
| 25 | | the Department provides services. |
| 26 | | (Source: P.A. 100-611, eff. 7-20-18.)
|
|
| | HB1631 | - 14 - | LRB104 07727 BDA 17772 b |
|
|
| 1 | | (20 ILCS 1375/5-15) |
| 2 | | Sec. 5-15. Office of the Statewide Chief Information |
| 3 | | Security Officer. |
| 4 | | (a) The Office of the Statewide Chief Information Security |
| 5 | | Officer is established within the Department of Innovation and |
| 6 | | Technology. The Office is directly subordinate to the |
| 7 | | Secretary of Innovation and Technology. |
| 8 | | (b) The Office shall: |
| 9 | | (1) serve as the strategic planning, facilitation, and |
| 10 | | coordination office for information technology security in |
| 11 | | this State and as the lead and central coordinating entity |
| 12 | | to guide and oversee the information security functions of |
| 13 | | State agencies; |
| 14 | | (2) provide information security services to support |
| 15 | | the secure delivery of State agency services that utilize |
| 16 | | information systems and to assist State agencies with |
| 17 | | fulfilling their responsibilities under this Act; |
| 18 | | (3) conduct information and cybersecurity strategic, |
| 19 | | operational, and resource planning and facilitating an |
| 20 | | effective enterprise information security architecture |
| 21 | | capable of protecting the State; |
| 22 | | (4) identify information security risks to each State |
| 23 | | agency, to third-party providers, and to key supply chain |
| 24 | | partners, including an assessment of the extent to which |
| 25 | | information resources or processes are vulnerable to |
|
| | HB1631 | - 15 - | LRB104 07727 BDA 17772 b |
|
|
| 1 | | unauthorized access or harm, including the extent to which |
| 2 | | the State agency's or contractor's electronically stored |
| 3 | | information is vulnerable to unauthorized access, use, |
| 4 | | disclosure, disruption, modification, or destruction, and |
| 5 | | recommend risk mitigation strategies, methods, and |
| 6 | | procedures to reduce those risks. These assessments shall |
| 7 | | also include, but not be limited to, assessments of |
| 8 | | information systems, computers, printers, software, |
| 9 | | computer networks, interfaces to computer systems, mobile |
| 10 | | and peripheral device sensors, and other devices or |
| 11 | | systems which access the State's network, computer |
| 12 | | software, and information processing or operational |
| 13 | | procedures of the State agency or of a contractor of the |
| 14 | | State agency. |
| 15 | | (5) manage the response to information security and |
| 16 | | information security incidents involving State agency |
| 17 | | State of Illinois information systems and ensure the |
| 18 | | completeness of information system security plans for |
| 19 | | critical information systems; |
| 20 | | (6) conduct pre-deployment information security |
| 21 | | assessments for critical information systems and submit |
| 22 | | findings and recommendations to the Secretary and State |
| 23 | | agency heads; |
| 24 | | (7) develop and conduct targeted operational |
| 25 | | evaluations, including threat and vulnerability |
| 26 | | assessments on State agency information systems; |
|
| | HB1631 | - 16 - | LRB104 07727 BDA 17772 b |
|
|
| 1 | | (8) monitor and report compliance of each State |
| 2 | | agency's compliance agency with State information security |
| 3 | | policies, standards, and procedures; |
| 4 | | (9) coordinate statewide information security |
| 5 | | awareness and training programs; and |
| 6 | | (10) develop and execute other strategies as necessary |
| 7 | | to protect State agency's this State's information |
| 8 | | technology infrastructure and the data stored on or |
| 9 | | transmitted by such infrastructure. |
| 10 | | (c) The Office may temporarily suspend operation of an |
| 11 | | information system or information technology infrastructure |
| 12 | | that is owned, leased, outsourced, or shared by one or more |
| 13 | | State agencies in order to isolate the source of, or stop the |
| 14 | | spread of, an information security breach or other similar |
| 15 | | information security incident. State agencies shall comply |
| 16 | | with directives to temporarily discontinue or suspend |
| 17 | | operations of information systems or information technology |
| 18 | | infrastructure. |
| 19 | | (Source: P.A. 100-611, eff. 7-20-18.)
|
| 20 | | (20 ILCS 1375/5-25) |
| 21 | | Sec. 5-25. Responsibilities. |
| 22 | | (a) The Secretary shall: |
| 23 | | (1) appoint a Statewide Chief Information Security |
| 24 | | Officer pursuant to Section 5-20; |
| 25 | | (2) provide the Office with the staffing and resources |
|
| | HB1631 | - 17 - | LRB104 07727 BDA 17772 b |
|
|
| 1 | | deemed necessary by the Secretary to fulfill the |
| 2 | | responsibilities of the Office; |
| 3 | | (3) oversee statewide information security policies |
| 4 | | and practices for State agencies, including: |
| 5 | | (A) directing and overseeing the development, |
| 6 | | implementation, and communication of statewide |
| 7 | | information security policies, standards, and |
| 8 | | guidelines; |
| 9 | | (B) overseeing the education of State agency |
| 10 | | personnel regarding the requirement to identify and |
| 11 | | provide information security protections commensurate |
| 12 | | with the risk and magnitude of the harm resulting from |
| 13 | | the unauthorized access, use, disclosure, disruption, |
| 14 | | modification, or destruction of information in a |
| 15 | | critical information system; |
| 16 | | (C) overseeing the development and implementation |
| 17 | | of a statewide information security risk management |
| 18 | | program; |
| 19 | | (D) overseeing State agency compliance with the |
| 20 | | requirements of this Section; |
| 21 | | (E) coordinating Information Security policies and |
| 22 | | practices with related information and personnel |
| 23 | | resources management policies and procedures; and |
| 24 | | (F) providing an effective and efficient process |
| 25 | | to assist State agencies with complying with the |
| 26 | | requirements of this Act; and |
|
| | HB1631 | - 18 - | LRB104 07727 BDA 17772 b |
|
|
| 1 | | (4) subject to appropriation, establish a |
| 2 | | cybersecurity liaison program to advise and assist units |
| 3 | | of local government in identifying cyber threats, |
| 4 | | performing risk assessments, sharing best practices, and |
| 5 | | responding to cyber incidents. |
| 6 | | (b) The Statewide Chief Information Security Officer |
| 7 | | shall: |
| 8 | | (1) serve as the head of the Office and ensure the |
| 9 | | execution of the responsibilities of the Office as set |
| 10 | | forth in subsection (c) of Section 5-15, the Statewide |
| 11 | | Chief Information Security Officer shall also oversee |
| 12 | | State agency personnel with significant responsibilities |
| 13 | | for information security and ensure a competent workforce |
| 14 | | that keeps pace with the changing information security |
| 15 | | environment; |
| 16 | | (2) develop and recommend information security |
| 17 | | policies, standards, procedures, and guidelines to the |
| 18 | | Secretary for statewide adoption and monitor compliance |
| 19 | | with these policies, standards, guidelines, and procedures |
| 20 | | through periodic testing; |
| 21 | | (3) develop and maintain risk-based, cost-effective |
| 22 | | information security programs and control techniques to |
| 23 | | address all applicable security and compliance |
| 24 | | requirements throughout the life cycle of State agency |
| 25 | | information systems; |
| 26 | | (4) establish the procedures, processes, and |
|
| | HB1631 | - 19 - | LRB104 07727 BDA 17772 b |
|
|
| 1 | | technologies for State agencies to rapidly and effectively |
| 2 | | identify threats, risks, and vulnerabilities to State |
| 3 | | information systems, and ensure the prioritization of the |
| 4 | | remediation of vulnerabilities that pose risk to the |
| 5 | | State; |
| 6 | | (5) develop and implement capabilities and procedures |
| 7 | | for detecting, reporting, and responding to information |
| 8 | | security incidents; |
| 9 | | (6) establish and direct a statewide information |
| 10 | | security risk management program to identify information |
| 11 | | security risks in State agencies and deploy risk |
| 12 | | mitigation strategies, processes, and procedures; |
| 13 | | (7) establish the State's capability to sufficiently |
| 14 | | protect the security of data through effective information |
| 15 | | system security planning, secure system development, |
| 16 | | acquisition, and deployment, the application of protective |
| 17 | | technologies and information system certification, |
| 18 | | accreditation, and assessments; |
| 19 | | (8) ensure that State agency personnel, including |
| 20 | | contractors, are appropriately screened and receive |
| 21 | | information security awareness training; |
| 22 | | (9) convene meetings with State agency heads and other |
| 23 | | State officials to help ensure: |
| 24 | | (A) the ongoing communication of risk and risk |
| 25 | | reduction strategies, |
| 26 | | (B) effective implementation of information |
|
| | HB1631 | - 20 - | LRB104 07727 BDA 17772 b |
|
|
| 1 | | security policies and practices, and |
| 2 | | (C) the incorporation of and compliance with |
| 3 | | information security policies, standards, and |
| 4 | | guidelines into the policies and procedures of the |
| 5 | | State agencies; |
| 6 | | (10) provide operational and technical assistance to |
| 7 | | State agencies in implementing policies, principles, |
| 8 | | standards, and guidelines on information security, |
| 9 | | including implementation of standards promulgated under |
| 10 | | subparagraph (A) of paragraph (3) of subsection (a) of |
| 11 | | this Section, and provide assistance and effective and |
| 12 | | efficient means for State agencies to comply with the |
| 13 | | State agency requirements under this Act; |
| 14 | | (11) in coordination and consultation with the |
| 15 | | Secretary and the Governor's Office of Management and |
| 16 | | Budget, review State agency budget requests related to |
| 17 | | Information Security systems and provide recommendations |
| 18 | | to the Governor's Office of Management and Budget; |
| 19 | | (12) ensure the preparation and maintenance of plans |
| 20 | | and procedures to provide cyber resilience and continuity |
| 21 | | of operations for critical information systems that |
| 22 | | support the operations of the State; and |
| 23 | | (13) take such other actions as the Secretary may |
| 24 | | direct. |
| 25 | | (Source: P.A. 101-81, eff. 7-12-19; 102-753, eff. 1-1-23.)
|
|
| | HB1631 | - 21 - | LRB104 07727 BDA 17772 b |
|
|
| 1 | | (20 ILCS 1375/5-35 new) |
| 2 | | Sec. 5-35. Local government cybersecurity designee. The |
| 3 | | principal executive officer, or his or her designee, of each |
| 4 | | municipality with a population of 35,000 or greater and of |
| 5 | | each county shall designate a local official or employee as |
| 6 | | the primary point of contact for local cybersecurity issues. |
| 7 | | Each jurisdiction must provide the name and contact |
| 8 | | information of the cybersecurity designee to the Statewide |
| 9 | | Chief Information Security Officer and update the information |
| 10 | | as necessary. |