8592.30.
As used in this article, the following definitions shall apply:
(a) “Critical infrastructure controls” means networks and systems controlling assets so vital to the state that the incapacity or destruction of those networks, systems, or assets would have a debilitating impact on public health, safety, economic security, or any combination thereof.
(b) “Critical infrastructure information” means information not customarily in the public domain pertaining to any of the following:
(1) Actual, potential, or threatened interference with, or an attack on, compromise of, or incapacitation of critical infrastructure controls by either physical or computer-based attack or other similar conduct, including, but not limited to, the misuse of, or unauthorized access to, all types of communications and data transmission systems, that violates federal, state, or local law or harms public health, safety, or economic security, or any combination thereof.
(2) The ability of critical infrastructure controls to resist any interference, compromise, or incapacitation, including, but not limited to, any planned or past assessment or estimate of the vulnerability of critical infrastructure.
(3) Any planned or past operational problem or solution regarding critical infrastructure controls, including, but not limited to, repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to interference, compromise, or incapacitation of critical infrastructure controls.
(c) “Department” means the Department of Technology.
(d) “Office” means the Office of Emergency Services.
(e) “Secretary” means the secretary of each state agency as set forth in subdivision (a) of Section 12800.
(f) “State agency” or “state agencies” means the same as “state agency” as set forth in Section 11000.
8592.35.
(a) (1) On or before July 1, 2018, the department shall, in consultation with the office and compliance with Section 11549.3, update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information.
(2) In updating the standards in paragraph (1), the department shall consider, but not be limited to considering, all of the following:
(A) Costs to implement the standards.
(B) Security of critical infrastructure information.
(C) Centralized management of risk.
(D) Industry best practices.
(E) Continuity of operations.
(F) Protection of personal information.
(b) Each state agency shall provide the department with a copy of its updated Technology Recovery Plan.
8592.40.
(a) Each state agency shall report on its compliance with the standards updated pursuant to Section 8592.35 to the department in the manner and at the time directed by the department, but no later than July 1, 2019.
(b) The department, in conjunction with the office, may provide suggestions for a state agency to improve compliance with the standards developed pursuant to Section 8592.35, if any, to the head of the state agency and the secretary responsible for the state agency. For a state agency that is not under the responsibility of a secretary, the department shall provide any suggestions to the head of the state agency and the Governor.
8592.45.
The information required by subdivision (b) of Section 8592.35, the report required by subdivision (a) of Section 8592.40, and any public records relating to any communication made pursuant to, or in furtherance of the purposes of, subdivision (b) of Section 8592.40 are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).