| |||||
| |
| | | |
(1) On or before July 1, 2007, each public agency shall develop an information security plan utilizing the information security policies, standards, and guidelines developed by the chief information security officer. The information security plan shall provide information security for the communication and information resources that support the operations and assets of the public agency. |
||||
(2) The information security plan shall include: |
||||
(a) Periodic assessments of the risk and magnitude of the harm that could result from a security incident; |
||||
(b) A process for providing adequate information security for the communication and information resources of the public agency; |
||||
(c) Regularized security awareness training to inform the employees and users of the public agency's communication and information resources about information security risks and the responsibility of employees and users to comply with agency policies, standards, and procedures designed to reduce those risks; |
||||
(d) Periodic testing and evaluation of the effectiveness of information security for the public agency, which shall be performed not less than annually; |
||||
(e) A process for detecting, reporting, and responding to security incidents consistent with the information security standards, policies, and guidelines issued by the chief information security officer; and |
||||
(f) Plans and procedures to ensure the continuity of operations for information resources that support the operations and assets of the public agency in the event of a security incident. |
||||
(3) On or before July 15, 2007, each public agency shall submit the information security plan developed pursuant to this section to the chief information security officer for approval. |
||||
(4) In the event that a public agency fails to submit to the chief information security officer an information security plan on or before July 15, 2007, or such plan is disapproved by the chief information security officer, the officer shall notify the governor and the head and chief information officer of the public agency of noncompliance with this section. If no plan has been approved by September 15, 2007, the officer shall be authorized to temporarily discontinue or suspend the operation of a public agency's communication and information resources until such plan has been submitted to or is approved by the officer. |
||||
(5) An information security plan may provide for a phase-in period not to exceed three years. An implementation schedule for the phase-in period shall be included in such a plan. Any phase-in period pursuant to this subsection (5) shall be completed by July 1, 2009. |
||||
(6) On or before July 1, 2008, and on or before July 1 of each subsequent year, the executive director or head of each public agency shall report to the chief information security officer on the development, implementation, and, if applicable, compliance with the phase-in schedule of the public agency's information security plan. |
||||
Source: L. 2006: Entire part added, p. 1716, § 1, effective June 6. |
||||
| ||||
| | | | |