2-15-114. Security responsibilities of departments for data and information technology resources. Each department head is responsible for ensuring an adequate level of security for all data and information technology resources within that department and shall:
     (1) develop and maintain written internal policies and procedures to ensure security of data and information technology resources. The internal policies and procedures are confidential information and exempt from public inspection, except that the information must be available to the legislative auditor in performing postauditing duties.
     (2) designate an information security manager to administer the department's security program for data and information technology resources;
     (3) implement appropriate cost-effective safeguards to reduce, eliminate, or recover from identified threats to data and information technology resources;
     (4) ensure that internal evaluations of the security program for data and information technology resources are conducted. The results of the internal evaluations are confidential and exempt from public inspection, except that the information must be available to the legislative auditor in performing postauditing duties.
     (5) include appropriate security requirements, as determined by the department, in the written specifications for the department's solicitation of data and information technology resources; and
     (6) include a general description of the existing security program and future plans for ensuring security of data and information technology resources in the agency information technology plan as provided for in 2-17-523.

     History: En. Sec. 2, Ch. 592, L. 1987; amd. Sec. 22, Ch. 313, L. 2001.