2-15-114. Security responsibilities of departments for data and information technology resources. Each department head is responsible for assuring an adequate level of security for all data and information technology resources within his department and shall:
     (1) develop and maintain written internal policies and procedures to assure security of data and information technology resources. The internal policies and procedures are confidential information and exempt from public inspection, except that such information must be available to the legislative auditor in performing his postauditing duties.
     (2) designate an information security manager to administer the department's security program for data and information technology resources;
     (3) implement appropriate cost-effective safeguards to reduce, eliminate, or recover from identified threats to data and information technology resources;
     (4) ensure internal evaluations of the security program for data and information technology resources are conducted. The results of such internal evaluations are confidential and exempt from public inspection, except that such information must be available to the legislative auditor in performing his postauditing duties.
     (5) include appropriate security requirements, as determined by the department, in the written specifications for the department's solicitation of data and information technology resources; and
     (6) maintain an information technology plan, including a general description of the existing security program and future plans for assuring security of data and information technology resources.

     History: En. Sec. 2, Ch. 592, L. 1987.