2-15-114. Security responsibilities of departments for data. Each department head is responsible for ensuring an adequate level of security for all data within that department and shall:
(1) develop and maintain written internal policies and procedures to ensure security of data. The internal policies and procedures are confidential information and exempt from public inspection, except that the information must be available to the legislative auditor in performing postauditing duties.
(2) designate an information security manager to administer the department's security program for data;
(3) implement appropriate cost-effective safeguards to reduce, eliminate, or recover from identified threats to data;
(4) ensure that internal evaluations of the security program for data are conducted. The results of the internal evaluations are confidential and exempt from public inspection, except that the information must be available to the legislative auditor in performing postauditing duties.
(5) include appropriate security requirements, as determined by the department, in the written specifications for the department's solicitation of data and information technology resources; and
(6) include a general description of the existing security program and future plans for ensuring security of data in the agency information technology plan as provided for in 2-17-523.