LegalFix

§62-34.32. Standard security risk assessment and audit of state agency information technology systems.

62 OK Stat § 62-34.32 (2019) (N/A)

A. The Information Services Division of the Office of Management and Enterprise Services shall create a standard security risk assessment for state agency information technology systems that complies with the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) Information Technology - Code of Practice for Security Management (ISO/IEC 27002).

B. Each state agency that has an information technology system shall obtain an information security risk assessment to identify vulnerabilities associated with the information system. The Information Services Division of the Office of Management and Enterprise Services shall approve not less than two firms which state agencies may choose from to conduct the information security risk assessment.

C. A state agency with an information technology system that is not consolidated under the Information Technology Consolidation and Coordination Act or that is otherwise retained by the agency shall additionally be required to have an information security audit conducted by a firm approved by the Information Services Division that is based upon the most current version of the NIST Cyber-Security Framework, and shall submit a final report of the information security risk assessment and information security audit findings to the Information Services Division each year on a schedule set by the Information Services Division. Agencies shall also submit a list of remedies and a timeline for the repair of any deficiencies to the Information Services Division within ten (10) days of the completion of the audit. The final information security risk assessment report shall identify, prioritize, and document information security vulnerabilities for each of the state agencies assessed. The Information Services Division may assist agencies in repairing any vulnerabilities to ensure compliance in a timely manner.

D. Subject to the provisions of subsection C of Section 34.12 of this title, the Information Services Division shall report the results of the state agency assessments and information security audit findings required pursuant to this section to the Governor, the Speaker of the House of Representatives, and the President Pro Tempore of the Senate by the first day of January of each year. Any state agency with an information technology system that is not consolidated under the Information Technology Consolidation and Coordination Act that cannot comply with the provisions of this section shall consolidate under the Information Technology Consolidation and Coordination Act.

E. This act shall not apply to state agencies subject to mandatory North American Electric Reliability Corporation (NERC) cybersecurity standards and institutions within The Oklahoma State System of Higher Education, the Oklahoma State Regents for Higher Education and the telecommunications network known as OneNet that follow the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)-Security techniques-Code of Practice for Information Security Controls or National Institute of Standards and Technology.

Added by Laws 2006, c. 266, § 15, eff. July 1, 2006. Renumbered from § 41.5v of this title by Laws 2009, c. 441, § 64, eff. July 1, 2009. Amended by Laws 2009, c. 451, § 20, eff. April 5, 2010; Laws 2012, c. 304, § 364; Laws 2014, c. 285, § 1; Laws 2019, c. 331, § 1, eff. Nov. 1, 2019.

NOTE: Laws 2009, c. 451, § 26, provides: "The provisions of Sections 3 through 15, 17 through 20, 22 and 23 of this act shall be effective and shall become operative on the effective date of the appointment of the first Chief Information Officer by the Governor as provided for in Section 2 of this act." The first Chief Information Officer was appointed by the Governor on April 5, 2010.
