Session Laws of Colorado 2006
Second Regular Session, 65th General Assembly

 

 

 

CHAPTER 344


_______________


GOVERNMENT - STATE

_______________



HOUSE BILL 06-1157


BY REPRESENTATIVE(S) Coleman, Buescher, Garcia, Marshall, Romanoff, Stengel, White, Frangas, Hall, McFadyen, Paccione, Penry, Rose, Stafford, Berens, and Green;

also SENATOR(S) May R., Williams, Entz, Fitz-Gerald, Jones, Owen, Taylor, and Teck.




AN ACT


Concerning the security of communication and information resources in public agencies, and making an appropriation in connection therewith.



Be it enacted by the General Assembly of the State of Colorado:

 

  SECTION 1.  Article 37.5 of title 24, Colorado Revised Statutes, is amended BY THE ADDITION OF A NEW PART to read:

 

PART 4

INFORMATION SECURITY

 

  24-37.5-401.  Legislative declaration. (1)  The general assembly hereby finds, determines, and declares that:

 

  (a)  Communication and information resources in the various public agencies of the state are strategic and vital assets belonging to the people of Colorado. Coordinated efforts and a sense of urgency are necessary to protect these assets against unauthorized access, disclosure, use, and modification or destruction, whether accidental or deliberate, as well as to assure the confidentiality, integrity, and availability of information.

 

  (b)  State government has a duty to Colorado's citizens to ensure that the information the citizens have entrusted to public agencies is safe, secure, and protected from unauthorized access, unauthorized use, or destruction.

 

  (c)  Securing the state's communication and information resources is a statewide imperative requiring a coordinated and shared effort from all departments, agencies, and political subdivisions of the state and a long term commitment to state funding that ensures the success of such efforts.

 

  (d)  Risks to communication and information resources must be managed, and the integrity of data and the source, destination, and processes applied to data must be assured.

 

  (e)  Information security standards, policies, and guidelines must be promulgated and implemented throughout public agencies to ensure the development and maintenance of minimum information security controls to protect communication and information resources that support the operations and assets of those agencies.

 

  (f)  The extensive information security expertise in Colorado's private sector should be utilized for the long-term benefit of Colorado's citizens and public agencies.

 

  24-37.5-402.  Definitions. As used in this part 4, unless the context otherwise requires:

 

  (1)  "Availability" means the timely and reliable access to and use of information created, generated, collected, or maintained by a public agency.

 

  (2)  "Communication and information resources" shall have the same meaning as provided in section 24-37.5-102 (1).

 

  (3)  "Confidentiality" means the preservation of authorized restrictions on information access and disclosure, including the means for protecting personal privacy and proprietary information.

 

  (4)  "Department of higher education" means the Colorado commission on higher education, collegeinvest, the Colorado student loan program, the Colorado college access network, the private occupational school division, the state historical society, and the state council on the arts.

 

  (5)  "Information security" means the protection of communication and information resources from unauthorized access, use, disclosure, disruption, modification, or destruction in order to:

 

  (a)  Prevent improper information modification or destruction;

 

  (b)  Preserve authorized restrictions on information access and disclosure;

 

  (c)  Ensure timely and reliable access to and use of information; and

 

  (d)  Maintain the confidentiality, integrity, and availability of information.

 

  (6)  "Information security plan" means the plan developed by a public agency pursuant to section 24-37.5-404.

 

  (7)  "Institution of higher education" means a state-supported institution of higher education.

 

  (8)  "Integrity" means the prevention of improper information modification or destruction and ensuring information nonrepudiation and authenticity.

 

  (9)  "Public agency" means every state office, whether legislative, executive, or judicial, and all of its respective offices, departments, divisions, commissions, boards, bureaus, and institutions. "Public agency" does not include institutions of higher education or the department of higher education.

 

  (10)  "Security incident" means an accidental or deliberate event that results in or constitutes an imminent threat of the unauthorized access, loss, disclosure, modification, disruption, or destruction of communication and information resources.

 

  24-37.5-403.  Chief information security officer - duties and responsibilities. (1)  The governor shall appoint a chief information security officer who shall serve at the pleasure of the governor. The officer shall exhibit a background and expertise in security and risk management for communications and information resources. In the event the officer is unavailable to perform the duties and responsibilities under this part 4, all powers and authority granted to the officer may be exercised by the chief technology officer in the office of innovation and technology.

 

  (2)  The chief information security officer shall:

 

  (a)  Develop and update information security policies, standards, and guidelines for public agencies;

 

  (b)  Promulgate rules pursuant to article 4 of this title containing information security policies, standards, and guidelines for such agencies on or before December 31, 2006;

 

  (c)  Ensure the incorporation of and compliance with information security policies, standards, and guidelines in the information security plans developed by public agencies pursuant to section 24-37.5-404;

 

  (d)  Direct information security audits and assessments in public agencies in order to ensure program compliance and adjustments;

 

  (e)  Establish and direct a risk management process to identify information security risks in public agencies and deploy risk mitigation strategies, processes, and procedures;

 

  (f)  Approve or disapprove and review annually the information security plans of public agencies;

 

  (g)  Conduct information security awareness and training programs;

 

  (h)  In coordination and consultation with the office of state planning and budgeting and the chief technology officer, review public agency budget requests related to information security systems and approve such budget requests for state agencies other than the legislative department; and

 

  (i)  Coordinate with the Colorado commission on higher education for purposes of reviewing and commenting on information security plans adopted by institutions of higher education that are submitted pursuant to section 24-37.5-404.5 (3).

 

  (3)  For the state fiscal year commencing on July 1, 2006, the cost of the services provided by the chief information security officer to public agencies in administering this part 4 shall be paid from federal funds received by the state for such purposes. It is the intent of the general assembly that the cost of the services provided by the chief information security officer to a public agency be adequately funded in fiscal years commencing on and after July 1, 2007, through an appropriation to the public agency to pay for such services.

 

  24-37.5-404.  Public agencies - information security plans. (1)  On or before July 1, 2007, each public agency shall develop an information security plan utilizing the information security policies, standards, and guidelines developed by the chief information security officer. The information security plan shall provide information security for the communication and information resources that support the operations and assets of the public agency.

 

  (2)  The information security plan shall include:

 

  (a)  Periodic assessments of the risk and magnitude of the harm that could result from a security incident;

 

  (b)  A process for providing adequate information security for the communication and information resources of the public agency;

 

  (c)  Regularized security awareness training to inform the employees and users of the public agency's communication and information resources about information security risks and the responsibility of employees and users to comply with agency policies, standards, and procedures designed to reduce those risks;

 

  (d)  Periodic testing and evaluation of the effectiveness of information security for the public agency, which shall be performed not less than annually;

 

  (e)  A process for detecting, reporting, and responding to security incidents consistent with the information security standards, policies, and guidelines issued by the chief information security officer; and

 

  (f)  Plans and procedures to ensure the continuity of operations for information resources that support the operations and assets of the public agency in the event of a security incident.

 

  (3)  On or before July 15, 2007, each public agency shall submit the information security plan developed pursuant to this section to the chief information security officer for approval.

 

  (4)  In the event that a public agency fails to submit to the chief information security officer an information security plan on or before July 15, 2007, or such plan is disapproved by the chief information security officer, the officer shall notify the governor and the head and chief information officer of the public agency of noncompliance with this section. If no plan has been approved by September 15, 2007, the officer shall be authorized to temporarily discontinue or suspend the operation of a public agency's communication and information resources until such plan has been submitted to or is approved by the officer.

 

  (5)  An information security plan may provide for a phase-in period not to exceed three years. An implementation schedule for the phase-in period shall be included in such a plan. Any phase-in period pursuant to this subsection (5) shall be completed by July 1, 2009.

 

  (6)  On or before July 1, 2008, and on or before July 1 of each subsequent year, the executive director or head of each public agency shall report to the chief information security officer on the development, implementation, and, if applicable, compliance with the phase-in schedule of the public agency's information security plan.

 

  24-37.5-404.5.  Institutions of higher education - information security plans. (1)  On or before July 1, 2007, each institution of higher education, in coordination with the Colorado commission on higher education, shall develop an information security plan. The information security plan shall provide information security for the communication and information resources that support the operations and assets of the institution of higher education.

 

  (2)  The information security plan shall include:

 

  (a)  Periodic assessments of the risk and magnitude of the harm that could result from a security incident;

 

  (b)  A process for providing adequate information security for the communication and information resources of the institution of higher education;

 

  (c)  Information security awareness training for employees of the institution of higher education;

 

  (d)  Periodic testing and evaluation of the effectiveness of information security for the institution of higher education, which shall be performed not less than annually;

 

  (e)  A process for detecting, reporting, and responding to security incidents consistent with the information security policy of the institution of higher education. The institutions of higher education, the Colorado commission on higher education, and the chief information security officer shall establish the terms and conditions by which the institutions of higher education and the department of higher education shall report information security incidents to the chief information security officer.

 

  (f)  Plans and procedures to ensure the continuity of operations for information resources that support the operations and assets of the institution of higher education in the event of a security incident.

 

  (3)  On or before July 15, 2007, each institution of higher education shall submit the information security plan developed pursuant to this section to the Colorado commission on higher education for review and comment. The commission shall submit such plans to the chief information security officer.

 

  (4)  Nothing in this section shall be construed to require any institution of higher education or the department of higher education to adopt policies or standards that conflict with federal law, rules, or regulations or with contractual arrangements governed by federal laws, rules, or regulations.

 

  (5)  An information security plan may provide for a phase-in period not to exceed three years. An implementation schedule for the phase-in period shall be included in such a plan. Any phase-in period pursuant to this subsection (5) shall be completed by July 1, 2009.

 

  (6)  On or before July 1, 2008, and on or before July 1 of each subsequent year, the executive director of the department of higher education shall report to the chief information security officer on the development, implementation, and, if applicable, compliance with the phase-in schedule of the information security plan for each institution of higher education.

 

  (7)  The Colorado commission on higher education shall require the institutions of higher education to provide regularized security awareness training to inform the employees, administrators, and users in those institutions about the information security risks and the responsibility of employees, administrators, and users to comply with the institution's information security plan and the policies, standards, and procedures designed to reduce those risks.

 

  24-37.5-405.  Security incidents - authority of chief information security officer. (1)  A security incident in a public agency shall be reported to the chief information security officer in accordance with state incident reporting policies, standards, and guidelines.

 

  (2)  The chief information security officer shall be authorized to temporarily discontinue or suspend the operation of a public agency's communication and information resources in order to isolate the source of a security incident. The officer shall give notice to the governor, or the lieutenant governor in the event the governor is not available, and the head and chief information officer of the public agency concurrent with such discontinuation or suspension of operations. The officer shall ensure, to the extent possible, the continuity of operations for the communication and information resources that support the operations and assets of the public agency.

 

  (3)  The chief information security officer may enter into contracts with a private person or entity to assist with resolving a security incident in a public agency. The officer shall establish an approved list of certified private persons and entities that may provide contract services in the event of a security incident. The officer shall establish criteria for the placement of private persons and entities on the list and shall select such persons and entities for placement on the list utilizing a request for proposals containing such criteria.

 

  (4)  Public agencies shall comply and cooperate with a directive of the chief information security officer pursuant to subsection (2) of this section to temporarily discontinue or suspend the operation of a public agency's communication and information resources.

 

  24-37.5-406.  Reporting. The chief information security officer shall report to the governor and the commission on information management on a quarterly basis concerning the implementation of the provisions of this part 4.

 

  SECTION 2.  24-72-202 (6) (b), Colorado Revised Statutes, is amended BY THE ADDITION OF THE FOLLOWING NEW SUBPARAGRAPHS to read:

 

  24-72-202.  Definitions. As used in this part 2, unless the context otherwise requires:

 

  (6) (b)  "Public records" does not include:

 

  (X)  The information security plan of a public agency developed pursuant to section 24-37.5-404;

 

  (XI)  Information security incident reports prepared pursuant to section 24-37.5-404 (2) (e); or

 

  (XII)  Information security audit and assessment reports prepared pursuant to section 24-37.5-403 (2) (d).

 

  SECTION 3.  Appropriation. The general assembly anticipates that, for the fiscal year beginning July 1, 2006, the office of the governor will receive the sum of four million two hundred thousand dollars ($4,200,000) in federal funds and 1.0 FTE, for the implementation of this act. Although these funds are not appropriated in this act, they are noted for the purpose of indicating the assumptions used relative to these funds.

 

  SECTION 4.  Safety clause. The general assembly hereby finds, determines, and declares that this act is necessary for the immediate preservation of the public peace, health, and safety.

 

Approved: June 6, 2006

 

----------

Capital letters indicate new material added to existing statutes; dashes through words indicate deletions from existing statutes and such material not part of act.




Office of Legislative Legal Services, State Capitol Building, Room 091, Denver, Colorado 80203-1782