No. 27597 (New Rule): R365-300. Organization and Accountability for the Security of State Information Resources  

  • DAR File No.: 27597
    Filed: 12/22/2004, 07:28
    Received by: NL

     

    RULE ANALYSIS

    Purpose of the rule or reason for the change:

    This new rule re-establishes the State Information Security Committee (SISC) in rule, including membership and responsibilities.

     

    Summary of the rule or change:

    This rule formally defines the role and responsibilities of the Chief Information Security Officer within Information Technology Services (ITS), and the SISC.

     

    State statutory or constitutional authorization for this rule:

    Sections 63D-1a-305 and 63-46a-3

     

    Anticipated cost or savings to:

    the state budget:

    These functions currently exist in operations. This proposed new rule will have no budget impact.

     

    local governments:

    Local government is not affected by this rule. Therefore, there is no anticipated cost or savings to local government.

     

    other persons:

    This rule applies to executive branch agencies. No other person will be impacted.

     

    Compliance costs for affected persons:

    The roles implemented by this rule will have no compliance cost impact. These functions currently exist in operations.

     

    Comments by the department head on the fiscal impact the rule may have on businesses:

    Security is one of the most important issues we must deal with across the enterprise. The establishment of the SISC will help guide security policy for the State.

     

    The full text of this rule may be inspected, during regular business hours, at the Division of Administrative Rules, or at:

    Governor
    Planning and Budget, Chief Information Officer
    Room 116 STATE CAPITOL
    350 N STATE ST
    SALT LAKE CITY UT 84114-1103

     

    Direct questions regarding this rule to:

    Randy Hughes at the above address, by phone at 801-537-9071, by FAX at 801-538-1547, or by Internet E-mail at randyhughes@utah.gov

     

    Interested persons may present their views on this rule by submitting written comments to the address above no later than 5:00 p.m. on:

    02/14/2005

     

    This rule may become effective on:

    02/15/2005

     

    Authorized by:

    Val Oveson, Chief Information Officer

     

     

    RULE TEXT

    R365. Governor, Planning and Budget, Chief Information Officer.

    R365-300. Organization and Accountability for the Security of State Information Resources.

    R365-300-1. Purpose.

    Define organization and accountability related to the security of information resources for the State of Utah.

    The state of Utah's electronic information resources are vital assets, which require appropriate safeguards. Computer systems, networks, and data are vulnerable to a variety of threats. These threats have the potential to compromise the integrity, availability, and confidentiality of the information.

    Effective security management programs must be employed to appropriately eliminate or mitigate the risks posed by potential threats to state information resources. Measures shall be taken to protect these resources against unauthorized access, disclosure, modification, or destruction, whether accidental or deliberate.

     

    R365-300-2. Authority.

    This rule is issued by the Chief Information Officer under the authority of Section 63D-1a-305 of the Information Technology Act, and Section 63-46a-3 of the Utah Rulemaking Act, Utah Code.

     

    R365-300-3. Definitions.

    (1) "Confidential Information" means information that is protected from disclosure under the provisions of the Government Records and Management Act (GRAMA) or other applicable state or federal laws.

    (2) "Mission Critical Information" means information that is defined by any data owner to be essential to its function, and whose loss or untimely restoration would result in severe detrimental impact.

    (3) "Owner" means an agency that has statutory authority over information or data.

    (4) "Custodian" means an agency that provides operational support for an information system. The custodian has responsibility for implementing owner-defined controls and access privileges.

     

    R365-300-4. Scope of Application.

    (1) All agencies of the executive branch of state government including its administrative sub-units, except the State Board of Education, the Board of Regents, and institutions of higher education, are included within the scope of this rule.

     

    R365-300-5. Responsibilities and Authorities.

    (1) The CIO, in cooperation with the Director of Information Technology Services, shall designate a staff member to serve in the role of the Chief Information Security Officer (CISO) for the State.

    (2) The CISO shall have the following responsibilities:

    (a) Promote sharing of security information and alerts among state agencies;

    (b) Serve as the central point of contact on information security issues;

    (c) Create, maintain, and oversee the implementation of an information security strategy, which is approved by the CIO;

    (d) Review or recommend policy changes to address compliance with state and federal statutory, regulatory and contractual requirements;

    (e) Develop and administer guidelines, standards, and procedures on system and information classification and ownership;

    (f) Develop, establish, and maintain standards, procedures and guidelines to promote information security;

    (g) Provide, at least quarterly, a written information security report to the Director of ITS and the Chief Information Officer.

    (3) The Executive Director of each department or highest ranking official within an agency shall designate one person to serve as the agency information security officer (AISO) within 30 days following the effective date of this rule.

    (4) A State Information Security Committee (SISC) is created.

    (a) The SISC shall be composed of the following eight (8) representatives:

    (i) The CISO;

    (ii) The CIO, or designee;

    (iii) Three (3) members from the State IT Council selected by the CIO; one member will be rotated each year;

    (iv) Three (3) members from the Utah Security Users Group (USUG) selected by the CIO to three-year terms; one member shall rotate each year.

    (b) The CISO, or designee, shall chair the SISC.

    (c) ITS shall provide staff support to the SISC.

    (d) The SISC shall perform the following duties:

    (i) Promote sharing of security information and alerts among state agencies;

    (ii) Provide a mechanism for reviewing and providing coordination for resolving security issues among state agencies;

    (iii) Coordinate statewide efforts for development of security rules, policies, and guidelines;

    (iv) Assist agencies in the development of written security plans and incident management procedures;

    (v) Identify opportunities to improve security operations and best practices across the enterprise;

    (vi) Establish an overall statewide security plan and incident response plan;

    (vii) Submit an annual report on state information security to the CIO no later than September 30 of each year.

     

    R365-300-7. Rule Compliance Management.

    A state executive branch agency's executive director, upon becoming aware of a violation of this rule, shall institute measures designed to enforce this rule. The CIO may, where appropriate, monitor compliance and report to an agency's executive director any findings or violations of this rule.

     

    KEY: agency information security officer, chief information security officer, state information security committee

    2005

    63D-1a-305

    63-46a-3


Document Information

Effective Date:
2/15/2005
Publication Date:
01/15/2005
Filed Date:
12/22/2004
Agencies:
Governor, Planning and Budget, Chief Information Officer
Rulemaking Authority:

Sections 63D-1a-305 and 63-46a-3


Authorized By:
Val Oveson, Chief Information Officer
DAR File No.:
27597