§ 24-37.5-404 — Public agencies - information security plans

Colorado § 24-37.5-404

• Jurisdiction: Colorado
• Title 24: Government
• Art.: Office of Information Technology

Text

(1) On or before
July 1 of each year, in accordance with the rules promulgated by the office in
support of this part 4, each public agency shall develop an information security
plan utilizing the information security policies, standards, and guidelines developed
by the chief information security officer. The information security plan shall provide
information security for the communication and information resources that support
the operations and assets of the public agency.

(2) The information security plan shall include:

(a) Periodic assessments of the risk and magnitude of the harm that could
result from a security incident;

(b) A process for providing adequate information security for the
communication and information resources of the public agency;

(c) Regularized security awareness training to inform the employees and
users of the public agency's communication and information resources about
information security risks and the responsibility of employees and users to comply
with agency policies, standards, and procedures designed to reduce those risks;

(d) Periodic testing and evaluation of the effectiveness of information
security for the public agency, which shall be performed not less than annually;

(e) A process for detecting, reporting, and responding to security incidents
consistent with the information security standards, policies, and guidelines issued
by the chief information security officer; and

(f) Plans and procedures to ensure the continuity of operations for
information resources that support the operations and assets of the public agency
in the event of a security incident.

(3) On or before July 15 of each year, each public agency shall submit the
information security plan developed pursuant to this section to the chief
information security officer for approval.

(4) In the event that a public agency fails to submit to the chief information
security officer an information security plan on or before July 15 of each year or
such plan is disapproved by the chief information security officer, the officer shall
notify the governor, the chief information officer, and the head of the public agency
of noncompliance with this section. If no plan has been approved by September 15
of each year, the chief information security officer shall be authorized to
temporarily discontinue or suspend the operation of a public agency's
communication and information resources until such plan has been submitted to or
is approved by the officer.

(5) and (6) (Deleted by amendment, L. 2011, (SB 11-062), ch. 128, p. 430, � 7,
effective April 22, 2011.)

Legislative History

Source: L. 2006: Entire part added, p. 1716, � 1, effective June 6. L. 2011: (1), (3), (4), (5), and (6) amended, (SB 11-062), ch. 128, p. 430, � 7, effective April 22. L. 2021: (1) amended, (HB 21-1236), ch. 211, p. 1109, � 11, effective September 7.