This text of North Dakota § 54-10-29 (Audits of computer systems - Penalty) is published on Counsel Stack Legal Research, covering North Dakota primary law.
1. The state auditor may:
a. Pursuant to the powers and duties outlined in this chapter, conduct a review and
assessment of computer systems and related security systems. Computer
systems subject to this section include the computer systems of a state agency or
political subdivision that is subject to audit by the state auditor. Tests conducted in
connection with this review and assessment may include an assessment of
system vulnerability, network penetration, potential security breach, and
susceptibility to cyber attack or cyber fraud.
b. Disclose any findings to the chief information officer of the state or to any state
official or legislative committee. Working papers and preliminary drafts of reports
created in connection with the review of computer systems and the security of the
systems are exempt from section 44-04-18. Those parts of findings and working
papers that identify the methods of the state auditor or that may cause or
perpetuate vulnerability of the computer system reviewed are exempt from
section 44-04-18 and protected from disclosure until the state auditor directs
otherwise.
c. Procure the services of a specialist in information security systems or other
contractors deemed necessary in conducting a review under this section. The
procurement of these services is exempt from the requirements of chapter
54-44.4.
2. An outside contractor hired to provide services in the review of the security of a
computer system is subject to the confidentiality provisions of this section and section
44-04-27. Any individual who knowingly discloses confidential information is subject to
the provisions of section 12.1-13-01.
3. The state auditor shall notify the executive officer of any state agency of the date, time,
and location of any test conducted in connection with a review and assessment of
computer systems or related security systems. The executive officer or the officer's
designee may attend and observe any test during which confidential information may
be accessed or controlled.
4. The state auditor shall notify the attorney general of the date, time, and location of any
test conducted in connection with a review and assessment of computer systems or
related security systems. The attorney general may designate an individual to
participate in the test. The designee of the attorney general may order the test to be
terminated if the individual believes a sensitive system is being breached, a sensitive
system may be breached, or sensitive information may be revealed.
5. Notwithstanding any provision in chapter 32-12.2 to the contrary, if the attorney
general and the director of the office of management and budget determine it is in the
best interest of the state, the state auditor may agree to limit the liability of a contractor
performing a review and assessment under this section. The liability limitation must be
approved by the attorney general and director of the office of management and budget
in writing. For any uninsured losses, the director of the office of management and
budget may approve the risk management fund to assume all or part of the
contractor's liability to the state in excess of the limitation.
6. A state agency receiving federal tax information under section 6103 of the Internal
Revenue Code, as amended [26 U.S.C. 6103], in conjunction with the state auditor,
may enter a contract with the vendor selected by the state auditor under subdivision c
of subsection 1 to conduct a review and assessment of the state agency's computer
systems and related security systems, including an assessment of system
vulnerability, network penetration, potential security breach, and susceptibility to cyber
attack or cyber fraud.