§ 22-13-10. Audit of information security systems.
(a) The general assembly recognizes that the security of government computer systems is
essential to ensuring the stability and integrity of vital information gathered and
stored by government for the benefit of the citizenry and the breach of security over
computer systems presents a risk to the health, safety, and welfare of the public.
It is the intent of the legislature to insure that government computer systems and
information residing on these systems are protected from unauthorized access, compromise,
sabotage, hacking, viruses, destruction, illegal use, cyber attack or any other act
which might jeopardize or harm the computer systems and the information stored on
them.
(b) In conjunction with the powers and duties outlined in this chapter, the auditor general
may conduct reviews and assessments of the various government computer systems and
the security systems established to safeguard these computer systems. Computer systems
subject to this section shall include systems which pertain to federal, state, or
local programs, and quasi-governmental bodies, and the computer systems of any entity
or program which is subject to audit by the office of the auditor general. The auditor
general's review may include an assessment of system vulnerability, network penetration,
potential security breaches, and susceptibility to cyber attack and cyber fraud.
(c) In the event the review by the auditor general indicates a computer system is vulnerable,
or security over the system is lacking, those findings shall not be disclosed publicly
and shall not be considered public records. Notwithstanding any other provision of
law to the contrary, the workpapers developed in connection with the review of the
computer system and the security over the system shall not be deemed public records
and are not subject to disclosure. The auditor general's findings may be disclosed
at the discretion of the auditor general to the chief information officer of the state
as well as the joint committee on legislative services. Unless the auditor general
authorizes the release of information or findings gathered in the conduct of a review
of computer system security, all such information shall be deemed classified, confidential,
secret, and non-public.
(d) In order to maintain the integrity of the computer system, the auditor general may
procure the services of specialists in information security systems or other contractors
deemed necessary in conducting reviews under this section, and in procuring those
services shall be exempt from the requirements of the state purchasing law or regulation.
(e) Any outside contractor or vendor hired to provide services in the review of the security
of a computer system shall be bound by the confidentiality provisions of this section.