Okla. Stat. tit. 62, § 34.32
Security Risk Assessment - Reports - Exceptions
Effective Apr 5, 2010Laws 2006, HB 2935, c. 266, § 15, emerg. eff. July 1, 2006; Renumbered from 62 O.S. § 41.5v by Laws 2009, HB 2015, c. 441, § 64, emerg. eff. July 1, 2009; Amended by Laws 2009, HB 1170, c. 451, § 20, effective and operative on the effective date of the appointment of the first Chief Information Officer by the Governor as provided in Section 2 of Laws 2009, HB 1170, c. 451 [the Governor appointed the first Chief Information Officer effective April 5, 2010] (superseded document available); Amended by Laws 2012, HB 3079, c. 304, § 364 (superseded document available); Amended by Laws 2014, HB 2669, c. 285, § 1 (superseded document available).
- A. The Information Services Division of the Office of Management and Enterprise Services shall create a standard security risk assessment for state agency information technology systems that complies with the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) Information Technology - Code of Practice for Security Management (ISO/IEC 27002).
- B. Each state agency that has an information technology system shall obtain an information security risk assessment to identify vulnerabilities associated with the information system. Unless a state agency has internal expertise to conduct the risk assessment and can submit certification of such expertise along with the annual information security risk assessment, the risk assessment shall be conducted by a third party. The Information Services Division of the Office of Management and Enterprise Services shall approve not less than two firms which state agencies may choose from to conduct the information security risk assessment. A state agency with an information technology system that is not consolidated under the Information Technology Consolidation and Coordination Act or that is otherwise retained by the agency shall submit a final report of the information security risk assessment to the Information Services Division by the first day of December of each year. The final information security risk assessment report shall identify, prioritize, and document information security vulnerabilities for each of the state agencies assessed.
- C. The Information Services Division shall report the results of the state agency assessments required pursuant to this section to the Governor, the Speaker of the House of Representatives, and the President Pro Tempore of the Senate by the first day of January of each year.
Laws 2006, HB 2935, c. 266, § 15, emerg. eff. July 1, 2006; Renumbered from 62 O.S. § 41.5v by Laws 2009, HB 2015, c. 441, § 64, emerg. eff. July 1, 2009; Amended by Laws 2009, HB 1170, c. 451, § 20, effective and operative on the effective date of the appointment of the first Chief Information Officer by the Governor as provided in Section 2 of Laws 2009, HB 1170, c. 451 [the Governor appointed the first Chief Information Officer effective April 5, 2010] (superseded document available); Amended by Laws 2012, HB 3079, c. 304, § 364 (superseded document available); Amended by Laws 2014, HB 2669, c. 285, § 1 (superseded document available).