Okla. Stat. tit. 62, § 34.32
Security Risk Assessment - Reports - Exceptions
Effective Apr 5, 2010Laws 2006, HB 2935, c. 266, § 15, emerg. eff. July 1, 2006; Renumbered from 62 O.S. § 41.5v by Laws 2009, HB 2015, c. 441, § 64, emerg. eff. July 1, 2009; Amended by Laws 2009, HB 1170, c. 451, § 20, effective and operative on the effective date of the appointment of the first Chief Information Officer by the Governor as provided in Section 2 of Laws 2009, HB 1170, c. 451 [the Governor appointed the first Chief Information Officer effective April 5, 2010] (superseded document available).
- A. The Information Services Division of the Office of State Finance shall create a standard security risk assessment for state agency information technology systems that complies with the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) Information Technology - Code of Practice for Security Management (ISO/IEC 17799).
- B. Each state agency that has an information technology system shall annually conduct an information security risk assessment to identify vulnerabilities associated with the information system. A final report of the information security risk assessment shall be submitted by each state agency to the Information Services Division by the first day of December of each year. The final information security risk assessment report shall identify, prioritize, and document information security vulnerabilities for each of the state agencies assessed. Failure to comply with the requirements of this subsection may result in funding being withheld from the agency. State agencies shall use either the standard security risk assessment created by the Information Services Division or a third-party risk assessment meeting the ISO/IEC 17799 standards and using the National Institute of Standards and Technology Special Publication 800-30 (NIST SP800-30) process and approved by the Information Services Division. The Information Services Division shall approve not less than two firms which state agencies may choose from to conduct the information security risk assessment.
- C. The Information Services Division shall report the results of the state agency assessments required pursuant to this section to the Governor, the Speaker of the House of Representatives, and the President Pro Tempore of the Senate by the first day of January of each year.
Laws 2006, HB 2935, c. 266, § 15, emerg. eff. July 1, 2006; Renumbered from 62 O.S. § 41.5v by Laws 2009, HB 2015, c. 441, § 64, emerg. eff. July 1, 2009; Amended by Laws 2009, HB 1170, c. 451, § 20, effective and operative on the effective date of the appointment of the first Chief Information Officer by the Governor as provided in Section 2 of Laws 2009, HB 1170, c. 451 [the Governor appointed the first Chief Information Officer effective April 5, 2010] (superseded document available).