Okla. Stat. tit. 62, § 34.32
Security Risk Assessment - Reports - Exceptions
Effective Jul 1, 2009Laws 2006, HB 2935, c. 266, § 15, emerg. eff. July 1, 2006; Renumbered from 62 O.S. § 41.5v by Laws 2009, HB 2015, c. 441, § 64, emerg. eff. July 1, 2009.
- A. The Office of State Finance shall create a standard security risk assessment for state agency information technology systems that complies with the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) Information Technology - Code of Practice for Security Management (ISO/IEC 17799).
- B. Each state agency that has an information technology system shall annually conduct an information security risk assessment to identify vulnerabilities associated with the information system. A final report of the information security risk assessment shall be submitted by each state agency to the Office of State Finance by the first day of December of each year. The final information security risk assessment report shall identify, prioritize, and document information security vulnerabilities for each of the state agencies assessed. Failure to comply with the requirements of this subsection may result in funding being withheld from the agency. State agencies shall use either the standard security risk assessment created by the Office of State Finance or a third-party risk assessment meeting the ISO/IEC 17799 standards and using the National Institute of Standards and Technology Special Publication 800-30 (NIST SP800-30) process and approved by the Office of State Finance. The Office of State Finance shall approve not less than two firms which state agencies may choose from to conduct the information security risk assessment.
- C. The Office of State Finance shall report the results of the state agency assessments required pursuant to this section to the Governor, the Speaker of the House of Representatives, and the President Pro Tempore of the Senate by the first day of January of each year.
Laws 2006, HB 2935, c. 266, § 15, emerg. eff. July 1, 2006; Renumbered from 62 O.S. § 41.5v by Laws 2009, HB 2015, c. 441, § 64, emerg. eff. July 1, 2009.