Reprinted

February 3, 2004





HOUSE BILL No. 1156

_____


DIGEST OF HB 1156 (Updated February 2, 2004 7:10 pm - DI 103)



Citations Affected: IC 4-23.

Synopsis: State information security management. Requires the state information technology oversight commission to appoint a group of individuals to develop a state information security policy. Requires the commission to appoint a director of information security to implement the policy. Requires each state agency and branch of state government to designate an information security liaison. Requires each state agency and branch of state government to implement the information security policy. Provides that the executive director of the information and technology oversight commissions serves as the chief information officer of Indiana. Requires the chief information officer to serve as director of the state information security policy group.

Effective: July 1, 2004.





Hasler, Pierce, Thomas, Austin




    January 13, 2004, read first time and referred to Committee on Technology, Research and Development.
    January 15, 2004, reassigned to Committee on Ways and Means.
    January 29, 2004, reported: Do Pass.
    February 2, 2004, read second time, amended, ordered engrossed.






Second Regular Session 113th General Assembly (2004)



HOUSE BILL No. 1156



    A BILL FOR AN ACT concerning state offices and administration.

Be it enacted by the General Assembly of the State of Indiana:

    SECTION 1. IC 4-23-16-4.1 IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2004]: Sec. 4.1. (a) The governor shall appoint an executive director of the commission who serves at the governor's pleasure. The commission shall advise the governor in the selection of the executive director. The executive director is the chief information officer of Indiana.
    (b) Subject to the approval of the commission, the executive director may do the following:
        (1) Employ staff necessary to advise and assist the commission as required by this chapter.
        (2) Fix compensation of staff according to the policies currently enforced by the budget agency and the state personnel department.
        (3) Engage experts and consultants to assist the commission.
        (4) Expend funds made available to the staff according to the policies established by the budget agency.
        (5) Establish policies, procedures, standards, and criteria necessary to carry out the duties of the staff of the commission.
    SECTION 2. IC 4-23-16-13 IS ADDED TO THE INDIANA CODE AS A NEW SECTION TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2004]: Sec. 13. (a) As used in this section, "director" refers to the director of information security designated under subsection (c).
    (b) The commission shall appoint a group to develop a state information security policy. The group appointed under this subsection must include the following:
        (1) A designee of the commissioner of the Indiana department of administration.
        (2) A designee of the director of the state personnel department.
        (3) A designee of the commission on public records.
        (4) An individual representing the separately elected state officials.
        (5) An individual representing state agencies.
        (6) The executive director of the legislative services agency.
        (7) An individual representing the judicial branch of state government.
        (8) The director.
The commission may appoint individuals to the group to represent other interests that the commission considers necessary for the development of the information security policy.
    (c) The commission shall designate the executive director of the commission as the director of information security for the state. The director shall do the following:
        (1) Direct the implementation of the information security policy.
        (2) Coordinate the information security policy with the information security liaisons.
        (3) Obtain resources and expertise relating to information security from state educational institutions.
        (4) Work with private sector telecommunications and technology companies to enhance the information security policy.
        (5) With the assistance of the state personnel department, develop and implement an education and awareness program to educate state employees about the state information security policy and how to implement the policy.
        (6) Apply for grants and other financial assistance relating to implementation of the information security policy.
        (7) Perform other duties relating to information security assigned by the commission.
    (d) Each state agency, the legislative branch of state government, and the judicial branch of state government shall appoint an employee to be the agency's or branch's information security liaison. The information security liaison is responsible for implementing the information security policy for the state agency or branch of government.
    (e) The information security policy must provide for the following:
        (1) Encryption of confidential information maintained by state government.
        (2) Specifications for software to provide daily audits and reports for each state agency and branch of state government to monitor compliance with the information security policy.
        (3) Requiring the purchase of information security products on a statewide basis rather than on an agency basis.
        (4) Recruiting to state employment individuals who have education in information security.
        (5) Contracting for professional services relating to information security.
        (6) Sharing information security expertise and resources with political subdivisions.
The information security policy must recognize the independence of each of the three (3) branches of state government.
    (f) Notwithstanding any other law, the information security policy developed under this section applies to the executive, including the administrative, the legislative, and the judicial branches of state government.