Reprinted
February 3, 2004
HOUSE BILL No. 1156
_____
DIGEST OF HB 1156
(Updated February 2, 2004 7:10 pm - DI 103)
Citations Affected: IC 4-23.
Synopsis: State information security management. Requires the state
information technology oversight commission to appoint a group of
individuals to develop a state information security policy. Requires the
commission to appoint a director of information security to implement
the policy. Requires each state agency and branch of state government
to designate an information security liaison. Requires each state agency
and branch of state government to implement the information security
policy. Provides that the executive director of the information and
technology oversight commissions serves as the chief information
officer of Indiana. Requires the chief information officer to serve as
director of the state information security policy group.
Effective: July 1, 2004.
January 13, 2004, read first time and referred to Committee on Technology, Research and
Development.
January 15, 2004, reassigned to Committee on Ways and Means.
January 29, 2004, reported _ Do Pass.
February 2, 2004, read second time, amended, ordered engrossed.
Reprinted
February 3, 2004
Second Regular Session 113th General Assembly (2004)
PRINTING CODE. Amendments: Whenever an existing statute (or a section of the Indiana
Constitution) is being amended, the text of the existing provision will appear in this style type,
additions will appear in
this style type, and deletions will appear in
this style type.
Additions: Whenever a new statutory provision is being enacted (or a new constitutional
provision adopted), the text of the new provision will appear in
this style type. Also, the
word
NEW will appear in that style type in the introductory clause of each SECTION that adds
a new provision to the Indiana Code or the Indiana Constitution.
Conflict reconciliation: Text in a statute in
this style type or
this style type reconciles conflicts
between statutes enacted by the 2003 Regular Session of the General Assembly.
HOUSE BILL No. 1156
A BILL FOR AN ACT concerning state offices and administration.
Be it enacted by the General Assembly of the State of Indiana:
SOURCE: IC 4-23-16-4.1; (04)HB1156.2.1. -->
SECTION 1. IC 4-23-16-4.1 IS AMENDED TO READ AS
FOLLOWS [EFFECTIVE JULY 1, 2004]: Sec. 4.1. (a) The governor
shall appoint an executive director of the commission who serves at the
governor's pleasure. The commission shall advise the governor in the
selection of the executive director. The executive director is the chief
information officer of Indiana.
(b) Subject to the approval of the commission, the executive director
may do the following:
(1) Employ staff necessary to advise and assist the commission as
required by this chapter.
(2) Fix compensation of staff according to the policies currently
enforced by the budget agency and the state personnel
department.
(3) Engage experts and consultants to assist the commission.
(4) Expend funds made available to the staff according to the
policies established by the budget agency.
(5) Establish policies, procedures, standards, and criteria
necessary to carry out the duties of the staff of the commission.
SOURCE: IC 4-23-16-13; (04)HB1156.2.2. -->
SECTION 2. IC 4-23-16-13 IS ADDED TO THE INDIANA CODE
AS A
NEW SECTION TO READ AS FOLLOWS [EFFECTIVE JULY
1, 2004]:
Sec. 13. (a) As used in this section, "director" refers to the
director of information security designated under subsection (c).
(b) The commission shall appoint a group to develop a state
information security policy. The group appointed under this
subsection must include the following:
(1) A designee of the commissioner of the Indiana department
of administration.
(2) A designee of the director of the state personnel
department.
(3) A designee of the commission on public records.
(4) An individual representing the separately elected state
officials.
(5) An individual representing state agencies.
(6) The executive director of the legislative services agency.
(7) An individual representing the judicial branch of state
government.
(8) The director.
The commission may appoint individuals to the group to represent
other interests that the commission considers necessary for the
development of the information security policy.
(c) The commission shall designate the executive director of the
commission as the director of information security for the state.
The director shall do the following:
(1) Direct the implementation of the information security
policy.
(2) Coordinate the information security policy with the
information security liaisons.
(3) Obtain resources and expertise relating to information
security from state educational institutions.
(4) Work with private sector telecommunications and
technology companies to enhance the information security
policy.
(5) With the assistance of the state personnel department,
develop and implement an education and awareness program
to educate state employees about the state information
security policy and how to implement the policy.
(6) Apply for grants and other financial assistance relating to
implementation of the information security policy.
(7) Perform other duties relating to information security
assigned by the commission.
(d) Each state agency, the legislative branch of state
government, and the judicial branch of state government shall
appoint an employee to be the agency's or branch's information
security liaison. The information security liaison is responsible for
implementing the information security policy for the state agency
or branch of government.
(e) The information security policy must provide for the
following:
(1) Encryption of confidential information maintained by
state government.
(2) Specifications for software to provide daily audits and
reports for each state agency and branch of state government
to monitor compliance with the information security policy.
(3) Requiring the purchase of information security products
on a statewide basis rather than on an agency basis.
(4) Recruiting to state employment individuals who have
education in information security.
(5) Contracting for professional services relating to
information security.
(6) Sharing information security expertise and resources with
political subdivisions.
The information security policy must recognize the independence
of each of the three (3) branches of state government.
(f) Notwithstanding any other law, the information security
policy developed under this section applies to the executive,
including the administrative, the legislative, and the judicial
branches of state government.