Introduced Version






HOUSE BILL No. 1156

_____


DIGEST OF INTRODUCED BILL



Citations Affected: IC 4-23-16-13.

Synopsis: State information security management. Requires the state information technology oversight commission to appoint a group of individuals to develop a state information security policy. Requires the commission to appoint a director of information security to implement the policy. Requires each state agency and branch of state government to designate an information security liaison. Requires each state agency and branch of state government to implement the information security policy.

Effective: July 1, 2004.





Hasler




    January 13, 2004, read first time and referred to Committee on Technology, Research and Development.







Introduced

Second Regular Session 113th General Assembly (2004)


PRINTING CODE. Amendments: Whenever an existing statute (or a section of the Indiana Constitution) is being amended, the text of the existing provision will appear in this style type, additions will appear in this style type, and deletions will appear in this style type.
Additions: Whenever a new statutory provision is being enacted (or a new constitutional provision adopted), the text of the new provision will appear in this style type. Also, the word NEW will appear in that style type in the introductory clause of each SECTION that adds a new provision to the Indiana Code or the Indiana Constitution.
Conflict reconciliation: Text in a statute in this style type or this style type reconciles conflicts between statutes enacted by the 2003 Regular Session of the General Assembly.

HOUSE BILL No. 1156



    A BILL FOR AN ACT concerning state offices and administration.

Be it enacted by the General Assembly of the State of Indiana:

SOURCE: IC 4-23-16-13; (04)IN1156.1.1. -->     SECTION 1. IC 4-23-16-13 IS ADDED TO THE INDIANA CODE AS A NEW SECTION TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2004]: Sec. 13. (a) As used in this section, "director" refers to the director of information security designated under subsection (c).
    (b) The commission shall appoint a group to develop a state information security policy. The group appointed under this subsection must include the following:
        (1) A designee of the commissioner of the Indiana department of administration.
        (2) A designee of the director of the state personnel department.
        (3) A designee of the commission on public records.
        (4) An individual representing the separately elected state officials.
        (5) An individual representing state agencies.
        (6) The executive director of the legislative services agency.
        (7) An individual representing the judicial branch of state government.
        (8) The director.
The commission may appoint individuals to the group to represent other interests that the commission considers necessary for the development of the information security policy.
    (c) The commission shall designate a member of the commission's staff as the director of information security for the state. The director shall do the following:
        (1) Direct the implementation of the information security policy.
        (2) Coordinate the information security policy with the information security liaisons.
        (3) Obtain resources and expertise relating to information security from state educational institutions.
        (4) Work with private sector telecommunications and technology companies to enhance the information security policy.
        (5) With the assistance of the state personnel department, develop and implement an education and awareness program to educate state employees about the state information security policy and how to implement the policy.
        (6) Apply for grants and other financial assistance relating to implementation of the information security policy.
        (7) Perform other duties relating to information security assigned by the commission.
    (d) Each state agency, the legislative branch of state government, and the judicial branch of state government shall appoint an employee to be the agency's or branch's information security liaison. The information security liaison is responsible for implementing the information security policy for the state agency or branch of government.
    (e) The information security policy must provide for the following:
        (1) Encryption of confidential information maintained by state government.
        (2) Specifications for software to provide daily audits and reports for each state agency and branch of state government to monitor compliance with the information security policy.
        (3) Requiring the purchase of information security products on a statewide basis rather than on an agency basis.
        (4) Recruiting to state employment individuals who have education in information security.
        (5) Contracting for professional services relating to

information security.
        (6) Sharing information security expertise and resources with political subdivisions.
The information security policy must recognize the independence of each of the three (3) branches of state government.
    (f) Notwithstanding any other law, the information security policy developed under this section applies to the executive, including the administrative, the legislative, and the judicial branches of state government.