Assigned to TAT    FOR COMMITTEE

ARIZONA STATE SENATE

Fifty-Fifth Legislature, Second Regular Session

FACT SHEET FOR S.B. 1598

information technology; security; office

Purpose

Transfers administration of the Statewide Information Security and Privacy Office (Office) from the Arizona Department of Administration (ADOA) to the Arizona Department of Homeland Security (AZDOHS) and adjusts membership and requirements of the AZDOHS regional advisory councils.

Background

ADOA must develop, implement and maintain a coordinated statewide plan for information technology, monitor budget units and continuously study emergent technology and evaluate its impact on the state's system. The Office must serve as the strategic planning, facilitation and coordination office for information technology security and develop, implement, maintain and ensure compliance by each budget unit with a coordinated statewide assurance plan for information security and privacy (A.R.S. §§ 18-104 and 18-105).

The AZDOHS must formulate policies, plans and programs to enhance the ability to prevent and respond to acts of terrorism and other critical hazards. The AZDOHS must establish five councils, representing the north, east, south, west and central regions of Arizona. These regional advisory councils must support and assist in implementing Arizona's comprehensive statewide risk assessment and an integrated regional approach to homeland security (A.R.S. §§ 41-4254 and 41-4258).

There is no anticipated fiscal impact to the state General Fund associated with this legislation.

Provisions

1.   Establishes the Office within the AZDOHS to serve as the strategic planning, facilitation and coordination office.

2.   Specifies that individual budget units must continue to maintain operational responsibility for information security.

3.   Requires the Director of the AZDOHS to serve as or appoint the Statewide Chief Information Security Officer (CISO) to manage the Office.

4.   Requires, if appointed, the CISO to report to the Director of the AZDOHS.

5.   Requires the Office to:

a)   develop, implement, maintain and ensure compliance for each budget unit with statewide information security policies and a coordinated statewide assurance plan for information security and privacy;

b)   direct information security and privacy protection compliance reviews for each budget unit to ensure compliance with policies, standards and effectiveness of information security and privacy;

c)   identify information security and privacy protection risks in each budget unit and direct agencies to adopt risk mitigation strategies, methods and procedures to minimize the risks;

d)   monitor and report compliance of each budget unit with state information security and privacy protection policies, standards and procedures;

e)   coordinate statewide information security and privacy protection awareness and training programs;

f)   establish a State Security Operations Center for central detection, reporting and response efforts for security incidents and breaches across Arizona;

g)   develop other strategies as necessary to protect Arizona's information technology infrastructure and the data that is stored on or transmitted by the infrastructure;

h)   consult with ADOA for a full review of the security aspects for information technology projects; and

i)   operate the information security aspects of the enterprise-level infrastructure managed by ADOA.

6.   Allows the Office to temporarily suspend operation of information infrastructure that is owned, leased, outsourced or shared to isolate the source or spread of an information security system breach or other similar incident.

7.   Requires, in the case of a breach, a budget unit and ADOA to comply with directives to temporarily discontinue or suspend operations of information infrastructure.

8.   Requires each budget unit and its contractors to identify and report security incidents to the Office immediately on discovery and deploy mitigation strategies as directed.

9.   Allows the AZDOHS to examine all books, papers, records and documents in the office of any budget unit and to require any state officer of the budget unit to provide the information or statements necessary.

10.  Requires the budget units to demonstrate expertise to carry out security assurance plans, either by employing staff or contracting for outside services.

11.  Allows a budget unit to enter into an agreement with ADOA or the AZDOHS.

AZDOHS

12.  Adds background or experience in cybersecurity to the permissible eligibility requirements for appointment as Director of the AZDOHS.

13.  Adds cybersecurity threats to the acts for which the AZDOHS must formulate prevention and response policies, plans and programs.

14.  Requires the AZDOHS to adhere to all federal grant terms and conditions.

15.  Removes the requirements that the AZDOHS:

a)   develop a statewide homeland security strategy;

b)   coordinate with other state and federal agencies to publish a guide for grantees that receive homeland security monies;

c)   conduct preparedness training exercises to put state disaster plans into practice and identify shortcomings in the plans;

d)   assist in the development of regional response plans; and

e)   partner with and involve the private sector in preparedness efforts.

16.  Requires, by June 30 of each year, the homeland security allocation and expenditure report to include awards and expenditures for open grant projects.

17.  Repeals the AZDOHS Senior Advisory Committee and the Joint Legislative Committee on Border and Homeland Security.

CISO

18.  Allows the Director of the AZDOHS to appoint additional deputy directors.

19.  Exempts the CISO from covered service and the State Personnel Board.

20.  Adds, to the Information Technology Authorization Committee, the CISO or the Officer's designee.

AZDOHS Regional Advisory Councils

21.  Requires the AZDOHS to require reasonable distribution of area representation for a council.

22.  Decreases membership of a council to 12 members, rather than 14 members.

23.  Removes, from council membership, a mayor or mayor's proxy and a county supervisor or the supervisor's proxy.

24.  Allows a member to be represented on a council by a designated proxy, with the approval of the Director or the Deputy Director of the AZDOHS within a reasonable time frame before the meeting.

25.  Removes the requirement for a council member to submit a biographical sketch of experience and qualifications to the AZDOHS.

26.  Requires a council to meet on an as-needed basis to conduct business, rather than at least four times annually.

27.  Removes the requirement for a council to develop, implement and maintain regional homeland security strategies.

28.  Requires a council to encourage, rather than establish, baseline prevention and response capabilities through the region, rather than through anchor cities.

29.  Allows all persons serving as members of a council on the general effective date to continue to serve until the expiration of their normal terms.

ADOA

30.  Requires the ADOA to:

a)   consult with the Office when evaluating projects relating to the approved budget unit and technology plans;

b)   manage enterprise-level information technology infrastructure, except that the Office must manage the information security aspects of the infrastructure;

c)   develop strategies to protect the information technology infrastructure of Arizona and the data that is stored on or transmitted by the infrastructure; and

d)   temporarily suspend access to information technology infrastructure when directed by the AZDOHS and consult with the AZDOHS regarding security policies, standards and procedures.

31.  Repeals the Office within the ADOA.

Miscellaneous

32.  Removes security from the standards of information technology in the coordinated statewide plan for information technology.

33.  Adds identifying risks in each budget unit and directing agencies to adopt risk mitigation strategies, methods and procedures to minimize the risks into the statewide disaster recovery plan.

34.  Makes technical and conforming changes.

35.  Becomes effective on the general effective date.

Prepared by Senate Research

February 3, 2022

RA/sr