| 30 | 27 | | |
|---|
| 31 | 28 | | STATE OF OKLAHOMA |
|---|
| 32 | 29 | | |
|---|
| 33 | 30 | | 2nd Session of the 58th Legislature (2022) |
|---|
| 34 | 31 | | |
|---|
| 35 | 32 | | HOUSE BILL 3067 By: Manger |
|---|
| 36 | 33 | | |
|---|
| 37 | 34 | | |
|---|
| 38 | 35 | | |
|---|
| 39 | 36 | | |
|---|
| 40 | 37 | | |
|---|
| 41 | 38 | | AS INTRODUCED |
|---|
| 42 | 39 | | |
|---|
| 43 | 40 | | An Act relating to public finance; amending 62 O.S. |
|---|
| 44 | 41 | | 2021, Section 34.32, which relates to state agency |
|---|
| 45 | 42 | | information technology systems; ma king certain |
|---|
| 46 | 43 | | provisions inapplicable to the Oklahoma State Bureau |
|---|
| 47 | 44 | | of Investigation; providing an effective date; and |
|---|
| 48 | 45 | | declaring an emergency. |
|---|
| 49 | 46 | | |
|---|
| 50 | 47 | | |
|---|
| 51 | 48 | | |
|---|
| 52 | 49 | | |
|---|
| 53 | 50 | | BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA: |
|---|
| 54 | 51 | | SECTION 1. AMENDATORY 62 O.S. 2021, Section 34.3 2, is |
|---|
| 55 | 52 | | amended to read as follo ws: |
|---|
| 56 | 53 | | Section 34.32 A. The Information Services Division of the |
|---|
| 57 | 54 | | Office of Management and Enterprise Services shall create a standard |
|---|
| 58 | 55 | | security risk assessment for st ate agency information technology |
|---|
| 59 | 56 | | systems that complies with t he International Organization for |
|---|
| 60 | 57 | | Standardization (ISO) and the International Electrotechnical |
|---|
| 61 | 58 | | Commission (IEC) Information Technology - Code of Practice for |
|---|
| 62 | 59 | | Security Management (ISO/IEC 27002). |
|---|
| 63 | 60 | | B. Each state agency that has an i nformation technology syst em |
|---|
| 64 | 61 | | shall obtain an information sec urity risk assessment to identify |
|---|
| 93 | 89 | | Information Services Division of the Office of Management and |
|---|
| 94 | 90 | | Enterprise Services shall approve not l ess than two firms which |
|---|
| 95 | 91 | | state agencies may choose from to c onduct the information security |
|---|
| 96 | 92 | | risk assessment. |
|---|
| 97 | 93 | | C. A state agency with an information technology system that is |
|---|
| 98 | 94 | | not consolidated under the Information Technol ogy Consolidation and |
|---|
| 99 | 95 | | Coordination Act or that is otherwise re tained by the agency shall |
|---|
| 100 | 96 | | additionally be required to have an information security audit |
|---|
| 101 | 97 | | conducted by a firm approved by the Information Services Division |
|---|
| 102 | 98 | | that is based upon the most current ve rsion of the NIST Cyber- |
|---|
| 103 | 99 | | Security Framework, and shall submit a final report of the |
|---|
| 104 | 100 | | information security risk assessment and information security audit |
|---|
| 105 | 101 | | findings to the Information Services Division each year on a |
|---|
| 106 | 102 | | schedule set by the Information Services Div ision. Agencies shall |
|---|
| 107 | 103 | | also submit a list of remedies and a ti meline for the repair of any |
|---|
| 108 | 104 | | deficiencies to the Information Services Division within ten (10) |
|---|
| 109 | 105 | | days of the completion of the audit. The final information security |
|---|
| 110 | 106 | | risk assessment report shall i dentify, prioritize, and document |
|---|
| 111 | 107 | | information security vulnera bilities for each of the state age ncies |
|---|
| 112 | 108 | | assessed. The Information Services Division may assist agencies in |
|---|
| 113 | 109 | | repairing any vulnerabilities to ensure compliance in a timely |
|---|
| 114 | 110 | | manner. |
|---|
| 144 | 139 | | results of the state agency assessments and information security |
|---|
| 145 | 140 | | audit findings required pursuant to this section to the Governor, |
|---|
| 146 | 141 | | the Speaker of the House of Representatives, and the President Pro |
|---|
| 147 | 142 | | Tempore of the Senate by the first day o f January of each year. Any |
|---|
| 148 | 143 | | state agency with an information technology system that is not |
|---|
| 149 | 144 | | consolidated under the Information Technology Consolidation and |
|---|
| 150 | 145 | | Coordination Act that cannot c omply with the provisions of this |
|---|
| 151 | 146 | | section shall consolidate under the Information Technology |
|---|
| 152 | 147 | | Consolidation and Coordination Act. |
|---|
| 153 | 148 | | E. This act shall not apply to state agencies subject to |
|---|
| 154 | 149 | | mandatory North American Electric Reliabili ty Corporation (NERC) |
|---|
| 155 | 150 | | cybersecurity standards and institutions within The Oklahoma State |
|---|
| 156 | 151 | | System of Higher Education, the Oklahoma State Bureau of |
|---|
| 157 | 152 | | Investigation (OSBI), the Oklahoma State Regents for Higher |
|---|
| 158 | 153 | | Education and the telecommunications network known as OneNet that |
|---|
| 159 | 154 | | follow the Internation al Organization for Stan dardization (ISO), the |
|---|
| 160 | 155 | | Oklahoma Military Department (OMD), and the International |
|---|
| 161 | 156 | | Electrotechnical Commission (IEC) -Security techniques-Code of |
|---|
| 162 | 157 | | Practice for Information Security Controls or Natio nal Institute of |
|---|
| 163 | 158 | | Standards and Technol ogy. |
|---|
| 164 | 159 | | SECTION 2. This act shall become eff ective July 1, 2022. |
|---|