Req. No. 1176

STATE OF OKLAHOMA
1st Session of the 58th Legislature (2021)

SENATE BILL 570
By: Newhouse

AS INTRODUCED

An Act relating to public finance; amending 62 O.S. 2011, Section 34.32, as last amended by Section 1, Chapter 331, O.S.L. 2019 (62 O.S. Supp. 2020, Section 34.32), which relates to state agency information technology systems; making certain provisions inapplicable to the Military Department of the State of Oklahoma; providing an effective date; and declaring an emergency.

BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:

SECTION 1. AMENDATORY 62 O.S. 2011, Section 34.32, as last amended by Section 1, Chapter 331, O.S.L. 2019 (62 O.S. Supp. 2020, Section 34.32), is amended to read as follows:

Section 34.32. A. The Information Services Division of the Office of Management and Enterprise Services shall create a standard security risk assessment for state agency information technology systems that complies with the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) Information Technology - Code of Practice for Security Management (ISO/IEC 27002).

B. Each state agency that has an information technology system shall obtain an information security risk assessment to identify vulnerabilities associated with the information system. The Information Services Division of the Office of Management and Enterprise Services shall approve not less than two firms which state agencies may choose from to conduct the information security risk assessment.

C. A state agency with an information technology system that is not consolidated under the Information Technology Consolidation and Coordination Act or that is otherwise retained by the agency shall additionally be required to have an information security audit conducted by a firm approved by the Information Services Division that is based upon the most current version of the NIST Cyber-Security Framework, and shall submit a final report of the information security risk assessment and information security audit findings to the Information Services Division each year on a schedule set by the Information Services Division. Agencies shall also submit a list of remedies and a timeline for the repair of any deficiencies to the Information Services Division within ten (10) days of the completion of the audit. The final information security risk assessment report shall identify, prioritize, and document information security vulnerabilities for each of the state agencies assessed. The Information Services Division may assist agencies in repairing any vulnerabilities to ensure compliance in a timely manner.

D. Subject to the provisions of subsection C of Section 34.12 of this title, the Information Services Division shall report the results of the state agency assessments and information security audit findings required pursuant to this section to the Governor, the Speaker of the House of Representatives, and the President Pro Tempore of the Senate by the first day of January of each year. Any state agency with an information technology system that is not consolidated under the Information Technology Consolidation and Coordination Act that cannot comply with the provisions of this section shall consolidate under the Information Technology Consolidation and Coordination Act.

E. This act shall not apply to state agencies subject to mandatory North American Electric Reliability Corporation (NERC) cybersecurity standards and institutions within The Oklahoma State System of Higher Education, the Oklahoma State Regents for Higher Education and the telecommunications network known as OneNet that follow the International Organization for Standardization (ISO), the Military Department of the State of Oklahoma (OMD) and the International Electrotechnical Commission (IEC) - Security techniques - Code of Practice for Information Security Controls or National Institute of Standards and Technology.

SECTION 2. This act shall become effective July 1, 2021.

SECTION 3. It being immediately necessary for the preservation of the public peace, health or safety, an emergency is hereby declared to exist, by reason whereof this act shall take effect and be in full force from and after its passage and approval.

58-1-1176 MR 1/20/2021 6:50:14 PM