282.318  Security of data and information technology resources.--

(1)  This section may be cited as the "Security of Data and Information Technology Resources Act."

(2)(a)  The State Technology Office, in consultation with each agency head, is responsible and accountable for assuring an adequate level of security for all data and information technology resources of each agency and, to carry out this responsibility, shall, at a minimum:

1.  Designate an information security manager who shall administer the security program of each agency for its data and information technology resources.

2.  Conduct, and periodically update, a comprehensive risk analysis to determine the security threats to the data and information technology resources of each agency. The risk analysis information is confidential and exempt from the provisions of s. 119.07(1), except that such information shall be available to the Auditor General in performing his or her postauditing duties.

3.  Develop, and periodically update, written internal policies and procedures to assure the security of the data and information technology resources of each agency. The internal policies and procedures which, if disclosed, could facilitate the unauthorized modification, disclosure, or destruction of data or information technology resources are confidential information and exempt from the provisions of s. 119.07(1), except that such information shall be available to the Auditor General in performing his or her postauditing duties.

4.  Implement appropriate cost-effective safeguards to reduce, eliminate, or recover from the identified risks to the data and information technology resources of each agency.

5.  Ensure that periodic internal audits and evaluations of each security program for the data and information technology resources of the agency are conducted. The results of such internal audits and evaluations are confidential information and exempt from the provisions of s. 119.07(1), except that such information shall be available to the Auditor General in performing his or her postauditing duties.

6.  Include appropriate security requirements, as determined by the State Technology Office, in consultation with each agency head, in the written specifications for the solicitation of information technology resources.

(b)  In those instances in which the State Technology Office develops state contracts for use by state agencies, the office shall include appropriate security requirements in the specifications for the solicitation for state contracts for procuring information technology resources.