282.318  Security of data and information technology resources.--

(1)  This section may be cited as the "Security of Data and Information Technology Resources Act."

(2)(a)  Each agency head is responsible and accountable for assuring an adequate level of security for all data and information technology resources of the agency and, to carry out this responsibility, shall, at a minimum:

1.  Designate an information security manager who shall administer the security program of the agency for its data and information technology resources.

2.  Conduct, and periodically update, a comprehensive risk analysis to determine the security threats to the data and information technology resources of the agency. The risk analysis information is confidential and exempt from the provisions of s. 119.07(1), except that such information shall be available to the Auditor General in performing his or her postauditing duties.

3.  Develop, and periodically update, written internal policies and procedures to assure the security of the data and information technology resources of the agency. The internal policies and procedures which, if disclosed, could facilitate the unauthorized modification, disclosure, or destruction of data or information technology resources are confidential information and exempt from the provisions of s. 119.07(1), except that such information shall be available to the Auditor General in performing his or her postauditing duties.

4.  Implement appropriate cost-effective safeguards to reduce, eliminate, or recover from the identified risks to the data and information technology resources of the agency.

5.  Ensure that periodic internal audits and evaluations of the security program for the data and information technology resources of the agency are conducted. The results of such internal audits and evaluations are confidential information and exempt from the provisions of s. 119.07(1), except that such information shall be available to the Auditor General in performing his or her postauditing duties.

6.  Include appropriate security requirements, as determined by the agency, in the written specifications for the solicitation of information technology resources.

(b)  In those instances in which the Department of Management Services develops state contracts for use by state agencies, the department shall include appropriate security requirements in the specifications for the solicitation for state contracts for procuring information technology resources.