A. The statewide information security and privacy office is established in the Arizona department of homeland security. The statewide information security and privacy office shall serve as the strategic planning, facilitation and coordination office for information security in this state. Individual budget units shall continue to maintain operational responsibility for information security.

Have a question?
Click here to chat with a criminal defense lawyer and protect your rights.

B. The director shall serve as or appoint the statewide chief information security officer to manage the statewide information security and privacy office. If other than the director, the statewide chief information security officer shall report to the director pursuant to section 41-4252.

C. The statewide information security and privacy office shall:

1. Develop, implement, maintain and ensure compliance for each budget unit with statewide information security policies and a coordinated statewide assurance plan for information security and privacy.

2. Direct information security and privacy protection compliance reviews for each budget unit to ensure compliance with policies, standards and effectiveness of information security assurance plans as necessary.

3. Identify information security and privacy protection risks in each budget unit and direct agencies to adopt risk mitigation strategies, methods and procedures to minimize the risks.

4. Monitor and report compliance of each budget unit with state information security and privacy protection policies, standards and procedures.

5. Coordinate statewide information security and privacy protection awareness and training programs.

6. Establish a state security operations center for central detection, reporting and response efforts for security incidents and breaches across the state.

7. Develop other strategies as necessary to protect this state’s information technology infrastructure and the data that is stored on or transmitted by the infrastructure.

8. Consult with the department of administration for a full review of the security aspects for information technology projects prescribed in section 18-104.

9. Operate the information security aspects of the enterprise-level infrastructure managed by the department of administration.

D. The statewide information security and privacy office may temporarily suspend operation of information infrastructure that is owned, leased, outsourced or shared to isolate the source of, or stop the spread of, an information security system breach or other similar incident. A budget unit and the department of administration, as applicable, shall comply with directives to temporarily discontinue or suspend operations of information infrastructure.

E. Each budget unit and its contractors shall identify and report security incidents to the statewide information security and privacy office immediately on discovery and deploy mitigation strategies as directed.

F. The Arizona department of homeland security may examine all books, papers, records and documents in the office of any budget unit and may require any state officer of the budget unit to provide the information or statements necessary to carry out this section.

G. Budget units shall demonstrate expertise to carry out security assurance plans, either by employing staff or contracting for outside services.

H. A budget unit may enter into an agreement with the department of administration or the Arizona department of homeland security to meet the requirements of this section.