Sec. 17. A licensee shall conduct a risk assessment of its information systems and treatment of nonpublic information by doing the following:

(1) Designating one (1) or more employees, an affiliate, or an outside vendor designated to act on behalf of the licensee information security program.

Terms Used In Indiana Code 27-2-27-17

  • cybersecurity event: means an event resulting in unauthorized access to or a disruption or misuse of an information system or nonpublic information stored on the information system that has a reasonable likelihood of materially harming a consumer or any material part of the normal operations of the licensee. See Indiana Code 27-2-27-5
  • information security program: means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information. See Indiana Code 27-2-27-8
  • licensee: means a person that is: See Indiana Code 27-2-27-10
  • nonpublic information: means electronic information that is not publicly available information and is described in either of the following subdivisions: See Indiana Code 27-2-27-12

  • risk assessment: means the assessment a licensee is required to conduct under section 17 of this chapter. See Indiana Code 27-2-27-14
  • Year: means a calendar year, unless otherwise expressed. See Indiana Code 1-1-4-5

(2) Identifying reasonably foreseeable internal or external threats that could result in a cybersecurity event, including threats to information systems and nonpublic information held or accessed by third party service providers.

(3) Assessing the likelihood and potential damage of the threats identified in subdivision (2), taking into consideration the sensitivity of the nonpublic information.

(4) Assessing the sufficiency of the policies, procedures, information systems, and other safeguards currently in place to manage the threats identified in subdivision (2), including an assessment of threats in each relevant area of the licensee’s operations, including the following:

(A) Employee training and management.

(B) Information systems, including network and software design, and information classification, governance, processing, storage, transmission, and disposal.

(C) Procedures for detecting, preventing, and responding to cybersecurity events or other systems failures.

(5) Implementing information safeguards to manage the threats identified under subdivision (2), and assessing the effectiveness of the safeguards’ key controls, systems, and procedures at least one (1) time each year.

As added by P.L.130-2020, SEC.10.