Sec. 18. Based on the results of the risk assessment, a licensee shall do the following:

(1) Design its information security program to mitigate the identified risks, commensurate with:

(A) the licensee’s size and complexity;

(B) the nature and scope of the licensee’s activities; and

(C) the sensitivity of the nonpublic information in the licensee’s control.

(2) Determine and implement appropriate security measures, which may include the following:

(A) Placing access controls on information systems, including controls to authenticate and permit only authorized individuals to have access to nonpublic information.

(B) Identifying and managing the data, personnel, devices, systems, and facilities that enable the licensee to achieve business purposes in accordance with their relative importance to business objectives and risk strategy.

(C) Restricting physical access to nonpublic information to authorized individuals only.

(D) Protecting by encryption or other appropriate means all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media.

(E) Adopting secure development practices for in-house developed applications used by the licensee.

(F) Modifying information systems in accordance with the licensee’s information security program.

(G) Using effective controls, which may include multi-factor authentication procedures for any employees accessing nonpublic information.

(H) Regularly testing and monitoring systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems.

(I) Including audit trails within the information security program designed to detect and respond to a cybersecurity event and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee.

(J) Implementing measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures.

(K) Developing, implementing, and maintaining procedures for the secure disposal of nonpublic information in any format.

(3) Include cybersecurity risks in the licensee’s enterprise risk management process.

(4) Stay informed regarding emerging threats or vulnerabilities.

(5) Use reasonable security measures when sharing information, relative to the character of the sharing and the type of information shared.

(6) Provide personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified in the risk assessment.

As added by P.L.130-2020, SEC.10.