2-15-114. Security responsibilities of departments for data. Each department head is responsible for ensuring an adequate level of security for all data within that department and shall:

Terms Used In Montana Code 2-15-114

  • Agency: means an office, position, commission, committee, board, department, council, division, bureau, section, or any other entity or instrumentality of the executive branch of state government. See Montana Code 2-15-102
  • Data: means any information stored on information technology resources. See Montana Code 2-15-102
  • Department: means a principal functional and administrative entity that:

    (a) is created by this chapter within the executive branch of state government;

    (b) is one of the 20 principal departments permitted under the constitution; and

    (c) includes its units. See Montana Code 2-15-102

  • Information technology resources: means hardware, software, and associated services and infrastructure used to store or transmit information in any form, including voice, video, and electronic data. See Montana Code 2-15-102

(1) develop and maintain written internal policies and procedures to ensure security of data. The internal policies and procedures are confidential information and exempt from public inspection, except that the information must be available to the legislative auditor in performing postauditing duties.

(2) designate an information security manager to administer the department’s security program for data;

(3) implement appropriate cost-effective safeguards to reduce, eliminate, or recover from identified threats to data;

(4) ensure that internal evaluations of the security program for data are conducted. The results of the internal evaluations are confidential and exempt from public inspection, except that the information must be available to the legislative auditor in performing postauditing duties.

(5) include appropriate security requirements, as determined by the department, in the written specifications for the department’s solicitation of data and information technology resources; and

(6) include a general description of the existing security program and future plans for ensuring security of data in the agency information technology plan as provided for in 2-17-523.