State agencies and other entities subject to the provisions of this article shall:

(1) Undergo an appropriate cyber risk assessment as required by the cybersecurity framework or as directed by the Chief Information Security Officer;

(2) Adhere to the cybersecurity standard established by the Chief Information Security Officer in the use of information technology infrastructure;

(3) Adhere to enterprise cybersecurity policies and standards;

(4) Manage cybersecurity policies and procedures where more restricted security controls are deemed appropriate;

(5) Submit all cybersecurity policy and standard exception requests to the Chief Information Security Officer for approval;

(6) Complete and submit a cyber risk self-assessment report to the Chief Information Security Officer by December 31, 2020;

(7) Manage a plan of action and milestones based on the findings of the cyber risk assessment and business needs; and

(8) Submit annual reports to the Chief Security Information Officer no later than November 1 of each year beginning on November 1, 2023. The report shall contain an analysis and evaluation of each agency or entity’s cybersecurity readiness, ability to keep user data safe, data classifications, and other steps that the agency or entity has taken towards information technology modernization that are consistent with the objectives of §5A-6-4d and §5A-6-4e of this code.

Terms Used In West Virginia Code 5A-6B-4

  • Cyber risk assessment: means the process of identifying, analyzing and evaluating risk and applying the appropriate security controls relevant to the information custodians. See West Virginia Code 5A-6B-2
  • Cybersecurity framework: means computer technology security guidance for organizations to assess and improve their ability to prevent, detect, and respond to cyber incidents. See West Virginia Code 5A-6B-2
  • Enterprise: means the collective departments, agencies and boards within state government that provide services to citizens and other state entities. See West Virginia Code 5A-6B-2
  • Plan of action and milestones: means a remedial plan, or the process of accepting or resolving risk, which helps the information custodian to identify and assess information system security and privacy weaknesses, set priorities and monitor progress toward mitigating the weaknesses. See West Virginia Code 5A-6B-2
  • Security controls: means safeguards or countermeasures to avoid, detect, counteract or minimize security risks to physical property, information, computer systems or other assets. See West Virginia Code 5A-6B-2