C.R.S. Section 24-37.5-404.7
General assembly

  • information security plans

(1)

The general assembly shall develop an information security plan. The information security plan shall provide information security for the communication and information resources that support the operations and assets of the general assembly.

(2)

The information security plan shall include:

(a)

Periodic assessments of the risk and magnitude of the harm that could result from a security incident;

(b)

A process for providing adequate information security for the communication and information resources of the general assembly;

(c)

Information security awareness training for regular employees of the general assembly;

(d)

Periodic testing and evaluation of the effectiveness of information security for the general assembly, which shall be performed not less than annually;

(e)

A process for detecting, reporting, and responding to security incidents consistent with the information security policy of the general assembly. The general assembly and the chief information security officer shall establish the terms and conditions by which the general assembly shall report information security incidents to the chief information security officer.

(f)

Plans and procedures to ensure the continuity of operations for information resources that support the operations and assets of the general assembly in the event of a security incident.

(3)

The legislative service agency directors shall maintain the information security plan pursuant to this section and keep the joint technology committee advised of the plan.

(4)

Nothing in this section shall be construed to require the general assembly to adopt policies or standards that conflict with federal law, rules, or regulations or with contractual arrangements governed by federal laws, rules, or regulations.

(5)

The general assembly shall provide regularized security awareness training to inform the regular legislative employees, administrators, and users about the information security risks and the responsibility of employees, administrators, and users to comply with the general assembly’s information security plan and the policies, standards, and procedures designed to reduce those risks.

Source: Section 24-37.5-404.7 — General assembly - information security plans, https://leg.­colorado.­gov/sites/default/files/images/olls/crs2023-title-24.­pdf (accessed Oct. 20, 2023).

24‑37.5‑101
Legislative declaration - findings
24‑37.5‑102
Definitions
24‑37.5‑103
Office of information technology - creation - information technology revolving fund - geographic information system coordination
24‑37.5‑105
Office - roles - responsibilities - state search interface - rules - legislative declaration - definitions
24‑37.5‑105.2
State agencies - information technology - responsibilities
24‑37.5‑105.4
Delegation of authority
24‑37.5‑106
Chief information officer - duties and responsibilities
24‑37.5‑116
Communications and stakeholder management plan
24‑37.5‑117
Use of technology to interact with citizens - working group - strategic plan
24‑37.5‑118
Change of references - director to revisor of statutes
24‑37.5‑119
Broadband service - report - broadband deployment board - broadband administrative fund - creation - rules - legislative declaration - definitions - repeal
24‑37.5‑120
Technology risk prevention and response fund - creation - definitions
24‑37.5‑121
Digital access to government services - strategic plan - reporting - legislative declaration - definitions
24‑37.5‑122
Study of personally identifiable information - authority of chief information officer - report to joint technology committee - definitions - repeal
24‑37.5‑123
Colorado operations resource engine upgrade and continuous improvement project - reporting
24‑37.5‑401
Legislative declaration
24‑37.5‑403
Chief information security officer - duties and responsibilities
24‑37.5‑404
Public agencies - information security plans
24‑37.5‑404.5
Institutions of higher education - information security plans
24‑37.5‑404.7
General assembly - information security plans
24‑37.5‑405
Security incidents - authority of chief information security officer
24‑37.5‑701
Legislative declaration - intent
24‑37.5‑702
Government data advisory board - created - duties - definition
24‑37.5‑703
Interdepartmental data protocol - contents
24‑37.5‑704
Data-sharing - authorization
24‑37.5‑801
Information technology asset inventory - refresh cycle schedule - report
24‑37.5‑802
Information technology budget requests - working group - report
24‑37.5‑901
Legislative declaration
24‑37.5‑902
Definitions
24‑37.5‑903
Colorado broadband office - creation - responsibilities - gifts, grants, or donations
24‑37.5‑904
Digital inclusion grant program - income-eligible household reimbursement program - creation - award criteria - digital inclusion grant program fund - definition - reporting - repeal
Green check means up to date. Up to date

Current through Fall 2024

§ 24-37.5-404.7’s source at colorado​.gov