§ 147-33.111. State CIO approval of security standards and security assessments.
(a) Notwithstanding G.S. 143‑48.3 or any other provision of law, and except as otherwise provided by this section, all information technology security purchased using State funds, or for use by a State agency or in a State facility, shall be subject to approval by the State Chief Information Officer in accordance with security standards adopted under this Article.
(b) If the legislative branch, the judicial branch, The University of North Carolina and its constituent institutions, local school administrative units as defined by G.S. 115C‑5, or the North Carolina Community Colleges System develop their own security standards, taking into consideration the mission and functions of that entity, that are comparable to or exceed those set by the State Chief Information Officer under this section, then these entities may elect to be governed by their own respective security standards, and approval of the State Chief Information Officer shall not be required before the purchase of information technology security. The State Chief Information Officer shall consult with the legislative branch, the judicial branch, The University of North Carolina and its constituent institutions, local school administrative units, and the North Carolina Community Colleges System in reviewing the security standards adopted by those entities.
(c) Before a State agency may enter into any contract with another party for an assessment of network vulnerability, including network penetration or any similar procedure, the State agency shall notify the State Chief Information Officer and obtain approval of the request. The State Chief Information Officer shall refer the request to the State Auditor for a determination of whether the Auditor's office can perform the assessment and testing. If the State Auditor determines that the Auditor's office can perform the assessment and testing, then the State Chief Information Officer shall authorize the assessment and testing by the Auditor. If the State Auditor determines that the Auditor's office cannot perform the assessment and testing, then with the approval of the State Chief Information Officer and State Auditor, the State agency may enter into a contract with another party for the assessment and testing. If the State agency enters into a contract with another party for assessment and testing, the State agency shall issue public reports on the general results of the reviews. The contractor shall provide the State agency with detailed reports of the security issues identified that shall not be disclosed as provided in G.S. 132‑6.1(c). The State agency shall provide the State Chief Information Officer and the State Auditor with copies of the detailed reports that shall not be disclosed as provided in G.S. 132‑6.1(c). (2001‑424, s. 15.2(b); 2004‑129, ss. 10, 12, 14.)