§ 22-13-10 - Audit of information security systems.
§ 22-13-10 Audit of information security systems. (a) The general assembly recognizes that the security of government computer systems is essential to ensuring the stability and integrity of vital information gathered and stored by government for the benefit of the citizenry and the breach of security over computer systems presents a risk to the health, safety, and welfare of the public. It is the intent of the legislature to insure that government computer systems and information residing on these systems are protected from unauthorized access, compromise, sabotage, hacking, viruses, destruction, illegal use, cyber attack or any other act which might jeopardize or harm the computer systems and the information stored on them.
(b) In conjunction with the powers and duties outlined in this chapter, the auditor general may conduct reviews and assessments of the various government computer systems and the security systems established to safeguard these computer systems. Computer systems subject to this section shall include systems which pertain to federal, state, or local programs, and quasi-governmental bodies, and the computer systems of any entity or program which is subject to audit by the office of the auditor general. The auditor general's review may include an assessment of system vulnerability, network penetration, potential security breaches, and susceptibility to cyber attack and cyber fraud.
(c) In the event the review by the auditor general indicates a computer system is vulnerable, or security over the system is lacking, those findings shall not be disclosed publicly and shall not be considered public records. Notwithstanding any other provision of law to the contrary, the workpapers developed in connection with the review of the computer system and the security over the system shall not be deemed public records and are not subject to disclosure. The auditor general's findings may be disclosed at the discretion of the auditor general to the chief information officer of the state as well as the joint committee on legislative services. Unless the auditor general authorizes the release of information or findings gathered in the conduct of a review of computer system security, all such information shall be deemed classified, confidential, secret, and non-public.
(d) In order to maintain the integrity of the computer system, the auditor general may procure the services of specialists in information security systems or other contractors deemed necessary in conducting reviews under this section, and in procuring those services shall be exempt from the requirements of the state purchasing law or regulation.
(e) Any outside contractor or vendor hired to provide services in the review of the security of a computer system shall be bound by the confidentiality provisions of this section.