ARIZONA STATE SENATE
Phoenix, Arizona
information systems security information; confidentiality
Purpose
Defines information systems security information and requires state agencies to maintain the confidentiality of their information systems security information.
Background
Information systems security information, as defined in this legislation, is information concerning the processes used to manage the security of this State’s information systems. This includes records, process instructions, data and any other information directly related to information systems security.
Recently, information officers in some state agencies have expressed concerns about current practices of sharing information. There is no statutory requirement for agencies to maintain the confidentiality of their information systems security information. Therefore, when information is shared, there is very little protection from compromising the security of the entire agency’s database. Additionally, agency information officers have no means to argue that the confidentiality of their database has been compromised unless it is argued in court. This can be expensive and time consuming.
In an attempt to address these issues, this legislation prohibits all state agencies from sharing information systems security information except to a limited number of people. However, it does not restrict the sharing of information.
Provisions
1. States that information systems security information is confidential.
2. Defines information systems security information as information concerning the processes used to manage the security of this State’s information systems. This includes records, process instructions, data and other information directly related to information systems security.
3. Requires an agency that controls an information system to maintain the confidentiality of its information systems security information.
4. Requires agencies to continue to maintain the confidentiality of information systems security information if the agency has contracted to place state information on an information system that is not under direct control of that agency.
5. Prohibits the responsible agency from conveying information systems security information to anyone other than duly appointed information systems auditors, law enforcement officials who need the information to conduct a lawful investigation or any person the responsible agency director deems as having a need to know the information.
6. Specifies that the Arizona State Library, Archives and Public Records (ASLAPR) is to be responsible for maintaining the confidentiality of information systems security information if it is included in records that have been transferred to ASLAPR.
7. Allows the responsibility for maintaining the confidentiality of the information and the record to be transferred as the record for information systems security information is transferred.
8. Provides for a general effective date.
Prepared by Senate Staff
February 7, 2002