ARIZONA STATE SENATE
Phoenix, Arizona
information systems security information; confidentiality
Purpose
Defines information systems security information and requires state agencies to maintain the confidentiality of their information systems security information.
Background
Information systems security information, as defined in this legislation, is information concerning the processes used to manage the security of this State’s information systems. This includes records, process instructions, data and any other information directly related to information systems security.
Recently, information officers in some state agencies have expressed concerns about current practices of sharing information. There is no statutory requirement for agencies to maintain the confidentiality of their information systems security information. Therefore, when information is shared, there is very little protection against compromising the security of the entire agency’s database. Additionally, agency information officers have no means to argue that the confidentiality of their database has been compromised unless it is argued in court. This can be expensive and time-consuming.
In an attempt to address these issues, this legislation prohibits all state agencies from sharing information systems security information except with a limited number of people. However, it does not restrict the sharing of information
There is no fiscal impact to the state general fund associated with this legislation.
Provisions
1. States that information systems security information is confidential.
2. Defines information systems security information as information concerning the processes used to manage the security of this State’s information systems. This includes records, process instructions, data and other information directly related to information systems security.
3. Requires an agency that controls an information system to maintain the confidentiality of its information systems security information.
4. Requires agencies to continue to maintain the confidentiality of information systems security information if the agency has contracted to place state information on an information system that is not under direct control of that agency.
5. Prohibits the responsible agency from conveying information systems security information to anyone other than duly appointed information systems auditors, law enforcement officials with a court order who need the information to conduct a lawful investigation, the Office of the Auditor General or any person the responsible agency director deems as having a need to know the information.
6. Specifies that the Arizona State Library, Archives and Public Records (ASLAPR) is to be responsible for maintaining the confidentiality of information systems security information if it is included in records that have been transferred to ASLAPR.
7. Allows the responsibility for maintaining the confidentiality of the information and the record to be transferred as the record for information systems security information is transferred.
8. Provides for a general effective date.
Amendments Adopted in Committee
· Requires law enforcement officials to obtain a court order before acquiring information systems security information needed to conduct a lawful investigation.
Amendments Adopted by Committee of the Whole
· Allows an agency that is responsible for the confidentiality of its information systems security information to share its information systems security information with the Office of the Auditor General.
Senate Action
GOV 2/11/02 DPA 5-0-1-0
3rd Read 3/18/02 DPA 28-0-2
Prepared by Senate Staff
March 19, 2002