SB26-185

Enhance Security of Office of Information Technology

Type: Bill
Session: 2026 Regular Session
Subjects: Telecommunications & Information Technology

Concerning measures to enhance the office of information technology's security procedures.

Bill Summary:

      Joint Technology Committee. The bill allows the joint technology committee (JTC), within 90 days after the day that the chief information security officer of the office of information technology (security officer) files a written information technology compliance report (compliance report) with the JTC as required by the bill, to vote to request that the legislative audit committee direct the state auditor to conduct a special information technology security audit (IT security audit) of the office of information technology (OIT) if the compliance report indicates that one or more audit recommendations made by the state auditor is unresolved 2 or more years past the implementation date for the audit recommendation or if a material discrepancy exists between a representation in the compliance report and a previous audit finding.

     If the JTC votes to request an IT security audit and if the legislative audit committee votes to direct the audit, the bill requires:

  • The state auditor to conduct the IT security audit;
  • The state auditor to obtain input from OIT when the state auditor determines the scope and boundaries of the audit;
  • The state auditor to submit the IT security audit report to the legislative audit committee, the JTC, the joint budget committee, and the governor; and
  • OIT to reimburse the state auditor for the auditor's costs incurred in completing the IT security audit.

     The bill requires OIT to establish, maintain, keep, update, and make available to state agency information technology leadership and the members of the JTC, a list of all active information technology vendor contracts for state agencies.

     The bill specifies that, except in the case of an information technology security emergency, OIT shall not publish or implement a technical information technology standard, and that the standard is void, unless the standard:

  • Was publicly posted; and
  • Received approval from the security officer if the standard relates to security, access controls, or the handling of data.

     The bill requires OIT to ensure that, if an information technology contract provides ongoing service and delivery to Coloradans, the contract maintains current architecture diagrams that are updated at least annually.

     The bill prohibits the chief information officer from delegating a duty, responsibility, or power of the security officer.

     The bill requires the security officer to submit 2 annual reports to the JTC. The first report is a written compliance report that includes OIT's current compliance status with applicable security standards; all open audit recommendations regarding OIT made by the state auditor and the date on which each recommendation was made; and a timeline for remediation and a mitigation plan or compensation controls for each open audit recommendation made by the state auditor.

     The second report is a written statewide information technology security risk report (security risk report) that assesses the overall security risk posture of state agency information technology systems. To support the preparation of the security risk report, the security officer may conduct evaluations of state agency information technology systems, including penetration testing, vulnerability scanning, configuration evaluations, and vendor and system reviews. Each state agency shall provide to the security officer, upon request, the access and information necessary to conduct evaluations of state agency technology systems, including system access, product information, and architecture information.

     The bill requires the security officer, or the chief information officer if the security officer is unavailable, to perform the duties and uphold the responsibilities assigned to the security officer pursuant to law.


(Note: This summary applies to this bill as introduced.)


Status

Under Consideration


Related Documents & Information

Date | Version | Documents
05/01/2026 | Introduced | PDF
05/06/2026 | Senate Business, Labor, & Technology Preamend | PDF
05/04/2026 | Initial Fiscal Note | PDF
05/06/2026 | SA1 | PDF

Activity | Vote | Documents
Refer Senate Bill 26-185, as amended, to the Committee on Appropriations. | The motion passed on a vote of 5-0. | Vote summary

Date | Amendment Number | Committee/Floor Hearing | Status | Documents
05/05/2026 | L.001 | SEN Business, Labor, & Technology | Passed [*] | PDF

Date | Location | Action
05/05/2026 | Senate | Senate Committee on Business, Labor, & Technology Refer Amended to Appropriations
05/01/2026 | Senate | Introduced In Senate - Assigned to Business, Labor, & Technology
