(a) Notwithstanding G.S. 143-48.3 or any other provision of law, and except as otherwise provided by this section, all information technology security purchased using State funds, or for use by a State agency or in a State facility, shall be subject to approval by the State Chief Information Officer in accordance with security standards adopted under this Article.
(a1) The State Chief Information Officer shall conduct assessments of information system security, network vulnerability, including network penetration or any similar procedure. The State Chief Information Officer may contract with another party or parties to perform the assessments. Detailed reports of the security issues identified shall be kept confidential as provided in G.S. 132-6.1(c).
(b) If the legislative branch, the judicial branch, The University of North Carolina and its constituent institutions, local school administrative units as defined by G.S. 115C-5, or the North Carolina Community Colleges System develop their own security standards, taking into consideration the mission and functions of that entity, that are comparable to or exceed those set by the State Chief Information Officer under this section, then these entities may elect to be governed by their own respective security standards, and approval of the State Chief Information Officer shall not be required before the purchase of information technology security. The State Chief Information Officer shall consult with the legislative branch, the judicial branch, The University of North Carolina and its constituent institutions, local school administrative units, and the North Carolina Community Colleges System in reviewing the security standards adopted by those entities.
(c) Before a State agency may enter into any contract with another party for an assessment of information system security or network vulnerability, the State agency shall notify the State Chief Information Officer and obtain approval of the request. If the State agency enters into a contract with another party for assessment and testing, after approval of the State Chief Information Officer, the State agency shall issue public reports on the general results of the reviews. The contractor shall provide the State agency with detailed reports of the security issues identified that shall not be disclosed as provided in G.S. 132-6.1(c). The State agency shall provide the State Chief Information Officer with copies of the detailed reports that shall not be disclosed as provided in G.S. 132-6.1(c).
(d) Nothing in this section shall be construed to preclude the Office of the State Auditor from assessing the security practices of State information technology systems as part of that Office's duties and responsibilities. (2001-424, s. 15.2(b); 2004-129, ss. 10, 12, 14; 2010-31, s. 6.15(a); 2013-188, s. 5.)
Sections: Previous 147-33.99 147-33.100 147-33.101 147-33.102 147-33.103 147-33.104A 147-33.110 147-33.111 147-33.112 147-33.113 147-33.120 147-33.121 147-33.122 147-33.123 147-34 Next
Last modified: March 23, 2014