A.R.S. 18-105 - Statewide information security and privacy office

A. The statewide information security and privacy office is established in the department.  The statewide information security and privacy office shall serve as the strategic planning, facilitation and coordination office for information technology security in this state.  Individual budget units shall continue to maintain operational responsibility for information technology security.

B. The director shall appoint a statewide chief information security officer to manage the statewide information security and privacy office.  The statewide chief information security officer shall report to the director pursuant to section 18-103.

C. The statewide information security and privacy office shall develop, implement, maintain and ensure compliance by each budget unit with a coordinated statewide assurance plan for information security and privacy. The statewide information security and privacy office shall:

1. Direct information security and privacy protection compliance reviews with each budget unit to ensure compliance with standards and effectiveness of security assurance plans as necessary.

2. Identify information security and privacy protection risks in each budget unit and direct agencies to adopt risk mitigation strategies, methods and procedures to lessen these risks.

3. Monitor and report compliance of each budget unit with state information security and privacy protection policies, standards and procedures.

4. Coordinate statewide information security and privacy protection awareness and training programs.

5. Develop other strategies as necessary to protect this state's information technology infrastructure and the data that is stored on or transmitted by the infrastructure.

D. The statewide information security and privacy office may temporarily suspend operation of information infrastructure that is owned, leased, outsourced or shared in order to isolate the source of, or stop the spread of, an information security breach or other similar incident. A budget unit shall comply with directives to temporarily discontinue or suspend operations of information infrastructure.

E. Each budget unit and its contractors shall identify and report security incidents to the statewide information security and privacy office immediately on discovery and deploy mitigation strategies as directed.