Can I skip having an information security program in place in Colorado? What are the requirements?
Information Security Program Requirements in Colorado
In Colorado, institutions of higher education, public agencies, and licensees are required to have an information security program in place [1.1][2.1][1.2]. The information security program must provide security for the communication and information resources that support the operations and assets of the organization. The requirements for the information security program include:
- Periodic assessments of the risk and magnitude of the harm that could result from a security incident;
- A process for providing adequate information security for the communication and information resources of the organization;
- Information security awareness training to inform the employees, administrators, and users about the information security risks and the responsibility of employees, administrators, and users to comply with the organization’s information security program and the policies, standards, and procedures designed to reduce the security risks;
- Periodic testing and evaluation of the effectiveness of information security for the organization, which shall be performed not less than annually;
- A process for detecting, reporting, and responding to security incidents consistent with the information security policy of the organization;
- Plans and procedures to ensure the continuity of operations for information resources that support the operations and assets of the organization in the event of a security incident.
Skipping an Information Security Program in Colorado
No, institutions of higher education, public agencies, and licensees in Colorado cannot skip having an information security program in place [1.1][2.1][1.2]. Each organization is required to develop an information security program that includes administrative, technical, and physical safeguards for the protection of customer information [2.1].
Furthermore, the chief information security officer is authorized to temporarily discontinue or suspend the operation of an organization’s communication and information resources in order to isolate the source of a security incident [1.3].
Therefore, organizations in Colorado must comply with the state’s information security program requirements.
Source(s):
- [1.1] Institutions of higher education - information security plans.
- [2.1] Information security program.
- [1.2] Public agencies - information security plans.
- [1.3] Security incidents - authority of chief information security officer.
Jurisdiction
Colorado