Can I skip having an information security program in place in Florida? What are the requirements?

Based on the documents provided, it is not possible to skip having an information security program in place in Florida. The documents indicate that there are requirements for agency information security programs, security breach protection provisions, personnel security and security awareness, physical security and access to data processing facilities, and risk management.

Requirements for Information Security Programs

The document FLREG 71A-1.003 indicates that an agency information security program is required, and provides rulemaking authority and law implemented. However, this document has been repealed, and it is unclear if there are any current regulations that replace it.

Security Breach Protection Provisions

FLREG 60FF-3.005 outlines security breach protection provisions that are required for department-approved use of third-party network equipment, services, and software. These provisions include requirements for procurement solicitations, contracts, purchase orders, or agreements for network services, software, or equipment through means other than SUNCOM services. The vendor must agree to use reasonable efforts to provide equipment, software, and services in accordance with and adherence to Chapters 60FF-1 through 60FF-3, F.A.C. The vendor shall assume 100% liability for system failures and/or security breaches that result from violations of subsections 60FF-3.004(1) and (2), F.A.C., that are caused by the vendor-provided network solution if the vendor has failed to inform the Florida Department of Management Services, the purchaser, and parties who are implementing or accommodating implementation of the services, equipment, or software described in the contract/purchase order/agreement. The relative amount of liability for system failures and security breaches shall be apportioned between the purchasing entity, the vendor, and the Department when the cause of system failures or security breaches is within the shared control of these parties in accordance with their respective fault.

Personnel Security and Security Awareness

FLREG 71A-2.008 outlines requirements for personnel security and security awareness, but this document has been repealed.

Physical Security and Access to Data Processing Facilities

FLREG 71A-2.003 outlines requirements for physical security and access to data processing facilities, but this document has been repealed.

Risk Management

FLREG 71A-2.001 outlines requirements for risk management, but this document has been repealed.

Therefore, it is not possible to skip having an information security program in place in Florida. However, it is unclear if there are any current regulations that replace FLREG 71A-1.003, which outlines requirements for agency information security programs.

Jurisdiction

Florida

• Privacy