Can I skip having an information security program in place in Iowa? What are the requirements?
To answer your question, no, you cannot skip having an information security program in place in Iowa if you are a licensee. According to IACO 507F.4, all licensees must develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment conducted pursuant to subsection 3. The information security program must be designed to protect the security and confidentiality of nonpublic information and the security of the licensee’s information system, protect against threats or hazards to the security or integrity of nonpublic information and the licensee’s information system, protect against unauthorized access to or the use of nonpublic information, and minimize the likelihood of harm to any consumer.
The licensee must conduct a risk assessment that:
- designates one or more employees, an affiliate, or an outside vendor to act on behalf of the licensee and that has responsibility for the information security program
- identifies reasonably foreseeable internal or external threats that may result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information
- assesses the probability of, and the potential damage caused by, the threats identified
- assesses the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the threats identified
- implements information safeguards to manage threats identified in the licensee’s ongoing risk assessments and, at least annually, assesses the effectiveness of the information safeguards’ key controls, systems, and procedures
Based on the risk assessment conducted, the licensee must develop, implement, and maintain an information security program as described and determine which of the following security measures are appropriate and implement each appropriate security measure:
- Place access controls on information systems
- Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve its business purposes
- Restrict access of nonpublic information stored in or at physical locations to authorized individuals only
- Protect, by encryption or other appropriate means, all nonpublic information while it is transmitted over an external network, and all nonpublic information that is stored on a laptop computer, a portable computing or storage device, or portable computing or storage media
- Adopt secure development practices for in-house developed applications utilized by the licensee, and procedures for evaluating, assessing, and testing the security of externally developed applications utilized by the licensee
- Modify information systems in accordance with the licensee’s information security program
- Utilize effective controls, which may include multi-factor authentication procedures for authorized individuals accessing nonpublic information
- Regularly test and monitor systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems
- Include audit trails within the information security program designed to detect and respond to cybersecurity events, and designed to reconstruct material financial transactions sufficient to support the normal business operations and obligations of the licensee
- Implement measures to protect against the destruction, loss, or damage of nonpublic information due to environmental hazards, natural disasters, catastrophes, or technological failures
- Develop, implement, and maintain procedures for the secure disposal of nonpublic information that is contained in any format
- Include cybersecurity risks in the licensee’s enterprise-wide risk management process
- Maintain knowledge and understanding of emerging threats or vulnerabilities and utilize reasonable security measures, relative to the character of the sharing and the type of information being shared, when sharing information
- Provide the licensee’s personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee’s risk assessment.
Licensees shall comply with this section no later than January 1, 2023. [1.1]
Jurisdiction: Iowa