Can I skip having an information security program in place in Montana? What are the requirements?

Based on the information provided in the context documents, it is not possible to skip having an information security program in place in Montana if you are a licensee. Montana law requires each licensee to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of personal information ^[1.1]. The objective of the information security program is to ensure the security and confidentiality of personal information, protect against any anticipated threats or hazards to the security or integrity of the information, and protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any individual or a violation of the Privacy Act ^[1.2]. The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities ^[1.1].

However, state agencies may make a written request for an exception from a rule, policy, standard, or procedure in writing to the state chief information officer (CIO) ^[3.1]. The request must clearly outline a compelling business case, which includes a cost-benefit analysis for the state agency and whether there is an impact to the enterprise, demonstrating why it is in the best interests of the state of Montana to grant the exception ^[3.1]. If you are a state agency, you may be able to request an exception from the information security program requirement if you meet the criteria outlined in the law.

Therefore, if you are a licensee in Montana, you must have an information security program in place that meets the requirements outlined in the law.

Source(s):

• [1.1] INFORMATION SECURITY PROGRAM
• [1.2] OBJECTIVE OF INFORMATION SECURITY PROGRAM
• [3.1] GRANTING EXCEPTIONS

Jurisdiction

Montana

• Privacy