Can I skip having an information security program in place in North Dakota? What are the requirements?
In North Dakota, licensees are required to develop, implement, and maintain a comprehensive written information security program. The program must be based on the licensee’s risk assessment and contain administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system [2.1].

The program must be designed to protect the security and confidentiality of nonpublic information and the security of the information system, protect against any threats or hazards to the security or integrity of nonpublic information and the information system, protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to any consumer.

The licensee must also designate one or more employees, an affiliate, or an outside vendor to act on behalf of the licensee and be responsible for the information security program. It must identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, and assess the sufficiency of the policies, procedures, information systems, and other safeguards in place to manage those threats. Finally, it must implement information safeguards to manage the threats identified in its ongoing assessment and, on an annual basis, assess the effectiveness of the safeguards’ key controls, systems, and procedures. Failure to comply with these requirements may result in penalties [2.1].
Therefore, it is not possible to skip having an information security program in place in North Dakota if you are a licensee.
Jurisdiction
North Dakota