2014 -- S 2469

========

LC004241

========

     STATE OF RHODE ISLAND

IN GENERAL ASSEMBLY

JANUARY SESSION, A.D. 2014

____________

A N   A C T

RELATING TO PUBLIC FINANCE - POST AUDIT OF ACCOUNTS

     

     Introduced By: Senators DiPalma, Felag, Lombardi, Jabour, and Archambault

     Date Introduced: February 27, 2014

     Referred To: Senate Finance

     (Administration)

It is enacted by the General Assembly as follows:

1

     SECTION 1. Chapter 35-7 of the General Laws entitled “Post Audit of Accounts” is

2

hereby amended by adding thereto the following section:

3

     35-7-15. Audit of information security systems. – (a) The general assembly recognizes

4

that the security of government computer systems is essential to ensuring the stability and

5

integrity of vital information gathered and stored by the government for the benefit of the

6

citizenry and the breach of security over computer systems presents a risk to the health, safety,

7

and welfare of the public. It is the intent of the legislature to insure that government computer

8

systems and information residing on these systems are protected from unauthorized access,

9

compromise, sabotage, hacking, viruses, destruction, illegal use, cyber attack or any other act

10

which might jeopardize or harm the computer systems and the information stored on them.

11

     (b) In conjunction with the powers and duties outlined in this chapter, the bureau of

12

audits may conduct reviews and assessments of the various government computer systems and

13

the security systems established to safeguard these computer systems. Computer systems subject

14

to this section shall include systems which pertain to federal, state, or local programs, and quasi-

15

governmental bodies, and the computer systems of any entity or program which is subject to audit

16

by the bureau of audits. The bureau of audit’s review may include an assessment of system

17

vulnerability, network penetration, potential security breaches, and susceptibility to cyber attack

18

and cyber fraud.

19

     (c) In the event the review by the bureau of audits indicates a computer system is

 

1

vulnerable, or security over the system is lacking, those findings shall not be disclosed publicly

2

and shall not be considered public records. Notwithstanding any other provision of law to the

3

contrary, the work papers developed in connection with the review of the computer system and

4

the security over the system shall not be deemed public records and are not subject to disclosure.

5

The bureau of audit’s findings may be disclosed at the discretion of the bureau of audits to the

6

chief information officer and the director of administration. Unless the bureau of audits authorizes

7

the release of information or findings gathered in the conduct of a review of computer system

8

security, all such information shall be deemed classified, confidential, secret, and non-public.

9

     (d) In order to maintain the integrity of the computer system, the bureau of audits may

10

procure the services of specialists in information security systems or other contractors deemed

11

necessary in conducting reviews under this section, and in procuring those services shall be

12

exempt from the requirements of the state purchasing law or regulation.

13

     (e) Any outside contractor or vendor hired to provide services in the review of the

14

security of a computer system shall be bound by the confidentiality provisions of this section.

15

SECTION 2. This act shall take effect upon passage.

========

LC004241

========

 

LC004241 - Page 2 of 2

EXPLANATION

BY THE LEGISLATIVE COUNCIL

OF

A N   A C T

RELATING TO PUBLIC FINANCE - POST AUDIT OF ACCOUNTS

***

1

     This act would provide that the bureau of audits may conduct reviews and assessments of

2

government computer systems and the security systems that safeguard the computer systems.

3

This act would further provide that in the event the bureau of audits determines a system to be

4

vulnerable or lacking such findings shall not be publicly disclosed or considered a public record.

5

     This act would take effect upon passage.

========

LC004241

========

 

LC004241 - Page 3 of 2