Text to be removed highlighted in red.
135:1 New Paragraph; Department of Information Technology; Commissioner; Directors; Chief Information Security Officer. Amend RSA 21-R:3 by inserting after paragraph I-a the following new paragraph:
I-b. The commissioner shall appoint a chief information security officer, who shall be qualified to hold that position by reason of education and experience. The chief information security officer shall perform such duties described in RSA 21-R:4-a and as may be assigned by the commissioner, which may include, but not be limited to, the authority and power with approval of the commissioner to direct the formulation and implementation of cybersecurity and information security strategy, direction, policy, procedures, and standards across the executive branch of the state government.
135:2 Department of Information Technology; Commissioner; Directors; Compensation; Chief Information Security Officer. Amend RSA 21-R:3, III to read as follows:
III. The salaries of the commissioner, deputy commissioner, and division directors shall be as specified in RSA 94:1-a.
135:3 New Paragraph; Department of Information Technology; Duties of the Commissioner; Establishing Cybersecurity Integration Center. Amend RSA 21-R:4 by inserting after paragraph XX the following new paragraph:
XXI. Establish and maintain within the department a cybersecurity integration center to serve as the unified state center for coordinating cybersecurity monitoring, sharing information, distributing cybersecurity threat analysis, and enabling situational awareness between and among executive branch agencies and departments.
135:4 New Section; Duties of the Chief Information Security Officer. Amend RSA 21-R by inserting after section 4 the following new section:
21-R:4-a Duties of the Chief Information Security Officer. The chief information security officer shall be responsible for the following:
I. Chairing the cybersecurity advisory committee.
II. Developing, publishing, maintaining, and interpreting the statewide information security manual's policies and standards.
III. Developing, managing, and executing the statewide cyber disruption plan and an information security event response process.
IV. Staffing and training members of ESF-17 under the state emergency operations plan.
V. Identifying security requirements to limit the risks associated with identified executive branch business objectives as defined by the governor and the heads of state agencies.
VI. Providing information security subject matter expertise to the executive branch of the New Hampshire state government.
VII. Drafting and implementing an information security awareness and training program to be used by all state agencies.
VIII. Providing security metrics to track the performance of the information security program.
IX. Developing an information security governance and risk program, including, but not limited to:
(a) Coordinating and conducting risk assessments of agencies and their information assets.
(b) Conducting and managing vulnerability assessments of agency networks, applications, databases, and systems.
(c) Conducting penetration tests of agency networks, applications, databases, and systems.
(d) Conducting information security risk assessments of third parties with access to state of New Hampshire information assets.
X. Serving as the chief of the New Hampshire cyber integration center.
135:5 Effective Date. This act shall take effect 60 days after its passage.
Approved: June 30, 2023
Effective Date: August 29, 2023
Text to be added highlighted in green.
135:1 New Paragraph; Department of Information Technology; Commissioner; Directors; Chief Information Security Officer. Amend RSA 21-R:3 by inserting after paragraph I-a the following new paragraph:
I-b. The commissioner shall appoint a chief information security officer, who shall be qualified to hold that position by reason of education and experience. The chief information security officer shall perform such duties described in RSA 21-R:4-a and as may be assigned by the commissioner, which may include, but not be limited to, the authority and power with approval of the commissioner to direct the formulation and implementation of cybersecurity and information security strategy, direction, policy, procedures, and standards across the executive branch of the state government.
135:2 Department of Information Technology; Commissioner; Directors; Compensation; Chief Information Security Officer. Amend RSA 21-R:3, III to read as follows:
III. The salaries of the commissioner, deputy commissioner, chief information security officer, and division directors shall be as specified in RSA 94:1-a.
135:3 New Paragraph; Department of Information Technology; Duties of the Commissioner; Establishing Cybersecurity Integration Center. Amend RSA 21-R:4 by inserting after paragraph XX the following new paragraph:
XXI. Establish and maintain within the department a cybersecurity integration center to serve as the unified state center for coordinating cybersecurity monitoring, sharing information, distributing cybersecurity threat analysis, and enabling situational awareness between and among executive branch agencies and departments.
135:4 New Section; Duties of the Chief Information Security Officer. Amend RSA 21-R by inserting after section 4 the following new section:
21-R:4-a Duties of the Chief Information Security Officer. The chief information security officer shall be responsible for the following:
I. Chairing the cybersecurity advisory committee.
II. Developing, publishing, maintaining, and interpreting the statewide information security manual's policies and standards.
III. Developing, managing, and executing the statewide cyber disruption plan and an information security event response process.
IV. Staffing and training members of ESF-17 under the state emergency operations plan.
V. Identifying security requirements to limit the risks associated with identified executive branch business objectives as defined by the governor and the heads of state agencies.
VI. Providing information security subject matter expertise to the executive branch of the New Hampshire state government.
VII. Drafting and implementing an information security awareness and training program to be used by all state agencies.
VIII. Providing security metrics to track the performance of the information security program.
IX. Developing an information security governance and risk program, including, but not limited to:
(a) Coordinating and conducting risk assessments of agencies and their information assets.
(b) Conducting and managing vulnerability assessments of agency networks, applications, databases, and systems.
(c) Conducting penetration tests of agency networks, applications, databases, and systems.
(d) Conducting information security risk assessments of third parties with access to state of New Hampshire information assets.
X. Serving as the chief of the New Hampshire cyber integration center.
135:5 Effective Date. This act shall take effect 60 days after its passage.
Approved: June 30, 2023
Effective Date: August 29, 2023