NOTE: This bill has been prepared for the signature of the appropriate legislative officers and the Governor. To determine whether the Governor has signed the bill or taken other action on it, please consult the legislative status sheet, the legislative history, or the Session Laws.

SENATE BILL 11-082

BY SENATOR(S) King S., Carroll, Renfroe, Tochtrop, Foster, Giron, Guzman, Heath, Kopp, Newell, Nicholson, Schwartz, Steadman, White;
also REPRESENTATIVE(S) Acree, Gardner D., Kerr J., Miklosi, Conti, Labuda, Pace, Stephens, Summers, Wilson.

Concerning the authority of the state auditor to conduct audits of security systems used for information technology operated by the state.

Be it enacted by the General Assembly of the State of Colorado:

SECTION 1. 2-3-103, Colorado Revised Statutes, is amended BY THE ADDITION OF THE FOLLOWING NEW SUBSECTIONS to read:

2-3-103. Duties of state auditor - definitions.

(1.5) (a) In addition to any other duties granted by law, the state auditor may assess, confirm, and report on the security practices of all of the information technology systems maintained or administered by all departments, institutions, and agencies of state government, including educational institutions and the judicial and legislative branches. The auditor may perform similar or related duties with respect to political subdivisions of the state where the auditor has been granted authority to perform financial or performance audits with respect to such political subdivisions. In order to perform such duties, the state auditor may conduct penetration or similar testing of computer networks or information systems of the state or a political subdivision, as applicable, assess network or information system vulnerability, or conduct similar or related procedures to promote best practices with respect to the confidentiality, integrity, and availability of information systems technology as the auditor deems necessary in his or her discretion. In conducting such testing, the state auditor may contract with auditors or information technology security specialists, or both, that possess the necessary specialized knowledge and experience to perform the required work. The authority of the state auditor pursuant to the requirements of this subsection (1.5) shall be coextensive with the auditor's authority under this part 1.

(b) Any testing or assessment of security practices and procedures concerning information technology in accordance with paragraph (a) of this subsection (1.5) shall be conducted or caused to be conducted by the state auditor:

(I) After consultation and in coordination with, but not requiring the approval of, the chief information officer appointed pursuant to section 24-37.5-103, C.R.S., or any person performing comparable duties for either a state agency that is not under the jurisdiction of the office of information technology created in section 24-37.5-103, C.R.S., or a political subdivision of the state;

(II) In accordance with industry standards prescribed by the national institute of standards and technology or any successor agency; and

(III) After the state auditor and any other person with whom the state auditor is required to consult in accordance with the requirements of subparagraph (I) of this paragraph (b) have agreed in writing to rules governing the manner in which the testing or assessment is to be conducted, including a mitigation plan for handling significant system outages or disruptions in the event they occur.

(10) As used in this section, unless the context otherwise requires:

(a) "Information technology" shall have the same meaning as specified in section 24-37.5-102 (2), C.R.S.

SECTION 2. 2-3-107 (2) (b), Colorado Revised Statutes, is amended to read:

2-3-107. Authority to subpoena witnesses - access to records.

(2) (b) Nothing in this subsection (2) shall be construed as authorizing or permitting the publication of information prohibited by law. Notwithstanding the approval of the committee to release work papers of the office of the state auditor pursuant to section 2-3-103 (3), no information required to be kept confidential pursuant to any other law shall be released in connection with an audit. The results of any audit or evaluation of information technology systems undertaken pursuant to section 2-3-103 (1.5) that are precluded from disclosure under section 24-6-402 (3) (a) (IV), C.R.S., shall not be released in connection with any such audit or evaluation. In addition to the penalty established in section 2-3-103.7, any person who unlawfully releases confidential information shall be subject to any criminal or civil penalty under any applicable law for the unlawful release of the information.

SECTION 3. Act subject to petition - effective date. This act shall take effect at 12:01 a.m. on the day following the expiration of the ninety-day period after final adjournment of the general assembly (August 10, 2011, if adjournment sine die is on May 11, 2011); except that, if a referendum petition is filed pursuant to section 1 (3) of article V of the state constitution against this act or an item, section, or part of this act within such period, then the act, item, section, or part shall not take effect unless approved by the people at the general election to be held in November 2012 and shall take effect on the date of the official declaration of the vote thereon by the governor.

____________________________          ____________________________
Brandon C. Shaffer                    Frank McNulty
PRESIDENT OF THE SENATE               SPEAKER OF THE HOUSE OF REPRESENTATIVES

____________________________          ____________________________
Cindi L. Markwell                     Marilyn Eddins
SECRETARY OF THE SENATE               CHIEF CLERK OF THE HOUSE OF REPRESENTATIVES

APPROVED ________________________________________

_________________________________________
John W. Hickenlooper
GOVERNOR OF THE STATE OF COLORADO