(1) Each institution of higher education, in coordination with the department of higher education, shall develop an information security program. The information security program shall provide information security for the communication and information resources that support the operations and assets of the institution of higher education.
(2) The information security program shall include:
Periodic assessments of the risk and magnitude of the harm that could result from asecurity incident;
A process for providing adequate information security for the communication andinformation resources of the institution of higher education;
Information security awareness training to inform the employees, administrators, andusers at the institution of higher education about the information security risks and the responsibility of employees, administrators, and users to comply with the institution's information security program and the policies, standards, and procedures designed to reduce the security risks;
Periodic testing and evaluation of the effectiveness of information security for theinstitution of higher education, which shall be performed not less than annually;
A process for detecting, reporting, and responding to security incidents consistentwith the information security policy of the institution of higher education. The institutions of higher education, the Colorado commission on higher education, and the chief information security officer shall establish the terms and conditions by which the institutions of higher education shall report information security incidents to the chief information security officer.
Plans and procedures to ensure the continuity of operations for information resourcesthat support the operations and assets of the institution of higher education in the event of a security incident.
(3) (a) On or before July 1, 2011, and on or before July 1 each year thereafter, each institution of higher education shall submit to the department of higher education a report concerning the development and implementation of the institution's information security program and compliance with the requirements specified in subsection (2) of this section. Upon receipt of the reports, the department of higher education shall review the reports and subsequently submit the reports to the chief information security officer.
(b) As soon as practicable after August 10, 2016, the department of higher education shall divide the institutions of higher education into three groups. Notwithstanding any provision of paragraph (a) of this subsection (3) to the contrary:
After the report submitted by July 1, 2017, the institutions in the first group shallsubmit the report required in this subsection (3) by July 1 every three years;
After the report submitted by July 1, 2018, the institutions in the second group shallsubmit the report required in this subsection (3) by July 1 every three years; and
After the report submitted by July 1, 2019, the institutions in the third group shallsubmit the report required in this subsection (3) by July 1 every three years.
Nothing in this section shall be construed to require any institution of higher education or the department of higher education to adopt policies or standards that conflict with federal law, rules, or regulations or with contractual arrangements governed by federal laws, rules, or regulations.
and (6) (Deleted by amendment, L. 2011, (SB 11-062), ch. 128, p. 431, § 8, effectiveApril 22, 2011.)
(7) (Deleted by amendment, L. 2011, (HB 11-1301), ch. 297, p. 1422, § 13, effective August 10, 2011.)
Source: L. 2006: Entire part added, p. 1717, § 1, effective June 6. L. 2007: (1) amended, p. 914, § 10, effective May 17. L. 2011: (1), (2)(e), (3), (5), and (6) amended, (SB 11-062), ch. 128, p. 431, § 8, effective April 22; entire section amended, (HB 11-1301), ch. 297, p. 1422, § 13, effective August 10. L. 2016: (3) amended, (HB 16-1375), ch. 225, p. 859, § 2, effective August 10.