Section 4. The secretary shall, notwithstanding section 45 of chapter 30 and chapter 31, appoint a qualified individual to serve as an enterprise chief information security officer (CISO) for the commonwealth who shall serve at the pleasure of the secretary. The CISO shall advise the secretary and the CIO on preventing data loss and fraud and protecting privacy. The CISO shall ensure all existing IT policies applicable to executive offices and agencies reflect best practices related to security and privacy.