1. Except as otherwise provided in subsection 3, records and portions of records that are assembled, maintained, overseen or prepared by the Division to mitigate, prevent or respond to acts of terrorism, the public disclosure of which would, in the determination of the Administrator, create a substantial likelihood of threatening the safety of the general public are confidential and not subject to inspection by the general public to the extent that such records and portions of records consist of or include:
(a) Information regarding the infrastructure and security of information systems, including, without limitation:
(1) Access codes, passwords and programs used to ensure the security of an information system;
(2) Access codes used to ensure the security of software applications;
(3) Procedures and processes used to ensure the security of an information system; and
(4) Plans used to re-establish security and service with respect to an information system after security has been breached or service has been interrupted.
(b) Assessments and plans that relate specifically and uniquely to the vulnerability of an information system or to the measures which will be taken to respond to such vulnerability, including, without limitation, any compiled underlying data necessary to prepare such assessments and plans.
(c) The results of tests of the security of an information system, insofar as those results reveal specific vulnerabilities relative to the information system.
2. The Administrator shall maintain or cause to be maintained a list of each record or portion of a record that the Administrator has determined to be confidential pursuant to subsection 1. The list described in this subsection must be prepared and maintained so as to recognize the existence of each such record or portion of a record without revealing the contents thereof.
3. At least once each biennium, the Administrator shall review the list described in subsection 2 and shall, with respect to each record or portion of a record that the Administrator has determined to be confidential pursuant to subsection 1:
(a) Determine that the record or portion of a record remains confidential in accordance with the criteria set forth in subsection 1;
(b) Determine that the record or portion of a record is no longer confidential in accordance with the criteria set forth in subsection 1; or
(c) If the Administrator determines that the record or portion of a record is obsolete, cause the record or portion of a record to be disposed of in the manner described in NRS 239.073 to 239.125, inclusive.
4. On or before February 15 of each year, the Administrator shall:
(a) Prepare a report setting forth a detailed description of each record or portion of a record determined to be confidential pursuant to this section, if any, accompanied by an explanation of why each such record or portion of a record was determined to be confidential; and
(b) Submit a copy of the report to the Director of the Legislative Counsel Bureau for transmittal to:
(1) If the Legislature is in session, the standing committees of the Legislature which have jurisdiction of the subject matter; or
(2) If the Legislature is not in session, the Legislative Commission.
5. As used in this section, "act of terrorism" has the meaning ascribed to it in NRS 239C.030.
(Added to NRS by 2003, 2461; A 2005, 268; 2011, 2950)