(a) The Bureau of Information Technology shall be responsible for the following:
(1) Development of the policies and standards to be followed in providing for the confidentiality of information;
(2) Development of policies necessary to ensure the security of the Virgin Islands’ informational and physical assets;
(3) Development of policies to provide for the preservation of the Virgin Islands’ information processing capability;
(4) Coordination of research and identification of solutions or problems affecting information security;
(5) Review and recommendation of personal services contracts for information security consulting services;
(6) Representation of the Virgin Islands to the federal government, other agencies of territorial government, local government entities, and private industry on issues that have territory wide impact on information security;
(7) Development of polices and monitoring of territorial agencies to ensure that agency business operations will continue to function in the event of a disaster;
(8) Review and advisement on security plans concerning the location and construction of information processing facilities for territorial agencies;
(9) Preparation of policies and procedures for inclusion in the Virgin Islands Administrative Manual for the territorial agencies regarding the applicable law relating to confidentiality and privacy of, and public access, to information.
(b) Territorial agencies shall notify the Bureau of all incidents involving the unauthorized, intentional damage to, or modification or destruction of, electronic information, and the damage to, or destruction or theft of data processing equipment, or the intentional damage to, or destruction of, information processing facilities. The Bureau shall investigate each incident.
(c) The head of each territorial agency, department or independent instrumentality that utilizes, receives, or provides data processing services shall designate an information security officer who shall be responsible for implementing territorial policies and standards regarding the confidentiality and security of information pertaining to his respective entity. Such policies and standards include, but are not limited to, strict controls to prevent unauthorized access to data maintained in computer files, program documentation, data processing systems, data files, and data processing equipment physically located in such agency, department or independent instrumentality.
(d) Any contract entered into by any territorial agency or department which includes provisions for data processing system design, programming, documentation, conversion, equipment maintenance, and similar aspect of data processing services shall contain a provision requiring the contractor and all the contractor’s staff working under such contract to maintain all confidential information obtained as a result of such contracts as confidential and to not divulge such information to any other person.