A. The Information Services Division of the Office of Management and Enterprise Services shall create a standard security risk assessment for state agency information technology systems that complies with the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) Information Technology--Code of Practice for Security Management (ISO/IEC 27002).

B. Each state agency that has an information technology system shall obtain an information security risk assessment to identify vulnerabilities associated with the information system. The Information Services Division of the Office of Management and Enterprise Services shall approve not less than two firms which state agencies may choose from to conduct the information security risk assessment.

C. A state agency with an information technology system that is not consolidated under the Information Technology Consolidation and Coordination Act or that is otherwise retained by the agency shall additionally be required to have an information security audit conducted by a firm approved by the Information Services Division that is based upon the most current version of the NIST Cyber-Security Framework, and shall submit a final report of the information security risk assessment and information security audit findings to the Information Services Division each year on a schedule set by the Information Services Division. Agencies shall also submit a list of remedies and a timeline for the repair of any deficiencies to the Information Services Division within ten (10) days of the completion of the audit. The final information security risk assessment report shall identify, prioritize, and document information security vulnerabilities for each of the state agencies assessed. The Information Services Division may assist agencies in repairing any vulnerabilities to ensure compliance in a timely manner.

D. Subject to the provisions of subsection C of Section 34.12 of this title, the Information Services Division shall report the results of the state agency assessments and information security audit findings required pursuant to this section to the Governor, the Speaker of the House of Representatives, and the President Pro Tempore of the Senate by the first day of January of each year. Any state agency with an information technology system that is not consolidated under the Information Technology Consolidation and Coordination Act¹ that cannot comply with the provisions of this section shall consolidate under the Information Technology Consolidation and Coordination Act.

E. This section shall not apply to state agencies subject to mandatory North American Electric Reliability Corporation (NERC) cybersecurity standards and institutions within The Oklahoma State System of Higher Education, the Social Security Disability Determination Services Division of the Department of Rehabilitation Services, and the Oklahoma State Regents for Higher Education and the telecommunications network known as OneNet that follow the International Organization for Standardization (ISO), the Oklahoma Military Department (OMD) and the International Electrotechnical Commission (IEC)-Security techniques-Code of Practice for Information Security Controls or National Institute of Standards and Technology.