(b) Develop and publish for use by state agencies an information technology security framework that, at a minimum, includes guidelines and processes for:
1. Establishing asset management procedures to ensure that an agency’s information technology resources are identified and managed consistent with their relative importance to the agency’s business objectives.
2. Using a standard risk assessment methodology that includes the identification of an agency’s priorities, constraints, risk tolerances, and assumptions necessary to support operational risk decisions.
3. Completing comprehensive risk assessments and information technology security audits, which may be completed by a private sector vendor, and submitting completed assessments and audits to the Agency for State Technology.
4. Identifying protection procedures to manage the protection of an agency’s information, data, and information technology resources.
5. Establishing procedures for accessing information and data to ensure the confidentiality, integrity, and availability of such information and data.
6. Detecting threats through proactive monitoring of events, continuous security monitoring, and defined detection processes.
7. Establishing agency computer security incident response teams and describing their responsibilities for responding to information technology security incidents, including breaches of personal information containing confidential or exempt data.
8. Recovering information and data in response to an information technology security incident. The recovery may include recommended improvements to the agency processes, policies, or guidelines.
9. Establishing an information technology security incident reporting process that includes procedures and tiered reporting timeframes for notifying the Agency for State Technology and the Department of Law Enforcement of information technology security incidents. The tiered reporting timeframes shall be based upon the level of severity of the information technology security incidents being reported.
10. Incorporating information obtained through detection and response activities into the agency’s information technology security incident response plans.
11. Developing agency strategic and operational information technology security plans required pursuant to this section.
12. Establishing the managerial, operational, and technical safeguards for protecting state government data and information technology resources that align with the state agency risk management strategy and that protect the confidentiality, integrity, and availability of information and data.