Current through 2023 Legislative Sessions
Section 54-10-29 - Audits of computer systems - Penalty1. The state auditor may:a. Pursuant to the powers and duties outlined in this chapter, conduct a review and assessment of computer systems and related security systems. Computer systems subject to this section include the computer systems of a state agency or political subdivision that is subject to audit by the state auditor. Tests conducted in connection with this review and assessment may include an assessment of system vulnerability, network penetration, potential security breach, and susceptibility to cyber attack or cyber fraud.b. Disclose any findings to the chief information officer of the state or to any state official or legislative committee. Working papers and preliminary drafts of reports created in connection with the review of computer systems and the security of the systems are exempt from section 44-04-18. Those parts of findings and working papers that identify the methods of the state auditor or that may cause or perpetuate vulnerability of the computer system reviewed are exempt from section 44-04-18 and protected from disclosure until the state auditor directs otherwise.c. Procure the services of a specialist in information security systems or other contractors deemed necessary in conducting a review under this section. The procurement of these services is exempt from the requirements of chapter 54-44.4.2. An outside contractor hired to provide services in the review of the security of a computer system is subject to the confidentiality provisions of this section and section 44-04-27. Any individual who knowingly discloses confidential information is subject to the provisions of section 12.1-13-01.3. The state auditor shall notify the executive officer of any state agency of the date, time, and location of any test conducted in connection with a review and assessment of computer systems or related security systems. The executive officer or the officer's designee may attend and observe any test during which confidential information may be accessed or controlled.4. The state auditor shall notify the attorney general of the date, time, and location of any test conducted in connection with a review and assessment of computer systems or related security systems. The attorney general may designate an individual to participate in the test. The designee of the attorney general may order the test to be terminated if the individual believes a sensitive system is being breached, a sensitive system may be breached, or sensitive information may be revealed.5. Notwithstanding any provision in chapter 32-12.2 to the contrary, if the attorney general and the director of the office of management and budget determine it is in the best interest of the state, the state auditor may agree to limit the liability of a contractor performing a review and assessment under this section. The liability limitation must be approved by the attorney general and director of the office of management and budget in writing. For any uninsured losses, the director of the office of management and budget may approve the risk management fund to assume all or part of the contractor's liability to the state in excess of the limitation.6. A state agency receiving federal tax information under section 6103 of the Internal Revenue Code, as amended [ 26 U.S.C. 6103 ], in conjunction with the state auditor, may enter a contract with the vendor selected by the state auditor under subdivision c of subsection 1 to conduct a review and assessment of the state agency's computer systems and related security systems, including an assessment of system vulnerability, network penetration, potential security breach, and susceptibility to cyber attack or cyber fraud.