Email WV Code

Email: Chapter 5A, Article 6B, Section 4

§5A-6B-4. Responsibilities for cybersecurity.

(a) Each information custodian receiving centralized support from the West Virginia Office of Technology, or any other entity subject to the provisions of this article, shall:

(1) Undergo an appropriate cyber risk assessment as required by the cybersecurity framework or as directed by the Chief Information Security Officer;

(2) Adhere to the cybersecurity standard established by the Chief Information Security Officer in the use of information technology infrastructure;

(3) Adhere to enterprise cybersecurity policies and standards;

(4) Manage cybersecurity policies and procedures where more restricted security controls are deemed appropriate;

(5) Submit all cybersecurity policy and standard exception requests to the Chief Information Security Officer for approval;

(6) Participate in at least one annual cybersecurity program review with representatives of the West Virginia Office of Technology before November 30 of each year. The review will provide the Office of Technology with an analysis and evaluation of each information custodian’s cybersecurity readiness, ability to keep user data safe, data classifications, and other steps that the information custodian has taken towards safeguarding, risk management, cybersecurity readiness, or information technology modernization.

(b) If an information custodian fails to participate in the annual cybersecurity program review, the West Virginia Office of Technology may recover expenses associated with conducting any diagnostics or evaluations performed to assure safety of the network, devices, and systems. The amount charged to the information custodian may not exceed the actual costs incurred by the West Virginia Office of Technology in performing the review, resolving identified problems, and ensuring network security, protection, and continuity of operations.