Duties of the Chief Technology Officer Relating to Security of Government Information

(a)The Chief Technology Officer shall ensure the security of government information and the data communications infrastructure from unauthorized uses, intrusions, or other security threats. At a minimum, these policies, procedures and standards shall identify and require the adoption of practices to safeguard information systems, data and communications infrastructures, as well as define the scope and regularity of security audits, and which bodies are authorized to conduct security audits. The audits may include reviews of physical security practices.

(b)Annual Audits.

(1)The Chief Technology Officer shall, at least annually, perform security audits of all executive branch agencies regarding the protection of government databases and data communications.

(2)Security audits may include, but are not limited to, on-site audits, as well as reviews of all written security procedures and documented practices.

(c)The Chief Technology Officer may contract with a private firm, or firms, that specialize in conducting these audits.

(d)All public bodies subject to the audits required by this Section shall fully cooperate with the entity designated to perform the audit.

(e)The Chief Technology Officer may direct specific remediation actions to mitigate findings of insufficient administrative, technical and physical controls necessary to protect government information or data communication infrastructures.

(f)The Chief Technology Officer of the Office of Technology shall provide regulatory and policy oversight to government-wide technology initiatives and interagency working groups related to artificial intelligence and emerging technologies. Such oversight shall ensure that all frameworks, standards, and recommendations developed by the Task Force or related entities comply with applicable privacy laws, cybersecurity and data-governance standards, and protections of civil liberties and individual rights. The Chief Technology Officer shall promulgate rules to minimize vulnerability to threats and to regularly assess security risks, determine appropriate security measures, and perform security audits of government information systems and data communications infrastructures.

(g)The Chief Technology Officer shall ensure compliance with confidentiality restrictions and other security guidelines applicable to law enforcement agencies, emergency response personnel, and emergency management operations.

(h)The provisions of this Section shall not infringe upon the responsibilities assigned to the Public Auditor, or other statutory requirements.

(i)In consultation with the Adjutant General, the Chief of Police, the Fire Chief, and the Director of the Division of Homeland Security, the Chief Technology Officer is responsible for the development and maintenance of an information systems disaster recovery system for the government of Guam with redundant sites in two

(2)or more locations isolated from reasonably perceived threats to the primary operations of the government of Guam.

(1)The Chief Technology Officer shall develop specifications, funding mechanisms and participation requirements for all executive branch agencies to protect the government of Guam’s essential data, information systems, and critical government services in times of emergency, inoperativeness, or disaster. CH. 1 OFFICE OF I MAGA’HÅGA/MAGA’LÅHI [THE GOVERNOR]

(2)Each executive branch agency shall assist the Chief Technology Officer in planning for its specific needs, and provide to the Chief Technology Officer any information or access to information systems or equipment that may be required in carrying out this purpose.

(3)No government-wide or executive branch agency procurement of disaster recovery services may be initiated, let or extended without the expressed consent of the Chief Technology Officer.