Page:United States Statutes at Large Volume 120.djvu/3481

 120 STAT. 3450

PUBLIC LAW 109–461—DEC. 22, 2006

(3) A detailed cost-benefit analysis of each of the options identified.

(4) Estimates regarding the length of time and associated costs needed to complete such a facility under each of the options identified.

Department of Veterans Affairs Information Security Enhancement Act of 2006. 38 USC 101 note.

TITLE IX—INFORMATION SECURITY MATTERS

SEC. 901. SHORT TITLE.

This title may be cited as the ‘‘Department of Veterans Affairs Information Security Enhancement Act of 2006’’.

SEC. 902. DEPARTMENT OF VETERANS AFFAIRS INFORMATION SECURITY PROGRAMS AND REQUIREMENTS.

(a) INFORMATION SECURITY PROGRAMS AND REQUIREMENTS.—Chapter 57 is amended by adding at the end the following new subchapter:

‘‘SUBCHAPTER III—INFORMATION SECURITY

‘‘§ 5721. Purpose

‘‘The purpose of the Information Security Program is to establish a program to provide security for Department information and information systems commensurate to the risk of harm, and to communicate the responsibilities of the Secretary, Under Secretaries, Assistant Secretaries, other key officials, Assistant Secretary for Information and Technology, Associate Deputy Assistant Secretary for Cyber and Information Security, and Inspector General of the Department of Veterans Affairs as outlined in the provisions of subchapter III of chapter 35 of title 44 (also known as the ‘Federal Information Security Management Act of 2002’, which was enacted as part of the E-Government Act of 2002 (Public Law 107–347)).

‘‘§ 5722. Policy

‘‘(a) IN GENERAL.—The security of Department information and information systems is vital to the success of the mission of the Department. To that end, the Secretary shall establish and maintain a comprehensive Department-wide information security program to provide for the development and maintenance of cost-effective security controls needed to protect Department information, in any media or format, and Department information systems.

‘‘(b) ELEMENTS.—The Secretary shall ensure that the Department information security program includes the following elements:

‘‘(1) Periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the Department.

‘‘(2) Policies and procedures that—

‘‘(A) are based on risk assessments;

‘‘(B) cost-effectively reduce security risks to an acceptable level; and
