Page:United States Statutes at Large Volume 120.djvu/3484

 PUBLIC LAW 109–461—DEC. 22, 2006

120 STAT. 3453

as the Chief Information Officer of the Department, is responsible for the following:

‘‘(1) Establishing, maintaining, and monitoring Department-wide information security policies, procedures, control techniques, training, and inspection requirements as elements of the Department information security program.

‘‘(2) Issuing policies and handbooks to provide direction for implementing the elements of the information security program to all Department organizations.

‘‘(3) Approving all policies and procedures that are related to information security for those areas of responsibility that are currently under the management and the oversight of other Department organizations.

‘‘(4) Ordering and enforcing Department-wide compliance with and execution of any information security policy.

‘‘(5) Establishing minimum mandatory technical, operational, and management information security control requirements for each Department system, consistent with risk, the processes identified in standards of the National Institute of Standards and Technology, and the responsibilities of the Assistant Secretary to operate and maintain all Department systems currently creating, processing, collecting, or disseminating data on behalf of Department information owners.

‘‘(6) Establishing standards for access to Department information systems by organizations and individual employees, and to deny access as appropriate.

‘‘(7) Directing that any incidents of failure to comply with established information security policies be immediately reported to the Assistant Secretary.

‘‘(8) Reporting any compliance failure or policy violation directly to the appropriate Under Secretary, Assistant Secretary, or other key official of the Department for appropriate administrative or disciplinary action.

‘‘(9) Reporting any compliance failure or policy violation directly to the appropriate Under Secretary, Assistant Secretary, or other key official of the Department along with taking action to correct the failure or violation.

‘‘(10) Requiring any key official of the Department who is so notified to report to the Assistant Secretary with respect to an action to be taken in response to any compliance failure or policy violation reported by the Assistant Secretary.

‘‘(11) Ensuring that the Chief Information Officers and Information Security Officers of the Department comply with all cyber security directives and mandates, and ensuring that these staff members have all necessary authority and means to direct full compliance with such directives and mandates relating to the acquisition, operation, maintenance, or use of information technology resources from all facility staff.

‘‘(12) Establishing the VA National Rules of Behavior for appropriate use and protection of the information which is used to support Department missions and functions.

‘‘(13) Establishing and providing supervision over an effective incident reporting system.

‘‘(14) Submitting to the Secretary, at least once every quarter, a report on any deficiency in the compliance with subchapter III of chapter 35 of title 44 of the Department or any Administration, office, or facility of the Department.
