Page:United States Statutes at Large Volume 120.djvu/3485

 120 STAT. 3454

Notification.

PUBLIC LAW 109–461—DEC. 22, 2006

‘‘(15) Reporting immediately to the Secretary on any significant deficiency in the compliance described by paragraph (14).

‘‘(16) Providing immediate notice to the Secretary of any presumptive data breach.

‘‘(c) ASSOCIATE DEPUTY ASSISTANT SECRETARY FOR CYBER AND INFORMATION SECURITY.—In accordance with the provisions of subchapter III of chapter 35 of title 44, the Associate Deputy Assistant Secretary for Cyber and Information Security, as the Senior Information Security Officer of the Department, is responsible for carrying out the responsibilities of the Assistant Secretary for Information and Technology under the provisions of subchapter III of chapter 35 of title 44, as set forth in subsection (b).

‘‘(d) DEPARTMENT INFORMATION OWNERS.—In accordance with the criteria of the Centralized IT Management System, Department information owners are responsible for the following:

‘‘(1) Providing assistance to the Assistant Secretary for Information and Technology regarding the security requirements and appropriate level of security controls for the information system or systems where sensitive personal information is currently created, collected, processed, disseminated, or subject to disposal.

‘‘(2) Determining who has access to the system or systems containing sensitive personal information, including types of privileges and access rights.

‘‘(3) Ensuring the VA National Rules of Behavior is signed on an annual basis and enforced by all system users to ensure appropriate use and protection of the information which is used to support Department missions and functions.

‘‘(4) Assisting the Assistant Secretary for Information and Technology in the identification and assessment of the common security controls for systems where their information resides.

‘‘(5) Providing assistance to Administration and staff office personnel involved in the development of new systems regarding the appropriate level of security controls for their information.

‘‘(e) OTHER KEY OFFICIALS.—In accordance with the provisions of subchapter III of chapter 35 of title 44, the Under Secretaries, Assistant Secretaries, and other key officials of the Department are responsible for the following:

‘‘(1) Implementing the policies, procedures, practices, and other countermeasures identified in the Department information security program that comprise activities that are under their day-to-day operational control or supervision.

‘‘(2) Periodically testing and evaluating information security controls that comprise activities that are under their day-to-day operational control or supervision to ensure effective implementation.

‘‘(3) Providing a plan of action and milestones to the Assistant Secretary for Information and Technology on at least a quarterly basis detailing the status of actions being taken to correct any security compliance failure or policy violation.

‘‘(4) Complying with the provisions of subchapter III of chapter 35 of title 44 and other related information security laws and requirements in accordance with orders of the Assistant Secretary for Information and Technology to execute the appropriate security controls commensurate to responding to a security bulletin of the Security Operations Center of the
