(A) There is hereby established the office of information technology within the department of administrative services. The office shall be under the supervision of a state chief information officer to be appointed by the director of administrative services and subject to removal at the pleasure of the director. The chief information officer is an assistant director of administrative services.
(B) Under the direction of the director of administrative services, the state chief information officer shall lead, oversee, and direct state agency activities related to information technology development and use. In that regard, the state chief information officer shall do all of the following:
(1) Coordinate and superintend statewide efforts to promote common use and development of technology by state agencies. The office of information technology shall establish policies and standards that govern and direct state agency participation in statewide programs and initiatives.
(2) Establish policies and standards for the acquisition and use of common information technology by state agencies, including, but not limited to, hardware, software, technology services, and security, and the extension of the service life of information technology systems, with which state agencies shall comply;
(3) Establish criteria and review processes to identify state agency information technology projects or purchases that require alignment or oversight. As appropriate, the department of administrative services shall provide the governor and the director of budget and management with notice and advice regarding the appropriate allocation of resources for those projects. The state chief information officer may require state agencies to provide, and may prescribe the form and manner by which they must provide, information to fulfill the state chief information officer's alignment and oversight role;
(4) Establish policies and procedures for the security of personal information that is maintained and destroyed by state agencies;
(5) Employ a chief information security officer who is responsible for the implementation of the policies and procedures described in division (B)(4) of this section and for coordinating the implementation of those policies and procedures in all of the state agencies;
(6) Employ a chief privacy officer who is responsible for advising state agencies when establishing policies and procedures for the security of personal information and developing education and training programs regarding the state's security procedures;
(7) Establish policies on the purchasing, use, and reimbursement for use of handheld computing and telecommunications devices by state agency employees;
(8) Establish policies for the reduction of printing and the use of electronic records by state agencies;
(9) Establish policies for the reduction of energy consumption by state agencies;
(10) Compute the amount of revenue attributable to the amortization of all equipment purchases and capitalized systems from information technology service delivery and major information technology purchases operating appropriation items and major computer purchases capital appropriation items that is recovered as part of the information technology services rates the department of administrative services charges and deposits into the information technology fund created in section 125.15 of the Revised Code;
(11) Regularly review and make recommendations regarding improving the infrastructure of the state's cybersecurity operations with existing resources and through partnerships between government, business, and institutions of higher education;
(12) Assist, as needed, with general state efforts to grow the cybersecurity industry in this state.
(1) The chief information security officer shall assist each state agency with the development of an information technology security strategic plan and review that plan, and each state agency shall submit that plan to the state chief information officer. The chief information security officer may require that each state agency update its information technology security strategic plan annually as determined by the state chief information officer.
(2) Prior to the implementation of any information technology data system, a state agency shall prepare or have prepared a privacy impact statement for that system.
(D) When a state agency requests a purchase of information technology supplies or services under Chapter 125. of the Revised Code, the state chief information officer may review and reject the requested purchase for noncompliance with information technology direction, plans, policies, standards, or project-alignment criteria.
(E) The office of information technology may operate technology services for state agencies in accordance with this chapter.
(F) With the approval of the director of administrative services, the office of information technology may establish cooperative agreements with federal and local government agencies and state agencies that are not under the authority of the governor for the provision of technology services and the development of technology projects.
(G) The office of information technology may operate a program to make information technology purchases. The director of administrative services may recover the cost of operating the program from all participating government entities by issuing intrastate transfer voucher billings for the procured technology or through any pass-through billing method agreed to by the director of administrative services, the director of budget and management, and the participating government entities that will receive the procured technology.
If the director of administrative services chooses to recover the program costs through intrastate transfer voucher billings, the participating government entities shall process the intrastate transfer vouchers to pay for the cost. Amounts received under this section for the information technology purchase program shall be deposited to the credit of the information technology governance fund created in section 125.15 of the Revised Code.
(H) Upon request from the director of administrative services, the director of budget and management may transfer cash from the information technology fund created in section 125.15 of the Revised Code to the major information technology purchases fund in an amount not to exceed the amount computed under division (B)(10) of this section. The major information technology purchases fund is hereby created in the state treasury.
(I) As used in this section:
(1) "Personal information" has the same meaning as in section 149.45 of the Revised Code.
(2) "State agency" means every organized body, office, or agency established by the laws of the state for the exercise of any function of state government, other than any state-supported institution of higher education, the office of the auditor of state, treasurer of state, secretary of state, or attorney general, the adjutant general's department, the bureau of workers' compensation, the industrial commission, the public employees retirement system, the Ohio police and fire pension fund, the state teachers retirement system, the school employees retirement system, the state highway patrol retirement system, the general assembly or any legislative agency, the capitol square review advisory board, or the courts or any judicial agency.
Amended by 130th General Assembly File No. TBD, HB 483, §101.01, eff. 9/15/2014.
Amended by 129th General AssemblyFile No.28, HB 153, §101.01, eff. 6/30/2011.
Amended by 128th General AssemblyFile No.9, HB 1, §101.01, eff. 10/16/2009.
Effective Date: 09-29-2005; 2008 HB46 09-01-2008; 2008 HB562 09-22-2008