18-104. Powers and duties of the department; violation; classification

A. The department shall:

1. Develop, implement and maintain a coordinated statewide plan for information technology. This includes:

(a) Adopting statewide technical and coordination standards for information technology.

(b) Serving as statewide coordinator for information technology resources.

(c) Developing a statewide disaster recovery plan, identifying risks in each budget unit and directing agencies to adopt risk mitigation strategies, methods and procedures to minimize the risks.

(d) Developing a list of approved department projects by priority category.

(e) Developing a detailed list of information technology assets that are owned, leased or employed by this state.

(f) Evaluating and either approving or disapproving budget unit information technology plans. Budget units shall submit information technology plans that include quality assurance plans and disaster recovery plans to the department each year on or before May 15. The legislative and judicial departments of state government shall submit information technology plans on or before September 1 for information purposes.

(g) Evaluating specific information technology projects relating to the approved budget unit and statewide information technology plans in consultation with the statewide information security and privacy office in the Arizona department of homeland security. The department shall approve or reject projects with total costs of at least $25,000 but not more than $1,000,000 and may establish conditional approval criteria, including procurement purchase authority. If the total project costs exceed $1,000,000, the department shall evaluate the project and make recommendations to the information technology authorization committee. If the total project costs exceed $5,000,000, the department shall require the budget unit to contract with an independent third party to review and guide the technology approach, scope, estimated cost, timeline for completion and overall feasibility of the project before making recommendations to the information technology authorization committee. On or before the thirtieth day following the last day of each calendar quarter, the budget unit shall submit a report from the independent third party to the information technology authorization committee and the joint legislative budget committee regarding the progress of each ongoing project. As part of a budget request for an information technology project that has total costs of at least $25,000, a budget unit shall indicate the status of review by the department. Projects shall not be artificially divided to avoid review by the department.

2. Require that budget units incorporate a life-cycle analysis into the information technology planning, budgeting and procurement processes.

3. Require that budget units demonstrate expertise to carry out information technology plans, either by employing staff or contracting for outside services.

4. Monitor information technology projects that the department considers to be major or critical, including expenditure and activity reports and periodic review.

5. Temporarily suspend the expenditure of monies if the department determines that the information technology project is at risk of failing to achieve its intended results or does not comply with the requirements of this section.

6. Continuously study emergent technology and evaluate its impact on this state's system.

7. Advise each budget unit as necessary and report to the committee on an annual basis.

8. Provide to budget units information technology consulting services it deems necessary, either directly or by procuring outside consulting services.

9. Maintain all otherwise confidential information received from a budget unit pursuant to this section as confidential.

10. Provide staff support to the committee.

11. Subject to section 35-149, accept, spend and account for grants, monies and direct payments from public or private sources and other grants of monies or property to conduct programs that it deems consistent with the government information technology purposes and objectives of the department.

12. Adopt rules it deems necessary or desirable to further the government information technology objectives and programs of the department.

13. Formulate policies, plans and programs to effectuate the government information technology purposes of the department.

14. Advise and make recommendations to the governor and the legislature on all matters concerning its objectives.

15. Contract and enter into interagency and intergovernmental agreements pursuant to title 11, chapter 7, article 3 with any public or private party.

16. Have an official seal that shall be judicially noticed.

17. Establish an interactive online directory of codes, rules, ordinances, if available electronically, and statutes to assist individuals and businesses with regulatory requirements and obligations. As provided in this paragraph, counties, municipalities and budget units shall submit information in a manner and format prescribed by the agency.

18. Manage enterprise-level information technology infrastructure, except that the information security and privacy office in the Arizona department of homeland security shall manage the information security aspects of the infrastructure.

19. Develop strategies to protect the information technology infrastructure of this state and the data that is stored on or transmitted by the infrastructure.

20. Temporarily suspend access to information technology infrastructure when directed by the Arizona department of homeland security and consult with the Arizona department of homeland security regarding security policies, standards and procedures.

B. The department shall advise the judicial and legislative branches of state government concerning information technology.

C. The department may examine all books, papers, records and documents in the office of any budget unit and may require any state officer of the budget unit to furnish information or statements necessary to carry out this chapter.

D. The director, any member of the director's staff or any employee who knowingly divulges or makes known in any manner not permitted by law any particulars of any confidential record, document or information is guilty of a class 5 felony.