Security Protocols Policy
Iowa Code section 22.7(50) authorizes a government body to keep confidential “[i]nformation concerning security procedures or emergency preparedness” when the disclosure of such information could “reasonably be expected to jeopardize” the “protection of governmental employees, visitors to the government body, persons in the care, custody, or under the control of the government body, or property under the jurisdiction of the government body.” However, such authorization only applies to “a government body that has adopted a rule or policy identifying the specific records or class of records to which . . . subsection  applies and which is contained in such a record.”
Accordingly, it is the official policy of the Office of the Chief Information Officer of the State of Iowa that the following classes of records may be withheld from public inspection upon request pursuant to Iowa Code 22.7(50):
- Computer resource security files containing names, identifiers, and passwords of users of computer resources. Such files must be kept confidential to maintain security for access to confidential records pursuant to Iowa Code section 22.7.
- Data or information collected for the purpose of assessing, analyzing, measuring, preparing for, or responding to suspected, potential, or actual information security threats.
- Data or information collected for the purpose of assessing, analyzing, or classifying the severity of, nature of, ability to remediate, or ability to migrate data.
- Detailed security audit information. Such information includes but is not limited to security assessment reports; information directly related to vulnerability assessments; information contained in records relating to security measures such as security and response plans, security codes and combinations, passwords, restricted area passes, keys, and security or response procedures; emergency response protocols; and information contained in records that if disclosed would significantly increase the vulnerability of critical physical systems or infrastructures of the office.
- Information security data, proposals, or assessments compiled, prepared, or developed by a governmental body, or compiled, prepared, or developed by a nongovernment body and used by a government body pursuant to a contractual relationship with the nongovernment body.
Effective Date: This policy shall be effective February 1, 2016.