In North Dakota, it is mandatory for licensees to develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system [2.1]. The program must be designed to protect the security and confidentiality of nonpublic information and the security of the information system, protect against any threats or hazards to the security or integrity of nonpublic information and the information system, protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to any consumer.

New Mexico has specific requirements for information security programs that must be followed by all agencies and organizations that handle sensitive information. Skipping having an information security program in place is not an option. The state requires all agencies to have documented security operating instructions, management processes, and formal incident management procedures in place that define roles and responsibilities of individuals who operate or use agency IT technical operations and facilities [2.

Information Security Program Requirements in New Hampshire In New Hampshire, every licensee is required to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of customer information [1.5]. The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities [1.5]. The objectives of the information security program are to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of the information, and protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer [1.

Based on the context documents, it is not possible to skip having an information security program in place in Nebraska. NEAC 210-77-04 requires each licensee to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of customer information. The administrative, technical, and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.

In Missouri, it is not recommended to skip having an information security program in place. However, we could not find any specific requirements for having an information security program in place in Missouri in the provided context documents. The documents only provide information on continuing education requirements for corporate security advisors [1.2], causes to deny corporate security advisor license [1.3], cancellation of program certification [2.1], and program participant renewal [2.3]. Therefore, we suggest consulting with a legal professional or the Missouri state government for more information on information security program requirements in Missouri.

Information Security Program Requirements in Mississippi No, you cannot skip having an information security program in place in Mississippi. Mississippi has established an Enterprise Security Program to provide for coordinated oversight of cybersecurity efforts across all state agencies [1.1]. Additionally, each licensee in Mississippi is required to develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment and that contains administrative, technical and physical safeguards for the protection of nonpublic information and the licensee’s information system [2.

In Massachusetts, it is mandatory to have an information security program in place. The Attorney General’s WISP and the Auditor’s WISP require that security measures be established and maintained for computers, including wireless systems, that cover at least the following elements: secure user authentication protocols, secure access control measures, restricted access to computerized records containing personal information, safeguards against access by former employees, safeguards against the transmission of personal information, reasonable periodic monitoring of networks and systems for unauthorized use of or access to personal information, encryption of personal information stored on laptops or other portable devices, firewall protection for electronic files containing personal information on a system that is connected to the Internet, the most current version of system security agent software, education and training of employees on the proper use of the computer security system, the importance of personal information security, and resources available to safeguard personal information, and enhanced network security [1.

Information Security Program Requirements in Maine No, you cannot skip having an information security program in place in Maine if you are a licensee. According to MERS Section 2264, a licensee shall develop, implement, and maintain a comprehensive, written information security program based on the licensee’s risk assessment and containing administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information systems. The information security program must be designed to protect the security and confidentiality of nonpublic information and the security of the licensee’s information systems, protect against reasonably foreseeable threats or hazards to the security or integrity of nonpublic information and the licensee’s information systems, protect against unauthorized access to or use of nonpublic information and minimize the likelihood of harm to any consumer, and define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when it is no longer needed [1.

In Louisiana, it is not recommended to skip having an information security program in place. The state has implemented the Statewide Income and Eligibility Verification System (SIEVS) [2.1], which requires computer matching to obtain information from various agencies, including the Social Security Administration, the Internal Revenue Service, and the Louisiana Department of Labor. Additionally, private security agents and businesses are required to be licensed and meet certain qualifications [1.2][1.3]. Security clearances are also required for systems personnel [3.

Information Security Program Requirements in Kansas In Kansas, an information security program is required by law. The Kansas Cybersecurity Act [2.1] establishes the Kansas Information Security Office (KISO) within the Office of Information Technology Services. The KISO is responsible for administering the Kansas Cybersecurity Act and assisting the executive branch in developing, implementing, and monitoring strategic and comprehensive information security risk-management programs. Under the direction of the Chief Information Security Officer (CISO), the KISO is responsible for creating and managing a unified and flexible control framework to integrate and normalize requirements resulting from applicable state and federal laws, and rules and regulations.