(30 ILCS 5/3-2.4)
    Sec. 3-2.4. Cybersecurity audit.
    (a) In conjunction with its annual compliance examination program, the Auditor General shall review State agencies and their cybersecurity programs and practices, with a particular focus on agencies holding large volumes of personal information.
    (b) The review required under this Section shall, at a minimum, assess the following:
        (1) the effectiveness of State agency cybersecurity
    
practices;
        (2) the risks or vulnerabilities of the
    
cybersecurity systems used by State agencies;
        (3) the types of information that are most
    
susceptible to attack;
        (4) ways to improve cybersecurity and eliminate
    
vulnerabilities to State cybersecurity systems; and
        (5) any other information concerning the
    
cybersecurity of State agencies that the Auditor General deems necessary and proper.
    (c) Any findings resulting from the testing conducted under this Section shall be included within the applicable State agency's compliance examination report. Each compliance examination report shall be issued in accordance with the provisions of Section 3-14. A copy of the report shall also be delivered to the head of the applicable State agency and posted on the Auditor General's website.
(Source: P.A. 100-914, eff. 1-1-19.)