(a) At least once every two years, each state agency shall conduct an information security assessment of the agency’s:
(1) information resources systems, network systems, digital data storage systems, digital data security measures, and information resources vulnerabilities; and
(2) data governance program with participation from the agency’s data management officer, if applicable, and in accordance with requirements established by department rule.