Each state agency shall designate an information security officer who:
(1) reports to the agency’s executive-level management;
(2) has authority over information security for the entire agency;
(3) possesses the training and experience required to perform the duties required by department rules; and
(4) to the extent feasible, has information security duties as the officer’s primary duties.