Why is this document important and worth reading? Here’s an excerpt from the opening paragraph:
“This brief arises from discussions in NASCIO’s Security and Privacy Committee that relate to several factors: the chronic degree of underfunding for IT security programs within state government, in the context of significantly diminished state budgets; the transition of over half of the state CIO positions in the wake of 27 new governors in 2011; and the expanding number of states undertaking IT consolidation across the country.”
Although I was not one of the authors of this report, I certainly agree with the call to action and the urgency required regarding the current situation for most state and local governments around America.
What is covered in the taxonomy? Here are the service categories described in the briefing:
Governance, Risk, and Compliance Services
1. Information Security Program Management
2. Secure System Engineering
3. Information Security Training and Awareness
4. Business Continuity
5. Information Security Compliance
6. Information Security Monitoring
7. Information Security Incident Response and Forensics
8. Vulnerability and Threat Management
9. Boundary Defense
10. Endpoint Defense
11. Identity and Access Management
12. Physical Security
For each of these areas, the document defines the scope of the individual services, and describes the key activities and tools employed in the delivery of the service. The potential benefits of using a comprehensive taxonomy as well as some possible cost savings are also offered at the end of this document.
I highly encourage IT leaders as well as state and local security leadership to take a look at this piece.