The National Association of State Chief Information Officers sent a “call to action” last week to the new governors that outlines the plethora of challenges and risks pertaining to cyber-security in state government.
“With 26 new administrations, it’s imperative that new governors and other state policy leaders be aware of the cyber-security threats that states face on a daily basis,” said Kyle Schafer, NASCIO president and West Virginia CIO, via a statement. “This call to action is meant to assist state leaders in understanding the threats and developing appropriate process and policy to mitigate risks.”
The document outlines a five-point summary of present challenges, which include administrations turning more often to IT solutions as a means to improve efficiency amid fiscal crises. But personal information continues to be at risk, as state networks are being attacked on a daily basis, according to NASCIO.
The association said an enterprise model for cyber-security is the preferable approach, no matter the state’s governance structure. A culture of security must be created across the government, according to NASCIO. “The most effective cyber-security programs produce accurate assessments of the risks associated with each system the government maintains, and for the network as a whole,” the paper said.
The call to action said one bright spot is that tight budgets are creating opportunities to improve states’ cyber-security postures by “baking” security into restructured departments and new processes. Furthermore, the federal government is realizing that states need more money to address cyber-security gaps. The U.S. Department of Homeland Security will conduct an assessment of states’ cyber-security in fall 2011, according to NASCIO.
Finally, NASCIO urges the new governors to consider some basic questions:
- Is your state supporting a “culture of information security” encompassing a governance structure of state leadership and all key stakeholders?
- Has your state implemented an enterprise cyber-security framework that includes policies, control objectives, practices, standards and compliance?
- Has your state invested in information technologies that provide continuous vulnerability management and protect against critical cyber threats on an ongoing basis?
- Are security metrics available in your state that accurately measure and report intrusion attempts, penetrations, vulnerabilities and security breaches?
- Have state employees and contractors been trained for their roles and responsibilities in protecting the state’s cyber assets?