The report, "Public-Sector Information Security: A Call to Action for Public-Sector CIOs," is based, in part, on a forum sponsored by NASCIO with the support of the PricewaterhouseCoopers Endowment that identified actions to combat emerging electronic threats to security and critical infrastructure.
The report, written by Don Heiman, former CIO of Kansas, offers public-sector officials 10 recommendations for improving information security, including:
- Making sure "everyone is at the table" when developing an IT governance structure. All branches of state government and local units of government should be involved in developing policies, setting standards and establishing enterprise-level security plans.
- Adopting IT control objectives to manage, implement and maintain IT systems.
- Developing a business case for information security based on a full risk assessment of vulnerabilities. The assessment should include a complete inventory of critical systems and assets, together with an analysis of the gap between the actual and the target security level for each identified system and its related assets.
- Establishing an interstate security information center that would help states analyze security breaches, repair affected IT systems, report security alerts, provide clearinghouse services for good practices and work with federal agencies.
"The NASCIO is pleased to have been able to produce this document with the support of The PricewaterhouseCoopers Endowment," said Rock Regan, CIO of Connecticut and President of the NASCIO. "As leading implementers of IT and IT-related governance solutions, state CIOs need to be conveners of efforts to protect critical information assets. This document is a great starting point for any public-sector CIO who recognizes that IT security is not just a question of technologies and processes, but part of a larger enterprise philosophy that builds security into the way we do business."
The PricewaterhouseCoopers Endowment for the Business of Government