A law signed by Gov. Jim Justice last week creates a new cybersecurity office within the Office of Technology to assess the vulnerabilities of state agencies and unify security policies.
A newly signed West Virginia law seeks to bolster the cybersecurity standards, allocating $4.2 million toward the development of a unified security policy and enterprise service for public agencies.
The Secure WV Act, signed into law last week, creates a new Cybersecurity Office within the Office of Technology that will be responsible for conducting a risk assessment across most state agencies. The office will conclude its assessment by developing a unifying security standard that most state agencies will be subject to.
Chief Technology Officer Joshua Spence said in a statement that the legislation will serve as “a foundational step forward in cybersecurity protection of state information systems and data.”
“By leveraging a risk management approach, the state can ensure cybersecurity resources are applied to that which matters most,” the CTO said.
Spence further described the goal of the program as the creation of a “core cybersecurity standard" that will allow officials to make an "apples-to-apples comparison of cyber-risk assessments across all agencies within the Executive Branch.”
This kind of standardization of approach across agency lines is viewed by many security officials as a means of reducing overall risk, and West Virginia is one of a number of states to recently propose initiatives to analyze, centralize and improve cybersecurity policies.
Last year, West Virginia was chosen as one of four states to participate in the National Governors Association (NGA) cybersecurity policy academy. The program provides technical assistance to the states to help them improve their defense capabilities.
West Virginia's first step in its broader attempt to improve cybersecurity will be this risk assessment, Spence said in the release.
“As the state seeks to optimize government services by leveraging technology, it is important the state understand the associated cyber-risk to ensure that the appropriate levels of protection are applied,” he said.
The new cybersecurity framework will “assist and provide guidance to agencies in cyber-risk strategy and setting forth other duties,” effectively getting everybody on the same page in regards to safety, according to the bill text.
The initiative is expected to take approximately two years to complete.