Educating those in Public Service
According to NASCIO, an important aspect to cyber security is education and training of those employed by the state. NASCIO, the National Association of State Chief Information Officers, released a brief earlier this year outlining the need for security awareness in state government, explaining to CIOs that "IT security awareness and training may avert your next crisis."
The State of Michigan has recognized this need for training. In the state Department of Information Technology's 2007-2010 Office of Enterprise Security Strategic (OES) Plan (PDF), they have included a section on Training and Culture designed to reach three specific security goals: "raise awareness, enhance staff skills and improve over time."
"All of the work involved in creating a solid risk management and business continuity plan are worthless without a comprehensive awareness and training program for the individuals who are carrying out this plan. Therefore the development and implementation of a comprehensive training plan for everyone in MDIT [Michigan Department of Information Technology] -- from employees to supervisors and functional managers to executive-level managers -- is paramount," the plan says.
Informing the Public and Protecting Their Personal Data
Back in June, Ohio had a data breach. A computer back-up device was stolen, but is believed never to have been accessed. While most data breaches are treated as a national disaster, complete with panic, Ohio's IT professionals jumped into action to secure the citizens' data. A Web site was designed to give the people all the necessary information on ID theft and to keep them informed of the government's progress.
"Our review of the information in the stolen data device will continue until we have determined ... that we have identified every piece of sensitive information contained in the device," Governor Ted Strickland said in June. "We will continue to inform the public as new information becomes available."
People who logged on to the site were pointed to various credit-check businesses. The information was broken down into sections for taxpayers, state employees -- both current and retired -- vendors, school districts and local governments that may have been affected by the data theft. Basic information on data protection was also made available to the citizens.
Ohio learned from this incident, and one week later Strickland issued an executive order requiring all state agencies to utilize a secure method of storage for sensitive computerized data. To this end, Ohio has a site with security resources for state employees, including information on various executive orders and security requirements such as data encryption/cryptography and securing sensitive data.
Keeping Kids Safe Online
One of the best state-run kids cyber safety education Web sites is Pennsylvania Attorney General Tom Corbett's. The site uses age specific (elementary, middle school and high school) materials, such as cartoons and testimonials, to teach Internet safety. "Legal Eye the Firefly" helps the younger children learn about cyber bullying and they can take online quizzes to test their Internet smarts. The high and middle school sites include an Internet Safety contract where the kids can pledge to stay safe online, a video of Internet safety tips as well as links where children can report inappropriate online incidents such as someone sending inappropriate materials or attempting to meet with them.
"You even have a chance to become an official Attorney General," Corbett tells children in a special welcome message to K-5th graders. "It's very important for you to learn how to be safe while using the Internet."
These are only a few examples of what states are doing to improve cyber security. Hopefully others can take these examples and develop their own programs and solutions -- there's always more to be done.
