States called to action on security

• By Dibya Sarkar
• Jul 24, 2002

Promoting information technology security as a "way of life," a new report is urging state governments to look at better governance and enterprise architecture models, deploy enhanced technologies to measure and prevent cyberattacks, and share data with other critical groups.

The report, "Public-Sector Information Security: A Call to Action for Public-Sector CIOs," was issued by the National Association of State Chief Information Officers (www.nascio.org) and funded by the PricewaterhouseCoopers Endowment for the Business of Government.

John Lainhart, a PwC Consulting partner responsible for the group's information assurance practice, said the report should serve as a comprehensive roadmap to view IT governance not just as a technology issue, but also from a management perspective.

"It's a new topic. It's cutting edge if you will," said Lainhart, adding that governors and state legislatures have to come up to speed about the necessity for IT security. "It's clearly a huge problem for the states."

The report, written by former Kansas CIO Don Heiman and released July 23, spells out 10 recommendations to boost IT security:

* Develop an enterprise IT governance model including representatives from all branches of state government.

* Develop measures of success and best practices.

* Adopt IT control objects to manage, implement and maintain systems.

* Develop metrics to precisely measure intrusions, breaches, penetrations, and vulnerabilities and share such confidential information with appropriate groups.

* Develop an enterprisewide IT architecture that includes cybersecurity.

* Create a business case for security, including a full risk assessment of critical infrastructure vulnerabilities, inventory of critical systems and assets and gap analysis.

* Implement appropriate security technologies depending on the asset.

* Develop a state security portal for coordinating emergency response. The portal should integrate with emergency technologies.

* Establish an interstate information sharing and analysis center to help coordinate state responses to cyberattacks.

* Develop model legislation to all local, state and federal entities to share confidential security incident reports among themselves and private groups that support critical infrastructures.

With up to 45 states grappling with revenue shortfalls, the issue may have a difficult climb.

"This is a problem particularly for the states because of the budget crunches in the states and it's got to be put into a priority order," said Lainhart, who also sits on the nonprofit IT Governance Institute board, which is promoting the issue.

"They've got to look at this and identify their significant needs and put the funds there and certainly we've said in the report they need some help from the federal government. That's what Congress is considering right now in homeland security legislation," he said.