States called to action on security
- By Dibya Sarkar
- Jul 24, 2002
Promoting information technology security as a "way of life," a new report
is urging state governments to look at better governance and enterprise
architecture models, deploy enhanced technologies to measure and prevent
cyberattacks, and share data with other critical groups.
The report, "Public-Sector Information Security: A Call to Action for
Public-Sector CIOs," was issued by the National Association of State Chief
Information Officers (www.nascio.org) and funded
by the PricewaterhouseCoopers Endowment for the Business of Government.
John Lainhart, a PwC Consulting partner responsible for the group's
information assurance practice, said the report should serve as a comprehensive
roadmap to view IT governance not just as a technology issue, but also from
a management perspective.
"It's a new topic. It's cutting edge if you will," said Lainhart, adding
that governors and state legislatures have to come up to speed about the
necessity for IT security. "It's clearly a huge problem for the states."
The report, written by former Kansas CIO Don Heiman and released July
23, spells out 10 recommendations to boost IT security:
* Develop an enterprise IT governance model including representatives
from all branches of state government.
* Develop measures of success and best practices.
* Adopt IT control objects to manage, implement and maintain systems.
* Develop metrics to precisely measure intrusions, breaches, penetrations,
and vulnerabilities and share such confidential information with appropriate
* Develop an enterprisewide IT architecture that includes cybersecurity.
* Create a business case for security, including a full risk assessment
of critical infrastructure vulnerabilities, inventory of critical systems
and assets and gap analysis.
* Implement appropriate security technologies depending on the asset.
* Develop a state security portal for coordinating emergency response.
The portal should integrate with emergency technologies.
* Establish an interstate information sharing and analysis center to
help coordinate state responses to cyberattacks.
* Develop model legislation to allow local, state and federal entities
to share confidential security incident reports among themselves and private
groups that support critical infrastructures.
With up to 45 states grappling with revenue shortfalls, the issue may
have a difficult climb.
"This is a problem particularly for the states because of the budget
crunches in the states and it's got to be put into a priority order," said
Lainhart, who also sits on the nonprofit IT Governance Institute board,
which is promoting the issue.
"They've got to look at this and identify their significant needs and
put the funds there and certainly we've said in the report they need some
help from the federal government. That's what Congress is considering right
now in homeland security legislation," he said.