State CIOs: Better security starts with a common language
- By William Jackson
- Oct 28, 2011
Budget cuts, IT reorganization and changes in administration are challenging state CIOs trying to ensure the security of their IT systems, according to a new report from the National Association of State CIOs.
“The fiscal condition of the states is slowly recovering from the Great Recession, but the security resources, processes, programs and technology that protect critical assets remain under stress,” states the report, which proposes a common taxonomy of a dozen core security services and tools for delivering them. The taxonomy is intended to provide common language for discussing and assessing security needs and programs.
States are moving from a system-centric to a services-centric view of IT, the report states. “The use of standard terminology to describe security services allows the CIO and the state [chief information security officer] to articulate service requirements clearly and accurately whether their environments are centralized, federated, decentralized or a hybrid.”
US-Russian dictionary defines cyber war, other concepts
NASCIO has been sounding the alarm on threats to state IT security for several years. A 2010 survey conducted with Deloitte found that IT security spending by states was below that of the private sector and trending downward, and many states had no enterprise security program but relied on siloed, agency-specific programs. These challenges are being compounded by changes in administration, with 27 new governors coming into office in 2011.
The consolidation and reorganization of IT programs under way in many states creates an opportunity to reassess security programs, and that requires an understanding of the basic security services and how to deliver them.
“Whether or not a state CIO has been in his or her position for a long period of time or has just come to the job, state chief information security officers need to be able to communicate quickly with CIOs and high-level policymakers to explain current resource commitments and to articulate new requirements in simple but compelling language,” the report states.
The taxonomy divides security services into governance, risk and compliance services, and operational security services. The list of categories is meant to be comprehensive, with the understanding that no single program might be doing all of the functions. The services are available to be applied in a risk management framework with appropriate risk assessment.
There might be disagreement about the list, but “it was agreed that NASCIO’s identification of this core would facilitate standardization across state programs,” the report states.
Core services identified are:
Governance, Risk, and Compliance Services
- Information security program management.
- Secure system engineering.
- Information security training and awareness.
- Business continuity.
- Information security compliance.
Operational Security Services
- Information security monitoring.
- Information security incident response and forensics.
- Vulnerability and threat management.
- Boundary defense.
- Endpoint defense.
- Identity and access management.
- Physical security.
The taxonomy provides a description of each service, with a list of key activities they involve and available tools for carrying them out.
The taxonomy is intended to be used to:
- Assess current programmatic capabilities, expenditures and weaknesses within each of the core IT security service areas.
- Inform discussions in light of IT consolidation efforts of the services that are best performed centrally versus those that are distributed.
- In decentralized environments, the taxonomy can be used as a common vocabulary across lines of agency authority and allow better assessment of the total costs being expended to fulfill the service requirement.
- Enhance the assessment of programs against those of other states and to identify potential services that can be performed through multistate collaboration.
- Ensure that security requirements are well-articulated and understood both on the provider side and the business side as states move to use of cloud computing services.