As states look forward to the federal stimulus funds from the American Recovery and Reinvestment Act of 2009, the National Association of State Chief Information Officers (NASCIO) warned CIOs and chief security officers yesterday to pay close heed to security standards and their security programs. The infusion of funds will likely come with a call for stricter controls. At the same time, the pressure on states to put this bolus of money into action will almost certainly create security risks, NASCIO said.
Indeed, the warning came as NASCIO released a new report aimed at giving state CIOs and chief information security officers (CISOs) a framework for dealing with the challenging array of security standards affecting state organizations.
The brief, "Desperately Seeking Security Frameworks -- A Roadmap for State CIOs," outlines 10 security standards, from the Sarbanes-Oxley Act and COBIT to the Payment Card Industry Data Security Standard and SAS 70, and their implications for state organizations.
While the overview includes information on how states are using these security standards to form their security programs (or not), the report's list of succinctly defined standards should also prove useful to IT executives in the private sector. The report offers eight "action items" that seem like they could apply to any CIO or CISO:
- Understand the complexity of overlapping standards.
- Select a foundational standard while expecting to reference others as needed.
- Start the "as is" assessment to identify existing gaps.
- Incorporate the standards by reference to the state's [or company's] security architecture.
- Understand related vertical standards and potential impacts on the enterprise as they evolve.
- Develop strong working relationships with state [read: company] auditors.
- Monitor, test and quantify compliance levels to ensure that standards and controls are working and effective.
- Work untiringly to educate members of the state [read: company] workforce about the role of security standards, and their own responsibility under those standards.
Let us know what you think about the story; email: Linda Tucci, Senior News Writer