Indeed, the warning came as NASCIO (the National Association of State Chief Information Officers) released a new report aimed at giving state CIOs and chief information security officers (CISOs) a framework for dealing with the challenging array of security standards affecting state organizations.
The brief, "Desperately Seeking Security Frameworks -- A Roadmap for State CIOs," outlines 10 security standards, from the Sarbanes-Oxley Act and COBIT to the Payment Card Industry Data Security Standard and SAS 70, and their implications for state organizations.
While the overview includes information on how states are (or are not) using these security standards to form their security programs, the report's list of succinctly defined standards should also prove useful to IT executives in the private sector. The report offers eight "action items" that could apply to any CIO or CISO:
- Understand the complexity of overlapping standards.
- Select a foundational standard while expecting to reference others as needed.
- Start the "as is" assessment to identify existing gaps.
- Incorporate the standards by reference to the state's [or company's] security architecture.
- Understand related vertical standards and potential impacts on the enterprise as they evolve.
- Develop strong working relationships with state [read: company] auditors.
- Monitor, test and quantify compliance levels to ensure that standards and controls are working and effective.
- Work untiringly to educate members of the state [read: company] workforce about the role of security standards, and their own responsibility under those standards.
Let us know what you think about the story; email: Linda Tucci, Senior News Writer