Security standards to help manage compliance for those federal funds


Linda Tucci, Senior News Writer
As states look forward to the federal stimulus funds from the American Recovery and Reinvestment Act of 2009, the National Association of State Chief Information Officers (NASCIO) warned CIOs and chief security officers yesterday to pay close heed to security standards and their security programs. The infusion of funds will likely come with a call for stricter controls. At the same time, the pressure on states to put this bolus of money into action will almost certainly create security risks, NASCIO said.


"The infusion of federal dollars coming as a consequence of the American Recovery and Reinvestment Act puts significant new pressures on state IT programs to support recovery programs and services. It also increases the likelihood that the federal government will impose stricter security controls as part of broader concerns about transparency and accountability in the use of recovery monies," said Colorado CIO Mike Locatis, co-chair for the NASCIO Security and Privacy Committee, in a statement. "This heightens the need for states to understand existing and new IT security standards to ensure that their programs employ and integrate these as necessary."

Indeed, the warning came as the NASCIO released a new report aimed at giving state CIOs and chief information security officers (CISOs) a framework for dealing with the challenging array of security standards affecting state organizations.

The brief, "Desperately Seeking Security Frameworks -- A Roadmap for State CIOs," outlines 10 security standards and their implications for state organizations. The list mixes legislation, control frameworks and audit standards under the one heading, ranging from the Sarbanes-Oxley Act and COBIT to the Payment Card Industry Data Security Standard (PCI DSS) and SAS 70.

While the overview includes information on how states are using these security standards to form their security programs (or not), the report's list of succinctly defined standards should also prove useful to IT executives in the private sector. The report offers eight "action items" that seem like they could apply to any CIO or CISO:

  1. Understand the complexity of overlapping standards.
  2. Select a foundational standard while expecting to reference others as needed.
  3. Start the "as is" assessment to identify existing gaps.
  4. Incorporate the standards by reference to the state's [or company's] security architecture.
  5. Understand related vertical standards and potential impacts on the enterprise as they evolve.
  6. Develop strong working relationships with state [read: company] auditors.
  7. Monitor, test and quantify compliance levels to ensure that standards and controls are working and effective.
  8. Work untiringly to educate members of the state [read: company] workforce about the role of security standards, and their own responsibility under those standards.
