As states look forward to the federal stimulus funds from the American Recovery and Reinvestment Act of 2009, the National Association of State Chief Information Officers (NASCIO) warned CIOs and chief security officers yesterday to pay close heed to security standards and their security programs. The infusion of funds will likely come with a call for stricter controls. At the same time, the pressure on states to put this bolus of money into action will almost certainly create security risks, NASCIO said.
"The infusion of federal dollars coming as a consequence of the American Recovery and Reinvestment Act puts significant new pressures on state IT programs to support recovery programs and services. It also increases the likelihood that the federal government will impose stricter security controls as part of broader concerns about transparency and accountability in the use of recovery monies," said Colorado CIO Mike Locatis, co-chair for the NASCIO Security and Privacy Committee, in a statement. "This heightens the need for states to understand existing and new IT security standards to ensure that their programs employ and integrate these as necessary."
Indeed, the warning came as the NASCIO released a new report aimed at giving state CIOs and chief information security officers (CISOs) a framework for dealing with the challenging array of security standards affecting state organizations.
The brief, "Desperately Seeking Security Frameworks -- A Roadmap for State CIOs," outlines 10 security standards, from the Sarbanes-Oxley Act and COBIT to the Payment Card Industry Data Security Standard and SAS 70, and their implications for state organizations.
While the overview includes information on how states are using these security standards to form their security programs (or not), the report's list of succinctly defined standards should also prove useful to IT executives in the private sector. The report offers eight "action items" that seem like they could apply to any CIO or CISO:
- Understand the complexity of overlapping standards.
- Select a foundational standard while expecting to reference others as needed.
- Start the "as is" assessment to identify existing gaps.
- Incorporate the standards by reference into the state's [or company's] security architecture.
- Understand related vertical standards and potential impacts on the enterprise as they evolve.
- Develop strong working relationships with state [read: company] auditors.
- Monitor, test and quantify compliance levels to ensure that standards and controls are working and effective.
- Work untiringly to educate members of the state [read: company] workforce about the role of security standards, and their own responsibility under those standards.
Let us know what you think about the story; email: Linda Tucci, Executive Editor.