Cybersecurity : Infrastructure Protection and Cybersecurity News, Information, and Analysis
Updated: 9/3/2002; 7:18:55 AM.
Monday, August 05, 2002

Public Sector Information Security

Don Heiman, former CIO of the State of Kansas, was commissioned by NASCIO and PricewaterhouseCoopers to prepare this report, entitled Public Sector Information Security: A Call to Action for Public-Sector CIOs. The report argues that in order to exercise effective enterprise and IT governance, agency heads and the agency's executive management team must have a clear understanding of what to expect from their enterprise's information and security programs. Executive management typically has only a vague idea of what issues are associated with information security. Utah has already implemented many of Heiman's recommendations to some degree. The remainder will probably be included in the enterprise cybersecurity and homeland security projects to be initiated in September.

Heiman's 10 recommendations for enterprise security:

Management:

1. Make sure everyone is at the table. Develop an IT governance structure that is inclusive of all stakeholders. The structure should include security governance at the enterprise level and it should bring to the policy table emergency response and audit leadership. All branches of state government and local units of government should be represented in order to develop policies, set standards, and establish enterprise-level security plans.

2. Develop measures for enterprise success. Implement enterprise planning for security outcomes, including measures for success and best practices for setting and performing tasks, and commit to sharing resources for the good of the whole.

3. Adopt IT control objectives to manage, implement, and maintain IT systems.

4. Develop security metrics that accurately measure unwanted intrusions, security breaches, penetrations, and vulnerabilities. The reporting should be shared at a summary level with the executive, legislative, and judicial branches of state government as well as with other governmental organizations. The reports should be confidential to government communities.

5. Develop state enterprise-IT architectures that include security as an underlying domain with disciplines based on engineering standards, best practices, and accepted architecture-setting methodologies. The architectures should underlie the various IT domains and include physical security.

6. Develop a business case for security based on a full risk assessment of critical-infrastructure vulnerabilities. The risk assessment should include a complete inventory of critical systems and assets. It should also involve a gap analysis between actual and ideal security levels for the identified systems and related assets.

Technology:

7. Deploy automated and manual security technologies based on asset inventories and application criticality, including security levels derived from the enterprise architecture for IT.

8. Develop a state security portal that integrates with emerging technologies for emergency response such as intelligent roads and radio-frequency infrastructure. The state security portal should have a public access site as well as a private enterprise site for coordinating emergency response.

Homeland Security:

9. Establish an interstate security information sharing and analysis center (interstate ISAC) funded at least partially by the federal government. The interstate ISAC, building on the federal-sector ISAC model, will assist states in analyzing security breaches, repairing affected systems, reporting security alerts, providing clearinghouse services for progressive practices, and interfacing with appropriate federal entities.

10. Develop model state legislation that allows local, state, and federal entities to confidentially share security incident reports among themselves and with other ISACs supporting the nation’s critical-infrastructure owners and operators.

State CIOs ready plans for security center - FCW


8:44:46 AM    

NIPC and the National Association of State Chief Information Officers (NASCIO) Agree on Cooperative Security Efforts

On July 25th, NASCIO signed an agreement with the National Infrastructure Protection Center (NIPC) to create an Interstate Information Sharing and Analysis Center that will facilitate the sharing of critical information. According to the FBI, this partnership between NASCIO and the NIPC will allow vital security-related information to move more effectively between the multi-agency NIPC, based at FBI headquarters in Washington, DC, and the states through their chief information officers (CIOs). This places CIOs in the middle of key homeland security issues. Two enterprise initiatives are being developed in Utah as part of Governor Leavitt's new IT initiative, one on homeland security, with a second focused on enterprise computer security. Developing appropriate interfaces with this new ISAC should be part of both projects, which will be presented to the cabinet in September.

Ron Dick, director of the NIPC stated,

"We must be able to give the states the most comprehensive and timely threat assessments and warnings we possibly can, so they can take actions to protect their critical infrastructures, and minimize the potential loss of life and property. Advance knowledge of the target area and the type of attack (bomb, chemical, radiological, biological and/or cyber) can make a vital difference in their readiness to prevent, and mitigate the consequences of an attack. The intelligence, law enforcement and other agencies that make up the NIPC are committed to giving the states that vital edge."

NASCIO leaders stated that "over time NASCIO will work with the states and federal partners, such as NIPC, to develop this Interstate ISAC function into a national model for two-way trusted exchange of information in order to analyze and disseminate actionable intelligence on threats, attacks, vulnerabilities, anomalies, and security best practices involving the continuity of state governments."

More on this issue can be found in Federal Computer Week
Utah's Cybersecurity Information Center


7:49:35 AM    


© Copyright 2002 David Fletcher.
