Security & Privacy Committee Publications

Committee Publications:

The Heart of the Matter: A Core Services Taxonomy for State IT Security Programs
October 2011

To ensure that IT security remains robust in the current difficult budget environment, the National Association of State Chief Information Officers (NASCIO) has identified a taxonomy of core, critical IT security services to facilitate the analysis of requirements, sourcing options, and costs for delivering appropriate security. For each of the twelve services that were identified, the brief includes a description, a list of the key activities associated with the service, and a list of tools that commonly support service delivery.


State Cyber Security Resource Guide: Awareness, Education, and Training Initiatives
September 2011

For the 2011 observance of National Cyber Security Awareness Month, NASCIO has updated its Resource Guide for State Cyber Security Awareness, Education, and Training Initiatives. The guide includes new information from our state members, who provided examples of state awareness programs and initiatives. This is an additional resource of best-practice information, together with an interactive state map that allows users to drill down to the actual resources that states have developed or are using to promote cyber awareness. It includes contact information for the CISO, hyperlinks to state security and security awareness pages, and information describing cyber security awareness, training, and education initiatives.

The Resource Guide is a work-in-progress that should provide a valuable reference resource for Cyber Security Awareness Month, as well as the ongoing planning of security awareness and training efforts state programs may undertake thereafter.

Security at the Edge: Protecting Mobile Computing Devices, Part II: Policies on the Use of Personally Owned Smartphones in State Government
March 2010
Due to the pervasive use of personally owned smartphones in the U.S., practical concerns have arisen around state employee requests to use these devices for state business. The potential for security incidents and data breaches is a practical concern that state CIOs and CISOs must address when establishing security standards. While these devices make the work lives of employees less complicated, and perhaps reduce state IT acquisition costs, officials must once again face the classic dilemma of balancing risks and rewards. Policies on the Use of Personally Owned Smartphones in State Government highlights the trend toward states establishing security policies and standards for connecting personally owned smartphones to government networks.

Resource Guide for State Cyber Security Awareness, Education, and Training Initiatives
September 2009
For the observance of the sixth annual National Cyber Security Awareness Month, NASCIO has created a Resource Guide of examples of state awareness programs and initiatives. The compendium augments previously gathered information with data from a just-completed, short survey of state CISOs. It includes links to state security awareness pages, contact information for state CISOs, and information describing cyber security awareness, training, and education initiatives that target four categories: Executives/Elected Officials; Citizens; State Workers; and IT Security Personnel.

The Resource Guide is a work-in-progress that should provide a valuable reference resource for Cyber Security Awareness Month, as well as the ongoing planning of security awareness and training efforts state programs may undertake thereafter.

Security at the Edge — Protecting Mobile Computing Devices
July 2009
The business of government is increasingly conducted or supported by mobile computing devices as states adopt these tools to un-tether traditional office workers from their desks or employ them for a wide variety of purposes in the field. Use of mobile devices is so widespread that it is difficult to imagine how state governments can operate without them, given their increased computing power and the ease with which they may be integrated with state networks and databases via the Internet. At the same time, however, mobile devices are unusually vulnerable to loss, theft, misuse, or misconfiguration, which can and does lead to the loss of sensitive data. Security at the Edge highlights the risks associated with uncontrolled use of mobile devices, and targets the standards and procedural controls that allow state CIOs to better secure them.

Desperately Seeking Security Frameworks – A Roadmap for State CIOs
March 2009
State CIOs, chief security officers, and the IT security professionals who work with them face a challenging and sometimes confusing array of security frameworks – these may be pushed down by Federal agencies, issued by national or international standards bodies, promoted by industry as best practice, or in some instances, be written into law or federal regulation. Desperately Seeking Security Frameworks provides an overview of the primary security standards, regulations, and laws that impact state IT security programs, highlights how states have used the frameworks to shape their security architectures, policies, standards, and controls, and identifies the key issues for CIOs as they establish and maintain IT security programs.

Protecting the Realm: Confronting the Realities of State Data at Risk
September 2008
This brief underlines the criticality of managing states’ digital assets and identifies key, high-level elements for establishing better data security programs within states. The brief covers data ownership and governance issues, recommends grounding data protection efforts in states’ enterprise architecture frameworks, and outlines nine primary elements that a comprehensive data protection program must incorporate or address. It describes data classification frameworks that have been developed in both state and federal agencies, and includes summaries of operational data classification and security initiatives in the states of Ohio, Arkansas, and Iowa.

IT Security Awareness and Training: Changing the Culture of State Government
August 2007
Most state government employees use technology to do their daily work, yet they may not realize the dramatic consequences that can flow from one mistake. As data breaches and security incidents that originate from within state government appear to be on the rise, cultural change is needed. All state employees need to understand that IT security is everyone’s job and understand how to use the state’s IT resources in a way that does not create the risk of a security incident. NASCIO’s Research Brief, "IT Security Awareness and Training: Changing the Culture of State Government", highlights awareness and training activities that State CIOs can implement to avoid internal threats that can lead to a full-on state government crisis. To assist CIOs in pursuing these efforts, this brief includes many examples of awareness and training activities that are currently taking place in the states. This brief is a product of NASCIO’s Information Security and Privacy Committee.

Insider Security Threats: State CIOs Take Action Now!
April 2007
This brief examines the often overlooked threats from within. Media attention has focused primarily on external threats with federal government and industry reports revealing alarming hacking and identity theft statistics. However, threats from within both public and private sector organizations may be even more prevalent than external threats and can have equally if not more serious consequences.

This brief discusses five significant insider threats and provides insight on ways to prevent, detect and respond to them. The threats are as follows:

  • Malicious Employees
  • Inattentive, Complacent or Untrained Employees
  • Contractors and Outsourced Services
  • Insufficient IT Security Compliance, Oversight, Authority and Training
  • Pervasive Computing: Technology is Everywhere and Data is on the Move

Keeping the Citizen Trust: What a State CIO Can Do To Protect Privacy
October 2006
This Research Brief examines how privacy in the state government context has evolved as a defining issue in response to rapidly changing technological advances and the complexities of a fast-paced world. The brief then explores some initial areas in which a state CIO may encounter privacy issues, including in the context of IT governance, enterprise architecture, policy, security and business processes, and offers some potential ways of addressing those issues.

A Current View of the State CISO: A National Survey Assessment
September 2006
These aggregate survey results reflect a snapshot of the state CISO role as of summer 2006. The survey results indicate that the state CISO position has become highly prevalent and is evolving into a state IT security policy and strategy leader. The survey was conducted during the preparation of NASCIO's July 2006 Research Brief entitled Born of Necessity: The CISO Evolution--Bringing the Technical and the Policy Together.

Born of Necessity: The CISO Evolution--Bringing the Technical and the Policy Together
July 2006

This brief examines the role of the state Chief Information Security Officer (CISO) as it has evolved in response to the growing complexities of the IT threat environment, homeland security concerns, and the increasing demands for enhanced citizen services. Specific points this brief addresses include critical success factors for state CISOs, the importance of a CISO’s relationship-building across the state and among levels of government, and a few predictions on the future evolution of the state CISO.

The IT Security Business Case: Sustainable Funding to Manage the Risks
May 2006

This brief takes a holistic approach to constructing the case for enterprise IT security investment by outlining for the state CIOs the following steps:

  • Understanding state government’s IT environment that drives the need for security
  • Starting with an enterprise-wide IT risk assessment
  • Making the case for IT security through demonstrating the risks (bolstered by the IT risk assessment results), the benefits of security, and how security aligns with the state’s business needs.

Findings from NASCIO’s Cybersecurity Survey
January 2006

The Year of Working Dangerously: The Privacy Implications of Wireless in the State Workplace—Part II
September 2005
Part II of this brief provides privacy policy and security measures to help states address the potential privacy implications of wireless technologies identified in Part I.

The Year of Working Dangerously: The Privacy Implications of Wireless in the State Workplace—Part I
August 2005
Part I identifies the privacy implications of wireless technologies in the state workplace, including the privacy implications of mobile technologies such as laptop computers, PDAs and other similar devices.

TLK2UL8R: The Privacy Implications of Instant and Text Messaging Technologies in State Government
May 2005
This brief explores the privacy implications of Instant Messaging (IM) applications—both consumer and enterprise-grade—in the context of the state workplace. It also addresses the privacy implications of text messaging and chat technologies.

Welcome to the Jungle: The State Privacy Implications of Spam, Phishing and Spyware
February 2005
This brief explores the privacy implications for state government created by the threats of spam, phishing and spyware and potential ways of preventing and mitigating this triple threat to state IT systems.

The Real Phantom Menace: Spyware and its State Implications
January 2005
This brief addresses the security, privacy, citizen trust and business process-related implications of spyware and other forms of malware for state government IT systems and suggests some potential technical, legal and awareness-raising solutions for the menace of malware.

Who Are You? I Really Wanna Know: E-Authentication and its Privacy Implications
December 2004
This brief explores the business drivers behind e-authentication and the privacy implications that states and others should consider in pursuing e-authentication efforts.

Think Before You Dig: The Privacy Implications of Data Mining & Aggregation
September 2004
This brief examines the business benefits and privacy issues related to government’s use of data-mining technologies. It also takes a look at high-profile government data-mining programs and suggests ways to infuse privacy protections and transparency into government’s use of data-mining technologies.

HAVA (the Help America Vote Act 2002)—A Briefing Paper
April 2004
This briefing paper provides an overview of the Help America Vote Act of 2002 (HAVA) and explores its IT-related challenges as well as NASCIO’s role in helping states to implement the Act.

Information Privacy: A Spotlight on Key Issues
February 2004
NASCIO is pleased to announce the release of its newest publication, Information Privacy: A Spotlight on Key Issues. This publication, produced by the Privacy committee, serves as a resource for states developing privacy policies that protect citizen information and are compliant with federal and state legal requirements. This publication highlights key issues in the following areas of privacy: Children’s Information, Drivers’ Information, Health Information, Financial Information, Education Information, Social Security Numbers, Homeland Security-Related Information, Website Privacy Policies, and Government Data Matching Activities and Agreements.

In addition, the publication includes state examples for many of these areas of information privacy, an overview of recent privacy events at the federal level and a glossary of privacy related terms.

Federal Privacy Law Compendium, Version 1.0
April 2003
To help states identify and assess federal laws that may have privacy implications for their information systems and policies, the NASCIO Privacy Committee has developed the Federal Privacy Law Compendium, Version 1.0. It is intended to serve as a resource for summaries of federal laws that may have an impact on the privacy of citizens’ information that is entrusted to state government. The Federal Privacy Law Compendium provides a starting point for states in their assessment of whether the summarized federal privacy laws will impact state information system operations and/or policies.

The Federal Privacy Law Compendium summarizes ten federal laws that deal with the privacy of information and highlights instances of potential impact on state government. The federal privacy laws summarized are:

  • The Children’s Online Privacy Protection Act of 1998
  • The Computer Fraud and Abuse Act of 1984
  • The Computer Matching & Privacy Protection Act of 1988 & Amendments of 1990
  • The Driver’s Privacy Protection Act of 1994
  • The Electronic Communications Privacy Act of 1986
  • The Fair Credit Reporting Act of 1970
  • The Family Educational Rights and Privacy Act of 1974
  • The Gramm-Leach-Bliley Financial Services Modernization Act of 1999
  • The Health Insurance Portability and Accountability Act of 1996
  • The Privacy Act of 1974

Proposed GSA Rule: New Policy on the .gov Domain
May 2002
This brief provides an overview of the Proposed Rule promulgated by the U.S. General Services Administration (GSA) that made the .gov Top-Level Internet domain available for states, local governments and Native Sovereign Nations to register domain names for their official government websites.
