NASCIO Issues Better Data Security Through Classification: A Game Plan for Smart Cybersecurity Investments

The National Association of State Chief Information Officers (NASCIO) today released Better Data Security Through Classification: A Game Plan for Smart Cybersecurity Investments. The brief, a joint project between NASCIO’s Cybersecurity Committee and Data Protection Working Group, explains why a risk based cybersecurity approach is the most beneficial to state government data. When states take a risk based approach they improve operational efficiency, assessments are more accurate, attack surfaces are reduced and decision making is improved. As the brief states, taking an enterprise mentality brings together previously silo-based security and IT tools and allows for ongoing and continuous data monitoring and assessing. 

Data is critical to state government and why state chief information officers (CIOs) ranked data management and analytics-e.g. data governance; data architecture; strategy; business intelligence; predictive analytics; big data; roles and responsibilities-as a top priority for 2017 ( Additionally, in the 2016 State CIO Survey, 42% of state CIOs characterized data governance as high on their strategic and operational plan.

“A risk-based approach to cybersecurity is ideal for state governments because it enables incremental and measurable improvement. Data classification is a critical step in the process of understanding the critical data we protect,” said Mark Raymond, NASCIO President and CIO of the State of Connecticut. 

Today, it is not uncommon for the true and core value of a state to reside in its data assets, specifically the information it collects, develops, and stores, and in the products it develops and sells that are comprised of the data, or derived from the data. We live in the information age. Information is the fuel for the engine that propels virtually every decision that is made in business today. Once data is classified, there are additional steps that can and should be taken to realize all the benefits of classification, so this guide is intended to provide a path into what can become a “life-cycle” type of exercise, repeating at periodic intervals on into the future, rather than a project that becomes final, or “completed.” Systems and system data continue to change, so classification of the data must be updated in order to remain accurate and useful.

Read the brief at