Cybersecurity and the Storage of Critical Information
Cybersecurity has posed a challenge to the storage of critical information for both private and public institutions. State governments manage a wide range of information that is critical to the public and thus to the government. In most situations, state governments are in charge of handling data about citizens, such as social security numbers, tax and financial information, and social security numbers (National Conference of States Legislatures, 2017). As a result, interventions in securing information from cybercriminals are required. State governments' initiatives include the development of security policies to ensure the safety of IT information. The purpose of formulated policies is that they lay a framework or the guidance to be adhered to by the state agencies in ensuring that the information handled is profoundly secured. The importance of IT security is that it allows the state government to have a written strategy on the protection and maintenance of the information technology system.
The Need for Comprehensive IT Security Policies
Every state or nation should have comprehensive IT security policies to assist in risk and intrusions, as well as outlining the responsibility of the state organs in the safety of handling information. Additionally, cybercriminals are always attracted to the information handled by the government to frustrate or disrupt essential matters of the state. For that reason, therefore, there is a need for each state to protect information and maintain public trust in handling their information. For the case of the US, all states are expected to be submitting published IT Strategic plans to address cybersecurity issues (Dawson & Desouza, 2015). Ideally, the security policy formulated seeks to provide integrity, confidentiality, and availability of the handled information (Hostland, Enstad, Eilertsen, & Boe, 2010).
State Of Oklahoma and State of Nevada Information Security
The states of Oklahoma and Nevada are two examples of states in the US that have seen the need to formulate measures to protect information. Both states have bodies that work within their jurisdiction to form and follow up matters related to information security and cybercrimes. In the case of the State of Nevada, several laws have been used in formulating cybersecurity policies. This includes; Nevada Revised Statue 242.101, the Clinger-Cohen Act of 1996, and Federal Information Security Management Act of 2002 (State of Nevada, 2017). On the other hand, the State of Oklahoma policies and security procedures are governed by the Office of State Finance under several regulations related to duties of the information system division (Office of State Finance, 2011). This policy is supported by the Federal Information Security Management Act of 2002 (FISMA Act 2002) which gives guidance and procedures on the selection of appropriate control of the information system (NASCIO, 2009). Both documents recognize the importance of the physical and environmental information security. In that case, therefore, the information facilities are monitored to reduce environmental risk exposure threats. Another aspect supported by the two security policies is the importance of awareness and training of the various issues related to cyber threats so that the state agencies would know about risk detection and mitigation strategies. In fact, training and awareness have been outlined as significant cybersecurity initiatives that need to be considered (Deloitte-NASCIO, 2016).
State Of Oklahoma IT Policy Document
This policy document acknowledges that the information handled by the state is a property of the state and therefore the information or data relies primarily on confidentiality and integrity. The policy, therefore, provides guidelines that govern the performance of the information. According to this policy, the information should be used solely for its intended purposes (Office of State Finance, 2011). Therefore, any disclosure must adhere to this rule such that the release of information is strictly for related jobs by accredited state officers. Another unique feature of this policy is that state agencies are required to use best practices in password management such as changing passwords at regular intervals and not sharing the passwords with other state officers. This policy requires the state agency to have full responsibility for maintaining the integrity, accuracy, and authenticity of the information. The policy also highlights management criteria that allow the Office of State Finance to be solely responsible for direction and leadership in all phases of cybersecurity. However, the Office of State Finance delegates some aspects to the hosting Agency Security such as incident management which ensures quick and orderly responses (Office of State Finance, 2011). Also, the document mandates the hosting agencies with the jurisdiction to reduce risk to all information assets by providing options analyzed alternatives.
The State of Nevada Policy Document
One of the unique features of this document is that the management security incidents involve the reports of the employees concerning the incident to the Information security Officer and to their appropriate manager (State of Nevada, 2017). Secondly, the security initiatives are not centralized since they are coordinated by appointed representatives from different areas within the state office. Also, for disclosure purposes of state employees and IT contractors, the document recommends the screening of employees so that the background information is made available. These credentials are processed by the department of public safety as well as the interventions from the Federal Bureau of Investigation (State of Nevada, 2017). In fact, unfavorable results from this screening lead to termination employ. Another important feature of this document is that it recognizes the inventory assets concerning informational technology. In that respect, therefore, the selected state entities are mandated to maintain these assets which are categorized into physical assets, software assets, and information assets (State of Nevada, 2017).
Comparison Between the Two Policies
The State Of Nevada security document has provided necessary policies that can be adopted by other policymakers. This is because the document is structured in a superior way to address some of the security-related issues such as threats from the external sources (State of Nevada, 2017). External sources of threats, in this case, refer to the employees and IT contractors. The two IT security documents provided the backup measures but failed to project the disposal criteria comprehensively. For instance, some of the information in the workstation of the state agencies may be transitory causing massive accumulation of data (Tolson, 2015). The buildup of information increases storage cost as well as the threats associated with eDiscovery. Therefore, an ideal policy, therefore, should consider recycling or disposal of unwanted information. The State of Nevada security policy outlines a special incident management than the Oklahoma security policies. Although the two acknowledge this fact, Oklahoma only provides the department with the responsibility to detect risk. Risk handling, therefore, should be a major consideration that should primarily rely on reporting the breaches of security policies (Perkins, 2017). The framework from both documents failed to show a collaborative aspect between the user or the state agencies and the managers or overseers of the overall policies. This fails to address a critical matter related to a secured information system that can be mitigated by a comprehensive analysis of security threats (Tittel & Kyle, 2010).
Conclusion
The increasing threats to the information assets have necessitated the need for all states to develop comprehensive and updated cybersecurity policies. The rationale of such interventions is to create guidelines that ensure the proper handling of public or state information, which fosters credibility, confidentiality, availability when needed, and integrity. The paper recommends the formulation of policies to accommodate sources of funding since this might lead to a possible breach of policies. A critical insight that needs to be included in the policies is the idea of employee screening since it is important in isolating possible threats to information in the state agencies.
References
Office of State Finance. (2011, March 1). State of Oklahoma information security policy, procedures, guidelines. Retrieved from ok.gov: https://www.ok.gov/OSF/documents/StateOfOklahomaInfoSecPPG_osf_12012008.pdf
Dawnson, G., & Desouza, K. (2015, March 5). How state governments are addressing cybersecurity. Retrieved from techtank: https://www.brookings.edu/blog/techtank/2015/03/05/how-state-governments-are-addressing-cybersecurity/
Deloitte-NASCIO. (2016 ). State government at risk: Turning strategy and awareness into progress. Deloitte University Press.
Hostland, K., Enstad, P., Eilertsen, O., & Boe, G. (2010, October). Information security policy. Retrieved from geant: https://services.geant.net/sites/cbp/Knowledge_Base/Security/Documents/gn3-na3-t4-ufs126.pdf
NASCIO. (2009, March). Desperately seeking security frameworks- a roadmap for state CIOs. Retrieved from nascio.org: http://www.nascio.org/Portals/0/Publications/Documents/NASCIO-SecurityFrameworks.pdf
National Conference of States Legislatures. (2017, January 16). Data security laws: state government. Retrieved from NCSL: http://www.ncsl.org/research/telecommunications-and-information-technology/data-security-laws-state-government.aspx
Perkins, J. (2017). Policy: Information security policy. London: LSE.
State of Nevada. (2017, March 30). State of Nevada Information security program policy 100 Rev c. Retrieved from nv.gov: http://it.nv.gov/uploadedFiles/ITnvgov/Content/Governance/dtls/Standards/100StateConsolidatedPolicy.pdf
Tittel, E., & Kyle, M. (2010, November 8). The Ideal Security Professional. Retrieved from Pearson IT certification: http://www.pearsonitcertification.com/articles/article.aspx?p=1641703
Tolson, B. (2015, May 20). The Lifecycle of Information – Updated. Retrieved from information governance: https://informationgaovernance101.com/2015/05/20/the-lifecycle-of-information-updated/
