State Governments Lack Control over Data Security
Improving security is going to be tough, since most states are in fiscal trouble.
There has been talk lately about pending federal legislation on cybersecurity and the potential for some national standards on how data is protected.
It seems that individual states also need to get into the act because, apparently, state agencies believe risk management works in a vacuum. According to an article at SearchSecurity.com, security programs in state government lack oversight across agencies, and there are few to no direct reporting lines from agency security offices to the state CISO. Robert Westervelt wrote:
Many state CISOs lack the authority to ensure personally identifiable information (PII) is protected in all agencies and departments, according to a new study that analyzes cybersecurity readiness at the state level. The lack of authority is resulting in the failure of states to adequately measure the effectiveness and progress of security programs and security program management, according to the 2010 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study.
When you think about how much PII state governments hold, it would be nice if states could make security a higher priority. Or at least come up with a security policy that encourages conversation between agencies so everyone is working toward the same goal.