
Paper #3

Compare and Contrast Two State Government IT Security Policies

CSIA 360

UMUC

Professor Andrea Simpson

Eyassu Semegn

Due Date 09/27/2015


Introduction

State IT security programs are in constant flux, shifting as technology and threats change. The goal of such a program is to preserve the integrity of government data when it is delivered to the public, and to protect sensitive governmental data and information from public or otherwise unauthorized access, that is, to preserve its confidentiality. In short, the states work to maintain the confidentiality, integrity and availability of their data. However hard they try, the states face several obstacles in doing so. The first is a shortage of cybersecurity budget: budgetary shortfalls hit the states severely (nascio, 2009), and fighting newly developed and sophisticated threats with a low budget is not an easy task. The second is a shortage of cybersecurity professionals and experts. Only a limited number of professionals work in the various governmental offices. This scarcity stems partly from the limited number of graduates produced by universities and colleges, and partly from the fact that the states cannot compete with the private sector for qualified cyber specialists; private-sector salaries are far better than what government can offer. Together, the shortage of budget and the scarcity of professionals keep the states from fighting cybersecurity threats with full energy (nascio, 2009).

Even though each state has its own way of protecting data, the main goal of an IT security policy is the same: to protect non-public information from unauthorized modification, access, destruction or disclosure. An IT security policy is a document belonging to a particular governmental office (Rouse, 2014). A comprehensive IT security policy document explains how the agency protects and secures its confidential information technology assets. It may also describe how the organization plans to educate its employees, how IT security practices are enforced and carried out, and how security procedures are evaluated and checked for effectiveness so that the required adjustments and corrections can be made. An IT security policy is also referred to as a living document because it is continually updated and is never finished; whenever there is a change in technology or personnel, an update is crucial (tiaonline, 2015). Government offices mainly hold non-public data and personally identifiable information about citizens. Since the offices' information is confidential, every state has a comprehensive IT security and protection policy. How comprehensive that policy is varies from state to state according to financial resources, IT security procedures and techniques, the availability of qualified professionals and other factors. For instance, a wealthy state may have stronger IT security procedures, more advanced technology and more qualified cybersecurity professionals than a poorer one. This paper compares and contrasts the IT security policies of the State of Oklahoma and the State of Indiana, first covering the policy elements they have in common and then their differences.

The common IT security policies of the State of Oklahoma and the State of Indiana

The Oklahoma and Indiana IT security policies share several principles and methods. Some of the similarities are the following:

Incident management: The two states' policies handle and manage incidents and data breaches in a similar way. Both dictate how agencies must develop incident response plans. Agencies and organizations must create an internal incident response team to handle incidents, and that team should be the only group involved when an incident occurs. The team must act immediately, following the incident procedure. After the initial response, the team is expected to identify the source of the incident and address the underlying problem. If the incident is suspected to be cyber terrorism, the team immediately reports it to the FBI Joint Terrorism Task Force (JTTF) and the state's homeland security office (State of Oklahoma, 2008).

Business Continuity: A business continuity plan is the part of a contingency plan used to minimize or eliminate the risk of a business or service interruption, and both states' IT security policies cover it. The continuity plan is a strategy for replacing assets that are no longer available to provide the necessary service. Service disruption can be caused by natural disasters, a security breach or a loss of power, and it can be long-term or short-term. Both states' policies insist that the business continuity plan include advance preparation and a response plan for risks and service disruptions. During a disruption the service must continue at least at an acceptable level of functionality for the institution. When a disruption occurs the plan is put into effect immediately, following detailed procedures and guidelines. The plan also needs to be flexible enough to accommodate system modifications and service maintenance (State of Indiana, 2013).

Risk Management: The Oklahoma and Indiana IT security policies take the same position on risk management. According to both policies, the risk management plan consists of risk evaluation and assessment on one side and risk mitigation and control on the other. The risk assessment identifies, evaluates and assesses the risks in a particular agency's IT system; after the evaluation, it recommends how those risks can be reduced. Guided by the assessment process and its results, risk mitigation implements the various risk-reducing and controlling measures; it is the step that acts on the risks the system faces. After the mitigation process, the responsible person decides which risks need to be reduced further and which must be eliminated completely (State of Oklahoma, 2008).


The Policy Differences between the Two States

Although the Indiana and Oklahoma IT security policies have many similarities, they also have some differences.

The Unique Policy of Indiana

The responsibility of the CISO: According to the State of Indiana, the information security policy is to be drafted and developed by the Chief Information Security Officer (CISO) of the Indiana Office of Technology (IOT). The CISO is responsible for reviewing and updating the policy regularly and for making sure it serves the executive branch agencies as a minimum baseline (State of Indiana, 2013). The policy states that proper review and regular updates help mitigate IT security risk. The regularly updated policy must protect the state's information resources, and agencies must implement additional, stronger policies of their own as needed.

Collection and Protection of Data: The Indiana IT security policy insists that institutions collect confidential, personal or private information only when it is necessary. Without a solid reason or a legislative mandate, no state agency may collect confidential or personally identifiable information (State of Indiana, 2013). Once personal and confidential information has been collected and stored, it must be protected from unauthorized access and modification. To preserve the security of the data, agencies must establish data management rules and regulations. State agencies take full responsibility and accountability for the security and protection of the data they collect: if any confidential or personal information is compromised, the agency that collected the data is fully accountable. Following a compromise, all applicable laws apply to the agency and law enforcement may be engaged.


Granting information access to third parties: Unlike the State of Oklahoma, the Indiana IT security policy grants third parties access to information when they need it to do business (State of Indiana, 2013). During the business transaction the individual concerned must give his or her permission for the third party to access the particular data. The policy states that trusted third parties are granted the same level of authority as state agencies to protect state information, and they are also permitted to conduct business on behalf of the citizens of the state.

The Unique Policy of Oklahoma

On the other hand, the State of Oklahoma has some IT security policies that differ from Indiana's. Some of the differences are:

Awareness Training: The Oklahoma IT security policy describes in detail the need for awareness training on IT security measures and procedures. According to the policy, state agencies and institutions must train their employees to build IT security awareness and keep them current with technology changes. The policy insists that effective, ongoing awareness presentation programs be designed (State of Oklahoma, 2008). The main purpose of awareness and security training is to enable individuals to recognize IT security concerns and respond accordingly. Training employees through a formal program builds the skills and knowledge that improve their job performance, and when the training reaches a wide audience it creates awareness across the organization. Once every employee is aware of the security issues and threats, making reasonable and conscious decisions becomes easier for them.

Data Center Management: Another distinctive feature of the Oklahoma IT security policy is its treatment of data center management, which covers the largest part of the policy. This part mainly deals with how information is secured and managed using different systems and protocols (State of Oklahoma, 2008). Data center management also includes the physical assets, resources and facilities that fall within the IT domain. For instance, segregation of duties, capacity planning, system planning and acceptance, control of operational software and management of removable computer media are some of the responsibilities of the data center management function.

Publicly Available Systems: Furthermore, the Oklahoma IT security policy has a unique section called Publicly Available Systems, which addresses how information may be used publicly. The section states that before any information is published, agencies must follow certain laws, rules and regulations. The integrity of published information must be protected to prevent unauthorized publication. Most of the time agencies release information and software through their websites and other channels. Whether the release is electronically published data or software, it needs a digital signature or another control method (State of Oklahoma, 2008). The releasing body has full responsibility and accountability for the information it publishes.
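The requirement that electronically published data or software carry a digital signature can be shown concretely. The following Go program is an added example and is not code from either state's policy or from this paper: it signs a constructed sample release with an Ed25519 key from Go's standard library, verifies the detached signature, and shows that a tampered copy and a signature checked against the wrong public key are both rejected. The artifact record, its field names and the sample file contents are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// PublishedArtifact is a hypothetical record for one released item: the bytes
// an agency posts, the SHA-256 digest of those bytes, and a detached Ed25519
// signature over the digest. The type and field names are assumptions made for
// this example; neither state policy specifies a format.
type PublishedArtifact struct {
	Name      string
	Content   []byte
	Digest    [sha256.Size]byte
	Signature []byte
}

// Publish hashes the content and signs the digest with the release key. The
// signature is detached, so a small manifest can vouch for a large file.
func Publish(name string, content []byte, priv ed25519.PrivateKey) PublishedArtifact {
	digest := sha256.Sum256(content)
	return PublishedArtifact{
		Name:      name,
		Content:   content,
		Digest:    digest,
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// Verify re-hashes the bytes the reader actually holds and checks the detached
// signature with the publishing agency's public key. A modified file, a
// mismatched digest, or a signature made with some other key all yield false.
func Verify(a PublishedArtifact, pub ed25519.PublicKey) bool {
	digest := sha256.Sum256(a.Content)
	if digest != a.Digest {
		return false
	}
	return ed25519.Verify(pub, digest[:], a.Signature)
}

// RunDemo walks through the three cases a verifier cares about and returns the
// outcome of each: a genuine release, tampered content, and a signature checked
// against the wrong key. The sample document is constructed for this example.
func RunDemo() (genuine, tampered, wrongKey bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample: a released data file, not real agency data.
	release := Publish("budget-2015.csv",
		[]byte("agency,amount\nAgencyA,1200000\nAgencyB,850000\n"), priv)
	genuine = Verify(release, pub)

	// Someone with write access to the web server changes one figure.
	forged := release
	forged.Content = []byte("agency,amount\nAgencyA,1200000\nAgencyB,950000\n")
	tampered = Verify(forged, pub)

	// A signature checked against a key the agency never published must fail.
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	wrongKey = Verify(release, otherPub)
	return genuine, tampered, wrongKey, nil
}

func main() {
	genuine, tampered, wrongKey, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine release verifies:", genuine)
	fmt.Println("tampered content verifies:", tampered)
	fmt.Println("wrong public key verifies:", wrongKey)
}
```

In practice the agency distributes its public key out of band, for example on a separate page or in a certificate, and posts the signature or a signed manifest beside the file, so that a reader who obtains the file from a mirror or a cached copy can still confirm that the bytes are the ones the agency released.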

Compare and Contrast the State of Oklahoma and State of Indiana IT Security Policies

Both states provide sufficient, detailed and effective IT security policies and principles. Most of their policies and principles are very similar and closely related; the ideas they rest on and the issues they raise are very similar and sometimes identical, which makes it a little challenging to pick out the differences. There are, however, some slight differences between the two states. The State of Indiana states that the IT security policy is to be prepared by the Chief Information Security Officer (CISO) of the state or the agency, whereas the State of Oklahoma says nothing about the responsibility of the CISO. Indiana also explains in detail how information can be collected and protected securely and legally. In addition, its policy states that trusted third parties are granted authority to collect data when necessary during a business transaction, an issue the State of Oklahoma does not discuss.

Unlike the State of Indiana, the Oklahoma policy explains that creating awareness and giving employees proper IT security training is crucial and mandatory. The policy also states which laws agencies must follow before publishing any public data. Unlike Indiana, Oklahoma strictly requires agencies to take precautions to protect the integrity of public data both before and after it is published, and the agency that publishes the data is responsible for its integrity.

After comparing and contrasting both states' IT security policies, the State of Oklahoma has a slightly better policy than the State of Indiana for the following reasons. The Oklahoma policy does not grant third parties authority equal to the agencies' own to collect and protect sensitive information. The policy also explains thoroughly how crucial it is to give employees technology training and security threat awareness. Additionally, the policy not only describes how to secure sensitive information but also states how to handle public data. Finally, the State of Oklahoma uses many pictorial and tabular presentations, which help the reader understand the state's policy very easily.
Recommendations

- State and federal governments need to improve their cybersecurity efforts.

- State agencies need to build strong partnerships with the private and public sectors to prepare for current and emerging security threats.

- The federal government needs to create and stimulate effective cyber threat information sharing and awareness programs among state agencies and the private and public sectors.

- IT security policymakers should not only address how cyber threats can be mitigated; they should also provide information about the operational and physical or infrastructural work of cybersecurity.

- The US Congress should increase the states' yearly budget for cybersecurity research and development projects. An improved budget would greatly increase the IT security capacity of state agencies.

- Countries experienced in IT security practices should gather and work together to share their experience. The exchanged experience would help create IT security policies that are acceptable globally, both as a group and individually (tiaonline, 2015).


References

computing. (2015, 09 26). Desktop Computing Security Policies and Recommendations. Retrieved from sas.upenn.edu: https://www.sas.upenn.edu/computing/help/faculty_staff/desktop_security

nascio. (2009, 03 01). Desperately Seeking Security Frameworks: A Roadmap for State CIOs. Retrieved from nascio.org: http://www.nascio.org/publications/documents/Deloitte-NASCIOCybersecurityStudy_2014.pdf

Rouse, M. (2014). Security policy definition. TechTarget. Retrieved from http://searchsecurity.techtarget.com/definition/security-policy

State of Indiana. (2013, 01 10). State of Indiana Information Resources Policy and Practices. Retrieved from www.in.gov: http://www.in.gov/iot/files/Information_Security_Framework.pdf

State of Oklahoma. (2008, 12 01). Information Security Policy, Procedures, Guidelines. Retrieved from www.ok.gov: http://www.ok.gov/OSF/documents/StateOfOklahomaInfoSecPPG_osf_12012008.pdf

tiaonline. (2015, 09 26). Cybersecurity Recommendations for Critical Infrastructure and the Global Supply Chain. Retrieved from tiaonline.org: http://www.tiaonline.org/policy/securing-network-cybersecurity-recommendations-critical-infrastructure-and-global-supply
