CSIA 360
UMUC
Eyassu Semegn
shifting from time to time. The program goal is to maintain the integrity of government data when delivering it to the public. The states' IT security programs also aim to protect secret governmental data and information from public and unauthorized access by preserving the confidentiality of the data. The states are trying hard to maintain the confidentiality, integrity and availability of their data. However hard they try, the states face different types of obstacles to maintaining that protection. The first obstacle is a deficient cybersecurity budget. The states are severely hurt by budgetary shortfalls (nascio, 2009). Fighting newly developed and sophisticated threats on a low budget is not an easy task. Additionally, the states face a shortage of cybersecurity professionals and experts. Only a limited number of professionals work in the various governmental offices. The scarcity of professionals is due to the limited number of graduates from universities and colleges. Also, the states cannot compete with the private sector to hire qualified cyber specialists: the salary offered by the private sector is far better than the government's. The shortage of budget and the scarcity of cybersecurity professionals inhibit the states from fighting cybersecurity threats with full energy (nascio, 2009).
Even though each state has its own way of protecting data, the main goal of IT security policy is the same. The main purpose of IT security policy is protecting the non-public

security policy document explains how the agency can protect and secure its confidential information technology assets. Additionally, the document may include how the company plans to educate its employees, how IT security practices are enforced and carried out, and how the security procedures can be evaluated and checked for effectiveness so that the required adjustments and corrections can be made. The IT security policy is also referred to as a living document because it is always being updated and continued and is never finished. Whenever there is a technology or employee change, an update is crucial (tiaonline, 2015). Government offices mainly hold non-public data and personally identifiable information of citizens. Since the content of the offices' information is confidential, every state has a comprehensive IT security and protection policy. The comprehensiveness of IT security varies from state to state due to differences in financial power, IT security procedures and techniques, qualified professionals and more. For instance, richer states may have very strong IT security procedures and advanced technology with more qualified cybersecurity professionals than poorer ones. Let's compare and contrast the state of Oklahoma and Indianapolis IT security policies. First let's compare their common policy of IT security and
The state of Oklahoma and Indianapolis IT security policies have several common principles and methods. Some of their policy similarities are the following:

Incident management: The two states' policies have similar ways of handling or managing an incident or data breach. Both dictate how agencies need to develop incident response plans. Companies and organizations need to create an internal incident response team to handle incidents. The incident response team should be the only one involved when an incident happens. The team needs to act immediately by following the incident procedure. After the initial response, the team is expected to identify the sources of the incident and try to address the problem. If the incident is suspected to be cyber terrorism, the team must immediately report to the FBI Joint Terrorism Task Force (JTTF) and the state's homeland security (State of Oklahoma, 2008).
used to minimize or stop the risk of business or service interruption. A business continuity plan is also covered by both states' IT security policies. The continuity plan is an effective strategy to replace assets when they are no longer available to provide the necessary service. The service disruption can be caused by natural disasters, a security breach or power loss, and it can be long term or short term. Both states' policies insist that the business continuity plan needs to involve advance preparation and a risk or service disruption response plan. During a disruption, the service needs to continue at least at an acceptable level of the institution's functionality. In the event of a service disruption, the plan takes effect right away by following detailed procedures and guidelines. The plan needs to be flexible enough to grant or allow different
Risk Management: The state of Oklahoma and Indianapolis IT security policies take the same side when it comes to risk management. According to their policies, the risk management plan consists of risk evaluation and assessment, and a risk mitigation and control system. The risk assessment is meant to identify, evaluate and assess the risk in a particular agency's IT system. After the evaluation, the system offers or recommends how the risk can be reduced. By referring to the risk assessment process and result, the risk mitigation is exercised or

process is the one that takes action to reduce the risk the system faces. After the mitigation process, the responsible person will decide which risk needs to be reduced or
However, the state of Indianapolis and Oklahoma have many similarities in their IT

security policy should be drafted or developed by the CISO (Chief Information Security Officer) of the state Office of Technology (IOT). The CISO handles reviewing and updating the policy regularly and makes sure the policy serves the executive branch agencies as a minimum baseline (State of Indiana, 2013). The policy states that proper review and regular updating of the policy are useful to mitigate IT security risk. The regularly developed and updated policy needs to protect the state's information resources, and agencies need to implement
Collection and Protection of Data: The IT security policy of Indianapolis insisted that

necessary. Without a solid reason or mandating legislation, no state agency can collect any confidential or personally identifiable information (State of Indiana, 2013). After personal and confidential information is collected and stored, it needs to be protected from any unauthorized access and modification. To preserve the security of the data, agencies need to establish data management rules and regulations. The state agencies must take full responsibility and accountability for the security and protection of the data they collect. If any confidential or personal information is compromised, the agency that collected that data is fully accountable. Following the compromise, all types of applicable laws shall follow

state of Indianapolis IT security policy grants information access to third parties when they need to do business (State of Indiana, 2013). During the business transaction the individual needs to give his or her permission for the third party to access the particular data. The policy states that trusted third parties are granted the same or an equal level of authority as state agencies to protect state information. The parties are also granted permission to execute business on behalf of the
On the other hand, the state of Oklahoma has some different IT security policies when it

Awareness Training: The IT security policy of the state of Oklahoma mentions in detail the necessity of awareness training about IT security measures and procedures. According to the policy, state agencies and institutions need to train their employees to create IT security awareness and keep them up to date on technology. The policy insists that effective on-going awareness presentation systems need to be designed (State of Oklahoma, 2008). The main purpose of awareness and security training is to allow individuals to recognize IT security concerns and respond accordingly. Training employees in a formal procedure builds skills and knowledge that facilitate the employee's job performance. When the training reaches a wide range of audiences, it creates awareness. Once every employee is aware of the security issues and threats, making a reasonable and conscious
Data Center Management: The other difference in the state of Oklahoma's IT security policy is data center management. Data center management covers the biggest part of the state's policy. This part of the policy mainly deals with how information can be secured and managed using different systems and protocols (State of Oklahoma, 2008). Data center management also includes the physical asset resources and facilities found within the domain of IT, for instance segregation of duties, capacity planning, systems planning and
Publicly Available Systems: Furthermore, the state of Oklahoma's IT security policy has a unique section called publicly available systems. The publicly available systems section strictly specifies how information can be used publicly. The section states that before any information is published publicly, agencies need to follow certain laws, rules and regulations. The

the time information and software are released by different agencies through their websites and other resources. Whether the released item is electronically published data or software, it needs to have a digital signature or another controlling method (State of Oklahoma, 2008). The releasing body has full responsibility and accountability for the information it publicizes.
Compare and Contrast the State of Oklahoma and Indianapolis IT Security Policies

Both states provide sufficient, detailed and effective IT security policies and principles. Most of their policies and principles are very similar and closely related. The ideas they depend on and the issues they raise are very similar and sometimes identical. It is a little challenging to pick out their policy differences. However, there are some slight differences between the two states. The state of Indianapolis states that the IT security policy needs to be prepared by the Chief Information Security Officer (CISO) of the state or the agency, whereas the state of Oklahoma does not mention anything about the responsibility of the CISO. Also, the state of Indianapolis explains in detail how information can be collected and protected securely and legally. Additionally, the policy states that trusted third parties shall be granted authority to collect data if it is necessary during a business transaction; however, this issue is not discussed by
Unlike the state of Indianapolis, the state of Oklahoma's policy mentions how creating awareness and giving employees proper training about IT security is crucial and a must. The policy also states which laws agencies need to follow before publishing any public data. Unlike the state of Indianapolis, the state of Oklahoma strictly insists that agencies take precautions to protect the integrity of public data before and after they publicize it. For published public data, the agency that published it is responsible for its integrity and efficiency.
After comparing and contrasting both states' IT security policies, the state of Oklahoma has a slightly better policy than the state of Indianapolis for the following reasons. The Oklahoma state policy does not grant equal authority to third parties to collect and protect sensitive information. Also, the policy thoroughly explains how crucial and important it is to give employees technology training and security threat awareness. Additionally, the policy not only covers how to secure sensitive information but also states how to handle public data. Finally, the state of Oklahoma uses many pictorial and tabular methods, which help the reader understand the state's policy very easily.
Recommendations
- State agencies need to create a strong partnership with private and public sectors to create
- The federal government needs to create and stimulate an effective cyber threat information sharing and awareness program among state agencies and the private and public sectors.
- IT security policymakers should not only address how cyber threats can be mitigated; they should also provide information about the operational and physical or infrastructural work of cybersecurity.
- The US Congress must increase states' yearly budgets for cybersecurity research and development projects. The improved budget would greatly increase the capacity of state
- Countries experienced in IT security practices should gather and work together to share their experience. The exchanged experience would help to create globally acceptable IT
computing. (2015, 09 26). Desktop Computing Security Policies and Recommendations. Retrieved from sas.upenn.edu: https://www.sas.upenn.edu/computing/help/faculty_staff/desktop_security
nascio. (2009, 03 01). Desperately Seeking Security Frameworks: A Roadmap for State CIOs. Retrieved from nascio.org: http://www.nascio.org/publications/documents/Deloitte-NASCIOCybersecurityStudy_2014.pdf
State of Indiana. (2013, 01 10). State of Indiana Information Resources Policy and Practices. Retrieved from www.in.gov: http://www.in.gov/iot/files/Information_Security_Framework.pdf
State of Oklahoma. (2008, 12 01). Information Security Policy, Procedures, Guidelines. Retrieved from www.ok.gov: http://www.ok.gov/OSF/documents/StateOfOklahomaInfoSecPPG_osf_12012008.pdf
tiaonline. (2015, 09 26). Cybersecurity Recommendations for Critical Infrastructure and the Global Supply Chain. Retrieved from tiaonline.org: http://www.tiaonline.org/policy/securing-network-cybersecurity-recommendations-critical-infrastructure-and-global-supply