Introduction
The importance of an Information Technology (IT) Security Policy for state agencies and offices has never been more evident than now. State agencies and offices hold information that is crucial to the running of the state, which makes them key targets for cyberattacks. As many of them have moved from manual records and processes to digital systems, they have become more exposed to data breaches. IT security policies guide users of IT resources toward the behaviors that help them prevent, detect, and respond to IT security incidents (Cram et al., 2017).
States use IT security policies to ensure that sensitive public data does not fall into the wrong hands and that state systems are not compromised, which would cause a major disruption in how they serve the public. Attacks can also be political: a rival of the governor, say, might want specific information in order to gain leverage. Either way, the people harmed will be the state's citizens, so extraordinary measures should go into protecting them.
Every state should have an IT security policy, first because recovering from an attack such as a data leak costs more than preventing it. A preventive approach to IT security helps more than reactive measures, although that does not mean the policies should leave out response strategies for when incidents do occur. Creating awareness among staff in state offices about the importance of adhering to IT security policies goes a long way toward reducing the number of incidents. The state should also make sure IT policies are reviewed often, since the technology landscape changes quickly.
Similarities between the IT Security Policies in Virginia and Oklahoma
The similarities between the IT security policies of Virginia and Oklahoma show that there are standard provisions no state agency should ignore. Both contain policy statements declaring that responsibility for the security of agency IT systems lies with the agency head. Both also designate the personnel responsible for security in each agency, such as the Chief Information Officer, Information Security Officer, Agency Head, and Security Administrator. This is notable, as agencies without clearly assigned security roles are more vulnerable to major security incidents (Stewart & Jürjens, 2017).
A contingency plan is essential for agencies that have become reliant on IT systems. Contingency plans must meet the specific needs of the agency while aligning with international standards (Freire & Padilla, 2019). Both policies refer to a contingency plan. In Virginia, the plans listed to support recovery and restoration after an incident include continuity of operations planning, disaster recovery planning, and IT system backup and restoration. The Oklahoma policy additionally covers analysis and identification of the root cause of incidents.
Many people overlook physical security when discussing information security. Although most cyber threats arrive over the network, an unsecured premises makes an intruder's work easy. This applies especially to agencies that were designed to operate in isolation, which may be lax about physical security (Barrère et al., 2020). The Virginia policy requires the planning and application of facilities security practices as the first line of defense for electronic information against threats such as theft and interruption of computer services. The Oklahoma policy emphasizes that the security of the building and the local environment is crucial to the security of the agency's information.
Both policies put measures in place for logical access control to make sure users are who they claim to be. They cover password management, account management, and remote access. This matters because staff in state agencies, large and small, should not have access to every piece of information on the systems. Users are assigned roles that govern what they may do; for example, a secretary should not have read access to the system's source code. As agency systems grow more complex, access control needs a design that can handle collaboration across agencies (Paci et al., 2018). The current designs treat each agency as an independent, self-contained system, whereas affiliated agencies would be better served by an access control model that spans them, with identities and roles that carry across agency boundaries.
Concerning auditing, both states give directives on how audits should be performed and who is responsible. The agency reserves the right to audit at any time, which means staff email and activity on agency computers can be examined. Many organizations are increasing their use of automated audit software, which catches problems faster than periodic scheduled audits. Automated audits offer greater precision (Cangemi & Brennan, 2019) and faster discovery of new risks, which the system administrator can address before they are exploited.
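The role-based, least-privilege access control described above and the automated audit that follows it can be shown together. The block below is an added example written for this page; it is not code from either state's policy or from any cited work. The role table, user names, resources and timestamps are all constructed for illustration, and the "three denials in ten minutes" rule is an assumed audit threshold rather than anything the policies specify. The controller denies by default (an unknown role grants nothing) and writes an audit record for every decision, and the audit function scans those records for users who keep hitting resources they are not entitled to, the case of a secretary probing the source tree.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed role-to-permission table for illustration; it is not taken
# from either state's policy. Permissions are "resource:action" strings.
ROLE_PERMISSIONS = {
    "secretary": {"calendar:read", "calendar:write", "memo:read"},
    "developer": {"source:read", "source:write", "memo:read"},
    "security_admin": {"audit_log:read", "account:manage"},
}


@dataclass(frozen=True)
class AccessEvent:
    """One audit record: who tried what, on which resource, and the outcome."""
    ts: datetime
    user: str
    resource: str
    action: str
    allowed: bool


class AccessController:
    """Deny-by-default RBAC check that writes an audit record for every decision."""

    def __init__(self, user_roles):
        self.user_roles = user_roles   # user -> set of role names
        self.events = []               # audit trail, in decision order

    def permissions_for(self, user):
        perms = set()
        for role in self.user_roles.get(user, ()):
            # An unknown role contributes nothing rather than raising: deny by default.
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def check(self, user, resource, action, ts):
        """Return True only if some role of `user` grants resource:action."""
        allowed = f"{resource}:{action}" in self.permissions_for(user)
        self.events.append(AccessEvent(ts, user, resource, action, allowed))
        return allowed


def flag_repeated_denials(events, threshold=3, window=timedelta(minutes=10)):
    """Automated audit rule (assumed threshold): return the users with at least
    `threshold` denied attempts inside any sliding interval of length `window`."""
    denied_times = {}
    for e in sorted(events, key=lambda e: e.ts):
        if not e.allowed:
            denied_times.setdefault(e.user, []).append(e.ts)
    flagged = set()
    for user, times in denied_times.items():
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def run_demo():
    """Constructed scenario: a secretary repeatedly probes the source tree."""
    ac = AccessController({
        "pat": {"secretary"},
        "dana": {"developer"},
        "ghost": {"unknown_role"},   # role not in the table: gets nothing
    })
    t0 = datetime(2024, 1, 8, 9, 0)
    decisions = [
        ac.check("pat", "calendar", "write", t0),
        ac.check("dana", "source", "read", t0 + timedelta(minutes=1)),
        ac.check("ghost", "memo", "read", t0 + timedelta(minutes=2)),
        ac.check("pat", "source", "read", t0 + timedelta(minutes=3)),
        ac.check("pat", "source", "read", t0 + timedelta(minutes=5)),
        ac.check("pat", "source", "read", t0 + timedelta(minutes=8)),
    ]
    return decisions, flag_repeated_denials(ac.events)


if __name__ == "__main__":
    decisions, flagged = run_demo()
    print(decisions)   # [True, True, False, False, False, False]
    print(flagged)     # {'pat'}
```

The single denial for "ghost" is recorded but not flagged, while "pat" is flagged because all three source-tree denials fall inside one ten-minute window. In a real deployment the audit function would run continuously over the event store rather than once over an in-memory list, which is the point the paragraph makes about automated versus scheduled audits.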
Uniqueness in the IT Security Policies in Virginia
Virginia's policy has several unique points, reflecting needs that differ from its counterpart's. It defines the roles of both a Chief Information Security Officer and a Chief Information Officer; having personnel explicitly designated for security in the agency is important. It also provides for asset management, which protects the various IT components through sound management practices such as change control and configuration management.
The policy includes a chart showing how the different security components it defines are interconnected. This gives users the bigger picture of where they sit in terms of security responsibility. The policy also states that anyone using state agency IT resources has consented to being monitored. Another feature unique to the Virginia policy is a revision history table, which lets any stakeholder track the changes and improvements made to the policy over time.
Uniqueness in the IT Security Policies in Oklahoma
There are areas in which Oklahoma sets itself apart in its IT security policy. The specificity with which it describes password confidentiality is unique to Oklahoma: the policy sets out the checks used to validate a password, how long each password remains valid before it must be reset, and who is responsible for issuing passwords. One caveat a reviewer should raise is that current guidance, NIST SP 800-63B, recommends against forcing periodic password changes unless there is evidence of compromise, so the expiry interval is worth revisiting when the policy is next reviewed. Another unique feature is the clear definition of staff rights regarding computer and email usage.
There is more transparency about what is monitored, so the agency's rights are not overstretched. Transparency increases inclusion (Trois et al., 2017) and helps agency executives avoid misusing their power; staff also feel more trusted, and trust their seniors more, when everything is open. The help desk management provisions, covering everything from voicemail security to secure support calls, are important: an attacker who can listen in on those channels, or impersonate a user to the help desk, gains an easy foothold. The Oklahoma policy also provides guidance on the disposal of media containing sensitive information.
Evaluation of the two IT security policy documents
The analysis of the two policies shows that both states have put effort into protecting their information technology assets through IT policies. The Oklahoma policy is more thorough and detailed than the Virginia policy document, which leaves many grey areas. Both states should make the frequency of policy updates part of the policy document itself. The Virginia policy was last reviewed in 2014, and the Oklahoma policy in 2017.
Technology moves fast, and gaps of that length between reviews leave state agencies exposed to many vulnerabilities. I would also recommend expanding the areas the policies cover to include software patching, firewalls, virtual networks, and continuous staff education about cybersecurity policies. The state of Virginia should make its policy document more detailed and link to external documents where needed. The state of Oklahoma should review the roles of the IT security personnel it has defined.
Conclusion
States must treat the creation and updating of information security policy documents as a priority, with structures that also allow for public participation. The states of Oklahoma and Virginia are on the right track, but much work remains. The language used in the policies should be simple and concise. Oklahoma has the better policy document, but it appears to have been neglected, since little has changed since 2017. Virginia should review its document and broaden the scope of its policy. Agency heads must understand that implementing the policy is not optional, and the state must enforce it in order to avoid spending public funds on recovering from cyberattacks. Each state needs a policy document both to prevent security incidents and to set out the procedures to follow when an incident does occur.
References
Barrère, M., Hankin, C., Nicolaou, N., Eliades, D., & Parisini, T. (2020). Measuring cyber-physical security in industrial control systems via minimum-effort attack strategies. Journal of Information Security and Applications, 52, 102471. Web.
Cangemi, M., & Brennan, G. (2019). Blockchain auditing – accelerating the need for automated audits! EDPACS, 59(4), 1-11. Web.
Cram, W., Proudfoot, J., & D’Arcy, J. (2017). Organizational information security policies: a review and research framework. European Journal Of Information Systems, 26(6), 605-641. Web.
Freire, F., & Padilla, V. (2019). A Contingency Plan Framework for Cyber-Attacks. Journal of Information Systems Engineering & Management, 4(2). Web.
Paci, F., Squicciarini, A., & Zannone, N. (2018). Survey on Access Control for Community-Centered Collaborative Systems. ACM Computing Surveys, 51(1), 1-38. Web.
Stewart, H., & Jürjens, J. (2017). Information security management and the human aspect in organizations. Information & Computer Security, 25(5), 494-534. Web.
Trois, C., Weingaertner, D., Pasqualin, D., Maciel, E., Almeida, E., & Silva, F. et al. (2017). Transparency Meets Management: A Monitoring and Evaluating Tool for Governmental Projects. 2017 IEEE/ACS 14th International Conference on Computer Systems and Applications (AICCSA). Web.