Having a clearly articulated information technology (IT) security policy is crucial for any organization, including state agencies and offices in the executive branch. A well-established IT security policy prevents unauthorized disclosure, access, use, or modification of information assets of an organization (Briffa et al., 2020). Illinois Department of Innovation and Technology (DoIT, 2019) stated that the purpose of establishing an IT security policy was “to prevent or limit the adverse effects of a failure, interruption, or security breach of State of Illinois Information Systems” (p. 3). The IT security policies define the boundaries of information use within government organizations.
The importance of an IT security policy for a government organization is difficult to overstate. Such policies provide employees and other stakeholders with guiding principles concerning the secure management of information, as well as specific rules concerning what should and should not be done to maximize the security of information (Pourkhomami, 2018). A good IT security policy needs to include descriptions of acceptable use, confidential data, email use, mobile device use, incident response, network security, acceptable passwords, physical security, wireless network use, and guest access rules (Briffa et al., 2020). Any state needs to have a comprehensive IT security policy regardless of whether it is a resource-poor state or a wealthy state, as all government agencies operate with sensitive data that should be protected. Without such a policy, government agencies are vulnerable to attacks from malicious users that may lead to the theft, loss, or disclosure of sensitive information.
The present paper aims to discuss the similarities and differences between two IT security policies adopted in Illinois and Virginia. Additionally, the paper evaluates the policies and offers recommendations for further improvement.
Common Principles in IT Policies
While IT policies of different states may differ in some aspects, they have several similarities that should be mentioned. First, the policies have similar purposes, stated at the beginning of each document. Both policies were established to minimize threats associated with the loss, disruption, or corruption of information (DoIT, 2019; Virginia Information Technologies Agency [VITA], 2014). Both policies are based on the principles of confidentiality, integrity, availability, and system resiliency (DoIT, 2019; VITA, 2014). Moreover, both policies aim to comply with federal and state laws. Second, the documents establish key roles and responsibilities in the IT security sphere. While the described key roles vary, both documents state that Chief Information Officers, Chief Information Security Officers, and agency heads play key parts in the implementation of the IT security policies.
Third, both policies give increased attention to personnel security. DoIT (2019) stated that personnel security practices include ensuring that appropriate personnel have appropriate, limited access, that changes in employee status are followed by the timely provision or restriction of access to sensitive information, and that appropriate documentation accompanies the granting and restriction of access. Apart from the three aspects of personnel security mentioned above, VITA (2014) includes personnel security training in this aspect of the IT security policy. Fourth, both documents pay close attention to IT contingency planning, which allows quick recovery from any attacks, breaches, or system breakdowns (DoIT, 2019; VITA, 2014). Finally, both policies acknowledge that there may be exceptions to the policy, which should be approved by the agency and have a clear justification. While there are other similarities between the policies, the five aspects mentioned above are the most vivid examples.
Unique Aspects of Illinois IT Security Policy
The appearance, length, structure, and level of detail of the policies provided by different states differ considerably. The present section describes unique aspects of the Illinois IT Security Policy in comparison with the IT security policy issued by VITA. The central unique feature of the policy provided by DoIT (2019) is the level of detail given to every aspect of IT security. Even the purpose and key roles are carefully described in detail, while the level of detail in the document by VITA (2014) is limited. Second, DoIT (2019) puts great emphasis on communicating the acceptable use of information to all employees as well as to third parties that deal with sensitive data. Third, DoIT’s (2019) policy includes a clear identification and authentication policy, which aims at minimizing authentication attacks and preventing unauthorized connections to the networks of the State of Illinois. Fourth, DoIT (2019) includes a media protection policy, which requires personnel to apply proper Information System media markings on all approved media, devices, and systems property. Finally, DoIT (2019) gives particular attention to controlling the physical environment and physical access to devices, which may be a significant source of risk of information loss, unauthorized disclosure, or theft.
Unique Aspects of Virginia IT Security Policy
While VITA (2014) provides a less detailed IT security policy, some unique features should be acknowledged. First, VITA (2014) states the guiding principles of its framework, while DoIT (2019) does not do so. The principles include a clear definition of sensitive information and of information security. Second, VITA presents the security framework visually in a single figure, which helps stakeholders understand the big picture of the IT security policy. Third, VITA (2014) unites several aspects of personnel security: control over the access limits of different roles, IT security training, and raising awareness of acceptable use requirements for IT systems and data. Fourth, VITA (2014) provides a detailed explanation of compliance with the IT security policy through monitoring and audit. Finally, the IT security policy developed by VITA (2014) includes a form that must be completed to justify an exception to the rules. This form includes a description of the exception, an assessment of the associated risks, and an acknowledgment of all uncontrolled risks.
Assessment and Recommendations
Both documents discussed in the present paper have strengths and weaknesses, which should be acknowledged. The analysis demonstrated that VITA (2014) provided a clear definition of guiding principles and a visualized framework of IT security. While these features are valuable, VITA (2014) seems to lack sufficient detail on crucial features of IT security. In particular, the policy provided by VITA (2014) lacks information regarding acceptable use, access control, identification and authentication, and media protection in comparison with the policy by DoIT (2019). Moreover, Virginia’s IT security policy for government agencies has not been updated or revised for seven years. In a quickly changing environment, it is recommended that IT policies be revised as often as possible (Williams, 2018). Thus, even though VITA (2014) created a sound IT security policy, the document developed by DoIT (2019) appears to be more useful for guiding IT security practices in government agencies.
A list of recommendations for both states’ policies is provided below.
- Both states’ policies need to promote the adaptive implementation of IT security policies. This implies that states should adopt cybersecurity practices “based on previous and current cybersecurity activities, including lessons learned and predictive indicators” (National Institute of Standards and Technology, 2018, p. 10).
- The states need to acknowledge the top five barriers to overcoming IT security challenges and include mitigation strategies to minimize the associated risks. These barriers include a lack of sufficient IT security budget, inadequate staffing in IT security, outdated infrastructure and solutions to emerging threats, a lack of dedicated IT security budget, and the low availability of cybersecurity professionals (Ward & Subramanian, 2020).
- Both states need to include a formal process in place to deal with complaints about handling the privacy of the information as well as include a program for privacy compliance (Deloitte & NASCIO, 2018).
- Both states need to have a clearly stated time frame for revising the policies to ensure that they can be used to address the growing complexity of cybersecurity threats (Deloitte & NASCIO, 2018; Williams, 2018).
- Since the number of remote workers in the public sector is growing, the policy should clearly describe principles for protecting information used by remote employees (Open Access Government, 2021). The policy may include Zero Trust Network Access, which enforces strict authentication of every access request (Open Access Government, 2021).
The present paper included an evaluation of two IT security policies developed by the governments of Virginia and Illinois. A comparative analysis revealed that the policies have several common and unique features. The careful assessment led to the conclusion that Illinois has a better IT security policy than Virginia. Finally, five recommendations for both states were provided to address the emerging threats to cybersecurity in the public sector.
Briffa, K., Bugeja, A., De Maria, J., Pillow, M., Falzon, A., Portelli, C., & Hili, F. (2020). The importance of having an IT security policy in place. Mondaq.
Deloitte & NASCIO. (2018). 2018 Deloitte-NASCIO cybersecurity study.
Illinois Department of Innovation and Technology. (2019). Overarching enterprise information security policy.
National Institute of Standards and Technology. (2018). Framework for improving critical infrastructure cybersecurity.
Open Access Government. (2021). 5 cybersecurity issues that the public sector faces and how to protect it.
Pourkhomami, P. (2018). IT security policies: Why every organization must have them. OSIbeyond.
Virginia Information Technologies Agency. (2014). Information technology security policy.
Ward, M., & Subramanian, S. (2020). States at risk: The cybersecurity imperative in uncertain times. Deloitte.
Williams, M. (2018). How often should our IT policies be reviewed and updated? Pensar.