At least 16 states have a statewide executive branch chief information security officer (CISO) position or equivalent established by statute. Other states have created CISO positions through executive orders or agency actions. CISOs establish, oversee and facilitate statewide security management programs to ensure government information is adequately protected.
Examples of responsibilities of the CISO position under state laws include:
- creating statewide security policies and IT standards,
- requiring information security plans and annual assessments or reporting, and
- requiring periodic security awareness training for employees.
Privacy and security go hand-in-hand, and at least five states—Arkansas, Massachusetts, Ohio, Utah and Washington—have expressly designated, in statute, a statewide chief privacy officer (CPO). Just as for CISO positions, however, some states have created CPO positions through executive orders or agency actions, or may include privacy protection within the responsibilities of a CISO or other position.
Statutory language, indicating the duties and responsibilities assigned to the position in each state, follows the table of states below.
Information Technology Governance and Structure
Establishing a statewide Chief Information Security Officer and specifying duties and responsibilities is increasingly a part of consolidated oversight and management of state agency IT resources.
Examples of state laws creating a consolidated information technology agency include: