At least 15 states have a statewide executive branch CISO position or equivalent required by statute. Other states have created CISO positions through executive orders or agency actions; in all, every one of the 50 states has a statewide chief information security officer (CISO) or equivalent, according to a Deloitte-NASCIO Cybersecurity Study. CISOs establish, oversee and facilitate statewide security management programs to ensure government information is adequately protected.
Examples of responsibilities of the CISO position under state laws include:
- creating statewide security policies and IT standards,
- requiring information security plans and annual assessments or reporting, and
- requiring periodic security awareness training for employees.
Privacy and security go hand in hand, and at least five states—Arkansas, Massachusetts, Ohio and Washington—have expressly designated, in statute, a statewide chief privacy officer (CPO). Just as for CISO positions, however, some states have created CPO positions through executive orders or agency actions, or may include privacy protection within the responsibilities of a CISO or other position.
Statutory language follows the table of states below, indicating the duties and responsibilities assigned to the position in each state.
Information Technology Governance and Structure
In addition to establishing a statewide Chief Information Security Officer and specifying duties and responsibilities, an increasing number of states are consolidating oversight and management of state agency IT resources under a single statewide agency.
Examples of state laws creating a consolidated information technology agency include: