Statewide Chief Information Security Officers

1/15/2020

At least 15 states have a statewide executive branch chief information security officer (CISO) position or equivalent established by statute. Other states have created CISO positions through executive orders or agency actions. CISOs establish, oversee and facilitate statewide security management programs to ensure government information is adequately protected.

Examples of responsibilities of the CISO position under state laws include:

  • creating statewide security policies and IT standards,
  • requiring information security plans and annual assessments or reporting, and
  • requiring periodic security awareness training for employees.

Privacy and security go hand-in-hand, and at least five states—Arkansas, Massachusetts, Ohio and Washington—have expressly designated, in statute, a statewide chief privacy officer (CPO). Just as for CISO positions, however, some states have created CPO positions through executive orders or agency actions, or may include privacy protection within the responsibilities of a CISO or other position. 

Statutory language follows the table of states below, indicating the duties and responsibilities assigned to the position in each state. 

Statutes Establishing a Chief Information Security Officer

State            Statute
Arizona          Ariz. Rev. Stat. § 41-3507
Colorado         Colo. Rev. Stat. § 24-37.5-403
Delaware         Del. Code § 9030C(a)(2)
Florida          Fla. Stat. § 282.318
Illinois         20 ILCS 1375/5-20
Kansas           Kan. Stat. § 75-7238
Kentucky         KRS § 42.724
Massachusetts    Mass. Gen. Laws Ch. 7D, § 4
New Hampshire    R.S.A. § 94:1-a
Ohio             Ohio Rev. Code § 125.18
Rhode Island     R.I. Gen Laws § 42-11-2.8
Texas            Tex. Govt. Code §§ 2054.511, 2054.1125
Utah             Utah Code § 63F-2-102
Washington       RCW § 43.105.215
West Virginia    W. Va. Code § 5A-6B-1 to -6

Information Technology Governance and Structure

Establishing a statewide Chief Information Security Officer and specifying the position's duties and responsibilities is increasingly a part of consolidated oversight and management of state agency IT resources.

Examples of state laws creating a consolidated information technology agency include: