Enterprise Security and Risk Management Office (ESRMO)
Statewide Security Policy, Standards and Procedures Framework

The State continues to build and maintain the State Policy, Standards and Procedures (PSP) framework to ensure that all agencies have a common baseline of PSPs within the ISO 17799 standards framework. PSPs are refreshed as new and/or updated policies are needed. The ISO 17799 standard has recently been renumbered as ISO 27002 and is used by the National Institute of Standards and Technology (NIST). The State has an enterprise license to provide agencies with the most current version of the ISO Security Standard and Toolkit.

The State CIO has adopted and follows a standards/policy review and rollout process to make the latest statewide manual and toolkit available to agencies. As new and/or revised policies are approved, they are rolled out to all executive branch agencies with appropriate training materials provided. All approved security policies and standards that are not classified as ‘confidential’ by law are posted in the Statewide Security Manual on the State CIO’s web site.

As part of the annual review of security standards required under GS 147.33.110, the Enterprise Security and Risk Management Office (ESRMO) reviewed the statewide security standards, industry standards and best practices, and sought suggestions from other agencies subject to the standards. Based on the review conducted in 2007, together with the ISO 27002 upgrade, the Security Manual update initiative includes the following.

Security Policy and Standards Revision Recommendations

  • Statewide password policies and standards:
      • Include and clearly define requirements by type of user (employees, contractors, vendors, business, citizens etc.).
      • Integrate statewide standards with the revised NCID policy.
  • Statewide encryption policies and standards:
      • Check confidential data references and add requirements to protect personally identifiable information (PII).
      • Develop requirements for use of encryption for laptops, USB drives, and other mobile devices.
  • Statewide business continuity policy and standards:
      • Include guidance with references for planning related to communicable diseases / pandemic planning.
  • Other Statewide Security Standards and Policies:
      • Review, reorganize, and update when necessary the 16 statewide policies and standards that are currently presented as a supplement to the Statewide Information Security Manual framework.

Selected references include:


Contact ESRMO Staff
Enterprise Security and Risk Management Office
PO Box 17209, Raleigh, NC 27619-7209