
State CIO Issues Data Security Advisory Memo
There have been a number of recent reports in the news regarding the exposure of sensitive personal information involving veterans, students, and beneficiaries. In light of these events, Mary F. Carroll, State Chief Information Officer and Director of the Office of Information Technology (OIT), issued an advisory memorandum on June 14, 2006 to agency directors. The memorandum outlines in more detail the recent security events, identifies recommended areas on which to review security policies and practices, and announces a revision to Ohio IT Policy ITP-B.7, “Security Incident Response.”
Pursuant to Section 125.18 of the Ohio Revised Code (ORC), OIT issued a revision to Ohio IT Policy ITP-B.7 <http://oit.ohio.gov/IGD/policy/pdfs_policy/ITP.B.7.pdf>. The policy was revised as follows:
* Section 1347.12 of the ORC. Section 1347.12 of the ORC outlines state agency requirements for contacting Ohio residents if unencrypted or unredacted personal information is accessed or acquired by unauthorized persons. Ohio IT Policy ITP-B.7, “Security Incident Response,” has been updated to include the recently enacted ORC 1347.12 disclosure requirements in the event of a breach of personal information.
* OIT Service Delivery Division (SDD) Enterprise Operations Security. The OIT SDD Enterprise Operations Security office, the designated IT security incident response coordinator for the state, updated their telephone and e-mail address information. This information was updated in both the procedures and contacts section of the policy.
Copies of State of Ohio IT Policy may be obtained online at www.ohio.gov/itp.
Should you have questions regarding this or any policy issued by OIT, please direct inquiries to Brooke Speert, Senior IT Policy Analyst, by telephone at 614-644-7856 or via e-mail at State.ITPolicy.Manager@oit.ohio.gov.