EXECUTIVE ORDER
03-25

WHEREAS, on November 9, 2001, I appointed members of the Missouri Homeland Security Panel, the membership of which was charged with comprehensively reviewing the State of Missouri's situation with regard to homeland security, recommending changes if necessary, and identifying federal funds with which to implement the recommended changes; and

WHEREAS, on September 11, 2002, I issued Executive Order 02-15 establishing the Missouri Security Council for the express purposes of coordinating homeland security­-related activities between executive agencies and local political subdivisions and effective development and implementation of homeland security policies; and

WHEREAS, the Director of Homeland Security was charged with determining the agenda of Missouri Security Council meetings, ensuring necessary papers are prepared, recording Council actions and recommendations, serving as the principal liaison to any federal Homeland Security offices or agencies and advising the Governor on all state Homeland Security issues; and

WHEREAS, the Director of Homeland Security, in meeting his charge, did establish a Cyber Security Committee for the express purpose of studying and making recommendations to ensure the security of cyber space with respect to Missouri's critical information technology infrastructure; and

WHEREAS, cyber attacks seek to threaten public safety, individual privacy, corrupt valuable data, and disrupt the capability of public and private entities to function effectively, thereby eroding public confidence; and

WHEREAS, cyber attacks have been increasingly more frequent and disruptive and commonly recognized as a threat to Homeland Security; and

WHEREAS, CyberSecurity is the protection and defense of Cyberspace, a critical infrastructure made up of digital information that is electronically communicated. CyberSecurity encompasses the people, processes and techniques for protecting and defending cyber assets, so that they are available to authorized users and cannot be compromised or changed by unauthorized individuals; and

WHEREAS, the continued confidentiality, integrity, availability, authenticity and continuity of operation of State of Missouri information technology and information assets are an essential element of Missouri's Homeland Defense, e-government and day-to-day business capability:

NOW, THEREFORE, I, BOB HOLDEN, GOVERNOR OF THE STATE OF MISSOURI, by virtue of the authority vested in me by the constitution and the laws of the state of Missouri, do hereby order the following:

Section 1. Policy. It shall be the policy of the state of Missouri that each state department or agency shall work diligently to combat cyber attacks and to protect the cyber assets of the state.

1. Each agency shall adopt policy consistent with the guidelines and model policy developed by the Cyber Security Committee of the Missouri Security Council and recommended by the Information Technology Advisory Board and establish appropriate procedures to ensure that information technology assets and information are adequately protected from cyber attacks.
2. Each agency shall specifically address the issue of cyber security with any entity with whom it conducts business electronically to determine if they have appropriate cyber security controls in place to afford the state protection from cyber attacks initiated through those electronic business connections.

Section 2. Office of Information Technology. The Office of Information Technology (OIT) shall be the principal inter-agency forum to improve state policies and procedures with respect to cyber security. OIT, in its role as chair of the Cyber Security Committee of the Missouri Security Council and in consultation with the Information Technology Advisory Board, shall provide advice and make recommendations to the Chief Information Officer regarding appropriate government-wide measures to carry out this order. Minimally, the OIT shall:

1. Make cyber security a high priority and treat it as a public safety issue; and
2. Take steps to establish a centralized information security management organization capable of executing and supporting industry recognized security provisions, programs and assessments; and
3. Ensure the state's enterprise information technology architecture has as a prominent element a security domain; and
4. Ensure the issue of privacy is equally considered in the development of cyber security policy and procedures and formulate government-wide recommendations on privacy as appropriate and consistent with cyber security recommendations.

Section 3. Chief Information Officer. The Chief Information Officer (CIO) shall issue statewide cyber security and privacy policy consistent with recommendations put forth by the Cyber Security Committee of the Missouri Security Council and the Information Technology Advisory Board. In administering policy, the CIO shall utilize appropriate oversight mechanisms to foster agency compliance with policies issued to carry out this order.

Section 4. Alteration of Authority. This order shall not be construed to alter the existing authorities of any executive agency or department, except that all executive departments and agencies are directed to assist the Chief Information Officer in carrying out the purposes of this order.

IN WITNESS WHEREOF, I have hereunto set my hand and caused to be affixed the Great Seal of the State of Missouri, in the City of Jefferson on this 10^th day of December, 2003.

[Bob Holden's signature]
Bob Holden
Governor

ATTEST:

[Matt Blunt's signature]
Matt Blunt
Secretary of State