Enterprise Information Security Consulting and Support

Service Description

Information Security Consulting and Support services are offered by the Enterprise Security and Risk Management Office to help State agencies safeguard citizens' data and meet the requirements of the security standards legislation, N.C.G.S. § 147-33.110 through 33.113, and other legal and regulatory requirements.

Services provided:

  • Security consulting
    • Provide supporting analysis to help agencies resolve information technology risks, threats, and vulnerabilities and to implement adequate risk mitigation measures
    • Provide consultation to help agencies respond to audit and/or security assessment findings
  • Security manual development and ongoing review of statewide policies, standards, and procedures
    • Provide security framework and manual
    • Assist agency with understanding and interpreting statewide security policies and standards and legal and regulatory requirements
  • Security training and awareness activities and materials
    • Provide security training and awareness events for interested executive branch agency staff
    • Coordinate purchase and distribution of security training and awareness materials for use in State executive branch agencies
  • Coordinate the required agency security liaison support role
    • Perform background checks for agency security liaisons
    • Maintain agency security contact information
    • Notify agency security contacts of statewide and agency security matters
    • Provide authorized agency staff with access to the Enterprise Security and Risk Management Office (ESRMO) security portal
  • Review statewide and agency projects and initiatives for adequate information security risk mitigation provisions
    • Review and/or manage statewide projects/initiatives related to enterprise security technology selection, licensing and centralized management
    • Review agency projects for appropriate security and risk mitigation measures based on legal and regulatory requirements for data classification and handling
  • Enterprise purchasing contracts for security related components
    • Research and evaluate security technologies to identify strategic enterprise approaches for the deployment of security technologies that permit the State to benefit from standardization and economies of scale
    • Strategic planning for statewide security needs

Benefits

  • Use of a standards-based approach to security and risk management
  • Increased understanding and awareness of information security matters that will improve an agency's security posture
  • Active participation in the integration of agency level and state level security processes

Hours of Availability

  • The services are available from 7:00 a.m. to 6:00 p.m., Monday through Friday, except for holidays.
  • On-call staffing is available for emergencies and after hours scheduled work.
  • In the event the agency seeks vulnerability or port scanning, the scanning activity will be conducted within the customer's maintenance window unless other arrangements are made.
  • Emergency maintenance windows will be handled using the urgent change process.

Customer Responsibilities

Business Continuity and Disaster Recovery Plans

  • Identify critical agency business systems and applications.
  • Implement agency data classification, retention, and handling measures based on legal and regulatory requirements as required by statute.
  • Follow appropriate incident reporting procedures, including cybersecurity incident reporting as required by statute.
  • Follow standard processes and procedures for cybersecurity incident reporting.
  • Request and schedule special services (for example, installation of new equipment, after-hours support) well in advance of the date required.
  • Be aware of and comply with the security standards, policies, and procedures established by the State Chief Information Officer, as well as DIT policies for DIT-provided services such as email and network.
  • Be available to provide critical information to assist in the resolution of cyber incidents.
  • Provide agency staff to support, advise and assist with agency information security matters.
  • Assess, manage, and mitigate agency information security risk.
  • Define and implement appropriate agency internal security policies, standards and procedures.
  • Provide security training to agency staff.
  • Define and implement agency internal information security incident plans and procedures and integrate with the statewide cybersecurity incident plan.
  • Provide internal agency security incident response oversight.
  • Develop and follow agency level project plans to implement agency level security.

How Do We Charge?

Currently, the Enterprise Security and Risk Management Office (ESRMO) does not charge for this service.

Request Any Service

Contact Our Service Desk:
Phone: 919-754-6000 or 1-800-722-3946
Email: dit.incidents@its.nc.gov