Florida: The cybersecurity state

[InfoSec News <isn () c4i org>]

http://www.fcw.com/geb/articles/2002/1111/web-fla-11-13-02.asp

By Dibya Sarkar 
Nov. 13, 2002

As Florida information technology officials began preparing for the
Year 2000 conversion, they also became concerned about cyberterrorism.

"We were going to have to worry about worms, viruses, hacking and
other acts of cybervandalism and cybersabotage forever, and we felt
that we needed a permanent presence to be able to deal with the
issues," Scott McPherson, who led the state initiative. "Nobody was
thinking about al Qaeda back in those days."

The concern led to the formation of the Office of Information Security
about two years later to handle protection for all Florida state
agency information systems. The office, which is housed within the
State Technology Office, now has a staff of seven and budget of $4
million.

"We tried to always be mindful that we had to take an enterprisewide
approach to this especially with all the interoperability and
connectivity issues between agencies.... Otherwise, you just try to do
this agency or that agency or the other agency, and you're still going
to leave yourself wide open," said McPherson, the chief information
officer for Florida's Corrections Department and the leader in
creating the information security office.

Even before Sept. 11, 2001, state governments increasingly have become
aware of the risk to their information systems and have implemented
statewide strategies to protect their data and critical
infrastructures. Just how many states, or to what degree, is unclear.

The National Association of State Chief Information Officers (NASCIO)  
has led the charge for greater security and, this summer, issued a
report calling for stronger public-sector measures in cybersecurity
protection. It is also developing an Interstate Information Sharing
and Analysis Center to provide aggregate state incident data, early
warnings and notices.

At NASCIO's annual conference last month, McPherson discussed
Florida's approach, which included contracting with a vendor - in this
case, Herndon, Va.-based TruSecure Corp.

Such an arrangement was important, he said, to get a true, independent
assessment. "I've recognized from my prior experience and my Y2K
experience that state agencies when left to their own devices will
rise or fall to their own levels of competence," he said.

TruSecure recently finished a statewide security audit for the state's
three branches of government. Audits included "everything from
penetration tests to war dialing to physical security, inspections,
and looking at policies and procedures, everything from screen savers
to port scans and almost literally everything in between," McPherson
said.

Initially, the governor's agencies were targeted "because those are
the ones we can crack the whip on the easiest," McPherson said. But
after lawmakers saw how well those agencies fared against the Nimda
virus last fall, the legislature provided an additional $500,000 to
expand the program statewide, an effort that began earlier this year
and was completed in late September.

No agency got a clean bill of health from the company's security
assessment, McPherson said, and agencies have to fix any security
deficiencies themselves. The company will now start conducting
supplemental audits, "which come at a moment's notice [and] will be
systematic and ongoing."

If a governor's agency starts to "drag," McPherson said the governor
would get involved. If a cabinet agency doesn't comply, then the
legislature will hold a joint session behind locked doors to hear the
complaint and possibly reprimand the agency. "We have never had to do
this and that's the beauty of having the power," he said. "If you have
the power and other people know you have the power and you're not
afraid to use it, then they will comply."

The security office also is providing training to agency security
officers to bring them up to a specific level of competence. The state
also is developing security policies and procedures.

"Agencies will be allowed to adopt more restrictive policies, but no
agency will be allowed to exempt themselves from the policies," he
said, adding the baseline policies should be finished by year's end.

McPherson said the state "doesn't profess to have the best solution,"  
but is "bore fruit."

"The one thing that we do recognize is that we're only as good as our
next foray into the unknown and that's why it's so important for these
audits and these vulnerability assessments to be ongoing," he said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.