[ISN] Florida: The cybersecurity state

From: InfoSec News (isnat_private)
Date: Wed Nov 13 2002 - 23:41:04 PST

By Dibya Sarkar
Nov. 13, 2002

As Florida information technology officials began preparing for the
Year 2000 conversion, they also became concerned about cyberterrorism.

"We were going to have to worry about worms, viruses, hacking and
other acts of cybervandalism and cybersabotage forever, and we felt
that we needed a permanent presence to be able to deal with the
issues," said Scott McPherson, who led the state initiative. "Nobody was
thinking about al Qaeda back in those days."

The concern led to the formation of the Office of Information Security
about two years later to handle protection for all Florida state
agency information systems. The office, which is housed within the
State Technology Office, now has a staff of seven and budget of $4

"We tried to always be mindful that we had to take an enterprisewide
approach to this especially with all the interoperability and
connectivity issues between agencies.... Otherwise, you just try to do
this agency or that agency or the other agency, and you're still going
to leave yourself wide open," said McPherson, the chief information
officer for Florida's Corrections Department and the leader in
creating the information security office.

Even before Sept. 11, 2001, state governments had become increasingly
aware of the risk to their information systems and had implemented
statewide strategies to protect their data and critical
infrastructures. Just how many states, or to what degree, is unclear.

The National Association of State Chief Information Officers (NASCIO)
has led the charge for greater security and, this summer, issued a
report calling for stronger public-sector measures in cybersecurity
protection. It is also developing an Interstate Information Sharing
and Analysis Center to provide aggregate state incident data, early
warnings and notices.

At NASCIO's annual conference last month, McPherson discussed
Florida's approach, which included contracting with a vendor - in this
case, Herndon, Va.-based TruSecure Corp.

Such an arrangement was important, he said, to get a true, independent
assessment. "I've recognized from my prior experience and my Y2K
experience that state agencies when left to their own devices will
rise or fall to their own levels of competence," he said.

TruSecure recently finished a statewide security audit for the state's
three branches of government. Audits included "everything from
penetration tests to war dialing to physical security, inspections,
and looking at policies and procedures, everything from screen savers
to port scans and almost literally everything in between," McPherson
said.

Initially, the governor's agencies were targeted "because those are
the ones we can crack the whip on the easiest," McPherson said. But
after lawmakers saw how well those agencies fared against the Nimda
virus last fall, the legislature provided an additional $500,000 to
expand the program statewide, an effort that began earlier this year
and was completed in late September.

No agency got a clean bill of health from the company's security
assessment, McPherson said, and agencies have to fix any security
deficiencies themselves. The company will now start conducting
supplemental audits, "which come at a moment's notice [and] will be
systematic and ongoing."

If a governor's agency starts to "drag," McPherson said the governor
would get involved. If a cabinet agency doesn't comply, then the
legislature will hold a joint session behind locked doors to hear the
complaint and possibly reprimand the agency. "We have never had to do
this and that's the beauty of having the power," he said. "If you have
the power and other people know you have the power and you're not
afraid to use it, then they will comply."

The security office also is providing training to agency security
officers to bring them up to a specific level of competence. The state
also is developing security policies and procedures.

"Agencies will be allowed to adopt more restrictive policies, but no
agency will be allowed to exempt themselves from the policies," he
said, adding the baseline policies should be finished by year's end.

McPherson said the state "doesn't profess to have the best solution,"
but is "bore fruit."

"The one thing that we do recognize is that we're only as good as our
next foray into the unknown and that's why it's so important for these
audits and these vulnerability assessments to be ongoing," he said.
ISN is currently hosted by Attrition.org

This archive was generated by hypermail 2b30 : Thu Nov 14 2002 - 02:40:13 PST