http://www.fcw.com/geb/articles/2002/1111/web-fla-11-13-02.asp

By Dibya Sarkar
Nov. 13, 2002

As Florida information technology officials began preparing for the Year 2000 conversion, they also became concerned about cyberterrorism.

"We were going to have to worry about worms, viruses, hacking and other acts of cybervandalism and cybersabotage forever, and we felt that we needed a permanent presence to be able to deal with the issues," said Scott McPherson, who led the state initiative. "Nobody was thinking about al Qaeda back in those days."

The concern led to the formation of the Office of Information Security about two years later to handle protection for all Florida state agency information systems. The office, which is housed within the State Technology Office, now has a staff of seven and a budget of $4 million.

"We tried to always be mindful that we had to take an enterprisewide approach to this especially with all the interoperability and connectivity issues between agencies.... Otherwise, you just try to do this agency or that agency or the other agency, and you're still going to leave yourself wide open," said McPherson, the chief information officer for Florida's Corrections Department and the leader in creating the information security office.

Even before Sept. 11, 2001, state governments had increasingly become aware of the risk to their information systems and had begun implementing statewide strategies to protect their data and critical infrastructures. Just how many states, or to what degree, is unclear.

The National Association of State Chief Information Officers (NASCIO) has led the charge for greater security and, this summer, issued a report calling for stronger public-sector measures in cybersecurity protection. It is also developing an Interstate Information Sharing and Analysis Center to provide aggregate state incident data, early warnings and notices.
At NASCIO's annual conference last month, McPherson discussed Florida's approach, which included contracting with a vendor - in this case, Herndon, Va.-based TruSecure Corp. Such an arrangement was important, he said, to get a true, independent assessment.

"I've recognized from my prior experience and my Y2K experience that state agencies when left to their own devices will rise or fall to their own levels of competence," he said.

TruSecure recently finished a statewide security audit for the state's three branches of government. Audits included "everything from penetration tests to war dialing to physical security, inspections, and looking at policies and procedures, everything from screen savers to port scans and almost literally everything in between," McPherson said.

Initially, the governor's agencies were targeted "because those are the ones we can crack the whip on the easiest," McPherson said. But after lawmakers saw how well those agencies fared against the Nimda virus last fall, the legislature provided an additional $500,000 to expand the program statewide, an effort that began earlier this year and was completed in late September.

No agency got a clean bill of health from the company's security assessment, McPherson said, and agencies have to fix any security deficiencies themselves. The company will now start conducting supplemental audits, "which come at a moment's notice [and] will be systematic and ongoing."

If a governor's agency starts to "drag," McPherson said the governor would get involved. If a cabinet agency doesn't comply, then the legislature will hold a joint session behind locked doors to hear the complaint and possibly reprimand the agency.

"We have never had to do this and that's the beauty of having the power," he said. "If you have the power and other people know you have the power and you're not afraid to use it, then they will comply."
The security office also is providing training to agency security officers to bring them up to a specific level of competence. The state also is developing security policies and procedures.

"Agencies will be allowed to adopt more restrictive policies, but no agency will be allowed to exempt themselves from the policies," he said, adding that the baseline policies should be finished by year's end.

McPherson said the state "doesn't profess to have the best solution," but that the approach has "bore fruit."

"The one thing that we do recognize is that we're only as good as our next foray into the unknown and that's why it's so important for these audits and these vulnerability assessments to be ongoing," he said.

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Thu Nov 14 2002 - 02:40:13 PST