> > Andrew, what sort of standards would you suggest?

I think the best way to approach this is like any complex security project. Rather than obsessing over a single technology and making blanket mandates like "EVERYBODY MUST USE THIS TECHNOLOGY," the ideal way would be to draft some standards and then require agencies to fulfill those standards. And fortunately, I don't need to suggest standards. There is already a good template: HIPAA and/or GLB.

The whole process might break down like this:

Phase One - Adopt Standards

Fortunately, we already have two very useful standards out there: HIPAA and GLB. Both provide a good framework for increasing security. These standards could be relatively easily retrofitted into the state's requirements. Hire a firm to draft a standard, circulate it, take comments, and get them signed off. In order for this to happen the governor or legislature needs to commission this and also discourage people from the normal in-fighting and technology holy wars that erupt from these standards.

Phase Two - Publish Standards and Set Roadmap for Adoption

The next step is to publish those standards and then set up a roadmap for agencies to adopt them. Money needs to be allocated from the state budget to help agencies fulfill the standards. A deadline should be set, similar to HIPAA and GLB, for all agencies to become compliant.

Phase Three - Implement

Agencies have a set amount of time to begin implementing the standards. I am sure a crop of third party vendors would pop up to do the work of securing systems. And the good thing is that once those standards are in place, each vendor can be held to that standard.

Phase Four - Auditing and Compliance

The last step is for each agency to undergo an audit by a DIFFERENT firm to make sure each agency is in compliance. Non-compliant agencies will be reported and agency directors should have their feet held to the fire if they fail to be compliant.

The HIPAA and GLB standards are pretty complex, but do not mandate any specific technology or solution. They establish basic goals like "encrypt data when it moves" and "monitor for intrusions" and "have a process to handle issues."

Clearly if the implementation could be centralized, that could reduce costs. But it also would mean monolithic solutions. Ideally, each department should have the freedom to implement what it wants - provided the end result is heightened security.

And I would side with Crispin that one of the standards should be that any custom designed software or systems must be "owned" (not to be confused with 0wned) by the state. That is, they must hold the source code.

------------------------------------
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
(503) 644-5656 office
(503) 201-0821 cell
http://www.anitian.com
------------------------------------
This archive was generated by hypermail 2b30 : Wed Sep 25 2002 - 18:07:56 PDT