FEATURE STORY
Surfing the Digital Beat
New York takes the security lead with the first state and municipal information-security officers.
By John Marcotte - January 28, 2001
It took New York state's freshly minted Information Security
Officer Laura Iwan just two months on the job before she felt the
love. Unfortunately, it was the ILOVEYOU virus.
"We have a
discussion list for all ISOs [Information Security Officers] in
state agencies. We routinely post things that we think are of
interest that they should be aware of. As soon as we got word about
the Love Bug, we broadcast the word out to the agencies - but it was
already too late," she said ruefully.
Iwan, a lifetime civil
servant with 12 years' experience in information security, didn't
single-handedly stop the Love Bug virus in its tracks. But her
office provided a centralized source for the distribution of
information, and after her baptism by fire she has plans to improve
how the state handles the next security hole that crops up. After
the virus hit, Microsoft released a security patch for Outlook.
"[Our agencies] were all in competition with the rest of the world
trying to download these patches as soon as they became available,"
she said. The congestion delayed the implementation of the fix. Next
time, Iwan plans to download a copy of the patch and distribute it
via the statewide intranet.
Information security officers
are an old idea in the private sector, but New York is the first
state to create the position. "Security has always been a focus for
the office since we were a task force," said Will Pelgrin, executive
deputy commissioner of the Office for Technology (OFT). "As we
decided to move forward, we decided that a statewide approach with a
statewide security officer made sense."
"Security is
becoming a much higher priority," Tom Duffy, deputy director of
administration of the OFT, said. "With Y2K behind us, we are
starting to focus more on security, as I assume all public and
private institutions should be doing."
One public
institution that focused on security even earlier than New York
state is New York City. It has been over a year since NYC created
its own information-security officer, a first for any major city.
"We meet with [the city] regularly to talk about common
issues or joint initiatives," Duffy said. "They're developing a
security office also - sort of a different approach than ours."
The Naked City
The difference in approach could
be attributed to a difference in organization. Iwan's office is
organized under the state Office for Technology, an IT management
office. The chief information-security officer for the city, R.A.
Vernon, works for the Department of Investigations, a law
enforcement agency.
"The approach that the state is using is
the approach that has been used historically," Vernon said.
"Information security has for the most part always fallen under an
IT director or CIO. It wasn't until three or four years ago that the
private sector started to look at the position a little bit
differently."
"It's not good enough to just develop
standards and set them out there," he said. "You really have to take
time to educate and re-educate your population, so that they have a
true appreciation for the things you're asking them to do."
Vernon came from the private sector, where he held the
position of information security officer for several banks and large
corporations. Although he feels the challenges facing the private
and public sectors are similar, Vernon admits that he was not quite
prepared for dealing with governmental bureaucracy. "It's been a
culture shock," he said dryly.
But he adapted quickly and
has been instrumental in expanding and redefining the role of an
information security officer.
"The position in the minds of
the individuals that were trying to push this thing forward was
stated as the 'Internet Security Officer' or something like that. So
it was very Internet focused, " he said. "The city is moving rapidly
to becoming an e-government. They had concerns with being on the
Internet, so that was the slant they put on it."
Inside Jobs
"Once I got in, I had to go through a process of
educating everybody that the Internet is a small piece of a bigger
pie," Vernon continued. "Information security has a broader
spectrum. People have always used this cliché: 'You're only as
secure as your weakest link.' But it's true. You can have all the
security to protect yourself to the Internet. But if you have a
workstation open on someone's desk that has access to the same
information you are trying to protect, there's an open door right
there."
"Statistically, the majority of the security threats
or penetrations happen internally," he said. "That's another thing I
had to really sell to the management throughout the city, because
they truly didn't understand or appreciate that. They thought that
most of their vulnerabilities would be once they connected to the
Internet. There have been a number of statistics generated that show
that the majority of your threats are internal."
Vernon has
positioned his office as an authority on security issues and a
resource that agencies can turn to for advice. But he is taking
steps to institutionalize his role in IT policy decisions.
"What we've been successful at doing is to position
ourselves so that we are part of the approval process," Vernon said.
"As applications are being developed, we're looking to be part of
the project lifecycle, so that we make sure the applications are
being developed with the proper controls in place. At the end of the
day, if all of that has happened, then the sign-off is not a
problem."
Iwan's office at the state focuses on
consensus-building as a means of distributing information. "We're
not a control agency," Iwan said, "so we don't impose things on
agencies. We make recommendations through our technical policy and
our best practices."
"I think it's consistent with the
philosophy not to necessarily carry the big stick -- to do it
through persuasion," said Duffy. "When we develop policies, we have
workgroups composed of the agencies. Stakeholders have input in
helping us develop what the policies are. So we're not putting
anything on them that's over-burdensome."
Iwan is still
defining her role and has been exceedingly busy in her first few
months as she meets with information-security officers from agencies
around the state.
"I need to take a few moments, define some
positions and start hiring staff," she admitted. "I think if I took
the time to do that, it would be a great help to me at this moment
in time."
Team-Building
Iwan is not alone. Almost
a year ago, the OFT required that every agency have an
information-security officer. Iwan uses this network of about 70
security experts to collect and disseminate data and ideas regarding
security issues.
"One of the challenges that I see is
winning the confidence of the ISOs, so that they are willing to
share their concerns and issues, so that we can work collectively to
bring a statewide solution to problems," she said. Iwan said the
bulk of her effort to date has involved meetings around the state to
take input and promote security-consciousness.
Coordination
is just the first step, Vernon emphasized. "This type of unit can
only grow and get better with time," he said. "Technology is only
going to get more and more complicated. Technology will always have
the risks that are inherent to technology."
"Since Laura
started three months ago, it's amazing how much has been
accomplished already, and it's just the beginning phase of this,"
Pelgrin said. What's even more amazing is that evidently no other
jurisdictions are considering following New York's example. Both
Vernon and Iwan report that no one has called to inquire about
setting up similar posts.