MAXIMUM SECURITY

New York is one of the first cities to appoint a data-security chief

By Steve Towns
In a rare move for local government, New York City appointed a chief information-security officer to take a comprehensive look at the city's data security.

R.A. Vernon, a former private-sector security consultant and security manager, became New York City's chief information-security officer late last year. Acting much like a CIO on information-security issues, Vernon is creating citywide security standards and building a security architecture designed to protect government software applications and networks.

"I was brought in to develop a new organization for the city that deals with information security, risk management and computer threats," said Vernon, who operates within New York's Department of Investigation. "We'll be developing processes to ensure that the information infrastructure is protected, both internally and externally. We'll be evaluating security products and developing security solutions."

While executive-level security positions such as Vernon's are unusual today, observers expect them to gain popularity as electronic commerce forces governments to rethink the way they protect information assets. "The Internet has thrown security to the forefront," he said. "In the mainframe days, it was more of a back-office type of thing."

One of Vernon's key responsibilities is to take a strategic view of information assurance. "New York City has more than 60 different agencies. A majority have security groups that maintain the security controls and parameters for a particular agency," he said. "But there was no one to look at it from a higher level, to do some of the analytical things that are needed."

He said a cracker trying to break into city computers may try to enter systems at several different agencies. But while agency security personnel battle individual attacks, the incidents have not been reported to a central security official until now.

Vernon intends to standardize how the city reports and analyzes security incidents, allowing him to examine security threats. "At a higher level, I may see five of my departments being attacked -- so there's a bigger thing going on," he said.
SHOWING COMMITMENT

Creating executive-level security positions is a relatively new trend in government and private industry, according to Laurie Wagner, senior vice president of marketing at ICSA.net, an Internet-security firm based in Reston, Va. More commonly, organizations assign data-security responsibilities to network administrators, or even to human-resources personnel.

However, high-level security posts are beginning to appear at organizations expecting to make significant use of Web-based transactions, said Wagner. "It's a reflection of their commitment to both the type of information that's going to be available over the Net, and the type of transactions."

The birth of these positions also reflects the growing complexity of protecting electronic data in a Web-enabled age.

"In a mainframe environment, the way you controlled security was by restricting access, but the old ways of looking at security don't work very well in the Internet world," said Wagner. "One of the transitions that has to be made -- and I think this speaks to the creation of these new types of positions -- is to have a new way of thinking about implementing your security.

"You need to achieve security with this data at the same time you're giving everyone access to it," she said. "It's completely opposite thinking from traditional IT security."
TWO ISSUES

At the root of the problem, according to Lee Mandell, director of information technology and research at the North Carolina League of Municipalities (NCLM), is that local governments are beginning to pry open the barrier that once shielded their back-office computer systems from the outside world.

Thanks to Internet technology, cities and counties are experimenting with any number of electronic-commerce transactions. At the same time, they are linking field workers and telecommuting employees to important IT applications via remote-access tools.

But while the technology promises vast benefits, it comes with significant risks. "You are opening up your core systems to threats from the outside and that's very new and scary," said Mandell. "Although you can build in multilevel security systems, you still don't have total confidence."

He expects local governments to face significant challenges in identifying and authenticating citizens performing online transactions. Securing assets like portable computers also will become a major worry as government workers become more mobile.

"There's a lot of concern about having a laptop stolen," said Mandell. "If it's a remote-access PC, people can get into your system with it. A lot of people automate the password, so all you have to do is log right onto the system."

Wagner said organizations with a Web presence must pay closer attention to information security. "There's a misconception that you have to be doing some type of financial transaction to have security become an issue," she said. "But the fact that you're giving Internet access to your system at all -- even if it's just an informational site -- potentially puts at risk other information that's on your network."
NOT FOR EVERYONE

These and other issues will push large local governments toward the creation of central information-security positions, said Mandell. But that won't be an option for small cities and counties. Instead, smaller jurisdictions, like those represented by NCLM, will rely on state government IT organizations to set security policy and devise strategic solutions.

"There are some things you probably need in-house staff to handle. But the deep-thought-type things and the exploration and experimentation -- we can't afford to do that on the local level," he said. "We're letting the state take the lead on some of these security issues, and, as much as possible, we will piggyback."

Mandell expects North Carolina's IT organization to sort out how government will use public-key infrastructure to authenticate e-commerce users, as well as to develop broad security and privacy guidelines. Local governments throughout the state will then have the option of adopting the state's security policies.

Mandell, who represents local government interests as a member of the Information Protection and Privacy Committee of North Carolina's Information Resource Management Commission, said organizations like NCLM are conduits to deliver information on state-level data-protection activities to local officials.

Regardless of whether they appoint internal security officials or look for guidance from state-level organizations, local governments need clear leadership to safeguard their systems and information assets, added Mandell. "You need a strong leader -- and someone who's recognized as a strong leader -- because these security decisions will affect all operations."
GET WITH THE PROGRAM

Vernon said establishing his position within New York's Department of Investigation signals that the city is serious about implementing enterprise-wide security procedures. The department investigates corruption among city workers and contractors. It also studies city operations to recommend improvements.

"You'll find that the department is well respected throughout the city. If the department says something needs to get done, there are really no ifs, ands or buts," he said.

Vernon is charged with reviewing all new city projects to assess security risks, a task complicated by increasing use of e-commerce. One priority is ensuring that security concerns aren't trampled in the rush to provide citizens with convenient new Web-based information and transactions.

"My challenge is to make sure all of the players are enlightened about what the risks are," said Vernon. "They are advocating that we march forward -- go, go, go, go -- and I'm standing at the door saying, 'We need to slow down. There are certain steps that need to happen before we can push forward.'"

Another item on his agenda is boosting security awareness among city employees. He is creating a program of seminars and training aimed at helping workers understand their information-security responsibilities.

"Security isn't just my job; it's everyone's job," said Vernon. "For example, we'll be telling city employees, 'If you see somebody strange sitting at a computer, challenge them.' Something as simple as that could save the organization a lot of headache."

And while Vernon's position appears to be rare in government organizations today, he doesn't expect it to remain that way. "You'll find a lot of governments are starting things like what we're doing here -- creating a central body to oversee other agencies and steer them in the right direction," he said. "You're going to see a growing number of government agencies heading down the same path."

Steve Towns is editor of Government Technology Reseller.