As a result of a breach of the state's tax IT system that exposed Social Security numbers and other personal information of nearly 4 million people, South Carolina's inspector general calls for the state to centralize the way it governs information security.
The existing approach creates a statewide IT security posture that's inadequate, Inspector General Patrick Malley writes in the 18-page interim report issued Dec. 3. The report points out that no state entity has the authority or responsibility to provide IT security standards, policy and oversight statewide. The Division of State Information Technology, led by a chief information officer, can suggest policies and provide ad hoc support to other agencies, but it has no power to require agencies to adopt IT security policies.
"The lack of standard policies produces uneven quality in individual agency security postures," Malley says. "This decentralized approach also prevents the state from understanding, let alone managing, statewide infosec risk which has the capacity to impact the entire state government."
A hacker, believed to be from Eastern Europe, this past summer stole a state employee password that led to the breach of the South Carolina tax system, resulting in the exposure of records of more than 3.8 million individual and 700,000 business tax filers. The breach is likely to cost the state at least $12 million [see Stolen Password Led to South Carolina Tax Breach].
Agencies CIOs Back Centralized Approach
The IG says his office interviewed the CIOs at 18 state agencies, and nearly all of them contend the existing state approach to IT security is less than adequate and a statewide standard to secure its digital assets should be adopted. "There was a sense agencies were conducting mission critical infosec, but had little capacity to be proactive in an increasing threat and vulnerability environment," Malley says.
Leaders at the state Division of State Information Technology told Malley they agree with the agencies' CIOs assessment that IT security should be centralized in state government.
Citing a 2012 national survey of state CIOs, Malley points out that its two top findings focused on information security funding and working in a highly decentralized environment with little central authority over agencies' security.
"The motivation to address these same two issues now in South Carolina looks completely different through the prism of the post-DOR breach," Malley says. "We recognize security breaches can be far more costly than robust infosec programs, especially when coupled with the incalculable cost of regaining lost citizen trust. Given the state's low risk tolerance for another significant data loss, the current level of statewide infosec risk is not acceptable."
Steps to Take to Improve IT Governance
Malley offers six recommendations:
- Establish a statewide information security program;
- Establish a federated governance model;
- Establish a CISO position outside of DSIT to lead the development and implementation of a statewide information security program;
- Designate a leader to take responsibility for proactively driving statewide information security issues while legislative alternatives pertaining to the statewide CISO position are weighed;
- Establish a steering committee to expedite and provide oversight of the development of a statewide information security program;
- Hire a consultant to assist building the governance framework and developing statewide information security implementation options.
Malley says that if the state accepts his recommendations, a governance framework should be constructed in a highly collaborative manner with state executive leaders and agency representation.
The IG says he's planning another report that will focus on the costs and timetable to develop a long term and sustainable information security program to reduce risk at the agency and state level.