GOVERNMENT TECHNOLOGY/Managing the risks of going online
In the fast-paced world of information technology, local governments are pressed to keep up with hardware and software needs, leaving little time for them to stay in step with changing liability and security issues. As a result, a growing number of local governments are facing IT-related dangers without even knowing they are at risk.
That was the case in Issaquah, Wash., which, unaware of changes in its licensing agreement, was charged with software piracy when it added users based on its previous agreement. And there are other, grayer, risks that threaten the online government. For example, equality issues relating to the digital divide and access of disabled persons to online services; questions of security regarding the use of e-mail for “discussion” of official business; and problems related to hacking, as illustrated by recent denial-of-service attacks on systems in Sunnyvale, Calif., and Denver, all are potential threats.
As part of the Technology Risk Assessment Project, sponsored by Washington, D.C.-based Public Technology Inc., local government representatives – including IT professionals – from nine communities gathered recently to identify online risks and discuss the actions they are taking to minimize exposure. Not surprisingly, security and privacy topped the list.
Participants in the workshop agreed that, to secure online data, a local government must first define the parameters for sensitive information (i.e., what constitutes sensitive information?) and identify the data that falls within that classification. It must then define the nature of a security breach as well as a privacy violation.
Security and privacy are partners in the operation of online services. While local governments may differ on their definitions of privacy, almost all agree that it should be protected.
Many local governments are using a combination of firewalls, encryption, security alert software and system auditing to ensure that their web sites and computer systems remain secure. Others, such as Tucson, Ariz., and Greensboro, N.C., are centralizing their computer systems to limit access and to bolster protection of data and technology.
Additionally, many local governments have posted privacy policies on their web sites, and at least one state (Virginia) has made such postings mandatory. Typically, the policy defines the activities that are permissible and those that are not permissible, and it identifies the data that will be collected from users’ computers and explains how that information will be used.
The presentation of public information on the Web produces endless questions about privacy and liability. For example, many local governments are struggling with the issue of putting court records online. Similarly, there are questions about the receipt of information through online transactions: How does the government protect itself against fraud? How will receipt of “outside” information affect the accuracy of the government’s database? Is there liability if data is lost or stolen during an online transaction?
Workshop participants offered a variety of recommendations for minimizing risk when conducting business online. For example, they approved of digital signatures as a means to improve security, and they supported the use of transaction confirmation software (i.e., a program that will send a note to the customer confirming that a transaction has been successfully completed). Additionally, they recommended that transactions originating from anonymous e-mail addresses not be accepted – if it becomes necessary to trace a transaction, the government should be able to trace it back to a real person.