GOVERNMENT TECHNOLOGY/Locking down on computer security
Gaithersburg, Md., learned the importance of managing a comprehensive security program following two significant computer security breaches in June. Those incidents made clear what computer security experts have been saying for years: Everyone is a potential target for a security violation. More importantly, the incidents taught the city that security must never be an afterthought.
The security violations began when a hacker guessed an employee's e-mail password and used the account to send off-color messages to city employees. Had the hacker stayed quiet instead of sending the e-mails, the city likely would never have known that its computer security had been compromised. Unfortunately, a password policy that was rarely communicated, combined with an inability to force periodic e-mail password changes automatically, left the city susceptible to that type of attack.
Immediately, city technology staff reiterated the e-mail policy at staff meetings and via e-mail. Those measures heightened awareness for all city staff about how each employee plays a role in securing the city’s computer environment. In turn, technology staff received feedback and support for implementing enhanced security measures in other areas of the city.
Soon after the e-mail password problem was solved, a worm exploited a well-known, unpatched security hole to hit one of the city's Internet-connected servers. Fortunately, the worm only defaced an internal Web site before moving on, but the same hole that let the worm in would have let a human attacker do far more, so the server had to be treated as fully compromised rather than simply cleaned up. The IT department brought in two third-party consultants to help secure the compromised server and the city's other Web servers and to tighten internal procedures for applying patches to servers.
Gaithersburg learned quickly why many experts refer to securing information systems as an exercise in risk management. Because it is impractical (if not impossible) to completely secure information systems, local governments must assess the potential for loss for each component of their information systems and develop a plan to minimize those risks.
IT departments can determine the risk attached to each system or database by predicting the operational effect of that system being unavailable, or of its data being exposed or altered. That inventory is best accomplished through a series of frank, open discussions with city or county management and possibly elected officials, because they, not the technology staff, know which services the public cannot do without. With a risk rating for each system, IT staff are equipped to establish appropriate user access controls and security measures proportionate to that rating.
Technology staff then must commit to implementing and managing an ongoing security program. Recurring tasks in such a program include educating users, monitoring whether the security measures are actually working, identifying and reviewing new security risks as they emerge, and continually adapting security policies and procedures to the needs of the city or county infrastructure.
A few good things resulted from Gaithersburg's computer security violations. First, city management became much more aware of the risks associated with deploying and managing technology projects. That led to more involved discussions about rolling out future online services, such as registration for Parks and Recreation activities. Now, security and risk management are discussed by all of the city's computer users and not only by technology staff.
Second, city management learned of the growing depth and breadth of security issues facing technology staff. Finally, the IT staff was able to demonstrate its value to the city by responding to security problems quickly and capably.
There are potential online security holes in any organization. Once a local government has calculated the risks particular to its own situation, it can assign resources accordingly and develop an effective, practical security program.
The author is IT director for Gaithersburg, Md.