State and local governments around the country are worrying as much as any business enterprise about protecting the sensitive data they hold, based on a look at security projects in places such as Arizona, Indiana and Florida.
Arizona's government last year decided to create state-level positions for both CISO and chief privacy officer (CPO), after the Federal Trade Commission ranked Arizona first among all states in identity theft, though the exact reason wasn't cited by the FTC. After the state passed legislation for more oversight, David VanderNaalt, named CISO, began working with Mary Beth Joublanc, the state's CPO, in the newly created Statewide Information Security & Privacy Office at the Statewide Information Technology Agency.
"This is an oversight agency," says VanderNaalt, formerly CISO for the City of New York for eight years and a witness to the Sept. 11 attacks.
VanderNaalt and Joublanc report directly to Arizona's governor, among others, about whether dozens of state agencies are complying with state legislation requiring agencies to report security incidents.
"In my role I see we have 100 different business models," VanderNaalt says about Arizona's dozens of agencies and their departmental activities. While many agencies collect data about security incidents, there needs to be a centralized way to automate collection from technical sources in addition to manual reports, he says.
Just last month, for example, to comply with state law, Arizona's Department of Economic Security had to notify the families of about 40,000 children that their personal data may have been compromised following the theft of hard drives from a facility where they were stored.
VanderNaalt says one approach he's testing at the agencies to report and track incidents statewide is a tool from Agiliance called RiskVision, though he adds that when it comes to identity theft, the private sector is likely to be at least as big a source of the problem.
But the purpose of the statewide office on security and privacy is to tackle wider concerns, too, including major online attacks, in order to respond with as complete a picture as Arizona's government can muster.
To do that, VanderNaalt knows he needs the trust of Arizona's employees.
"We're trying to position ourselves that reporting is a good thing, and you will get help," VanderNaalt says. The state oversight agency will also be conducting assessments of agency practices and technologies with an eye toward identifying statewide approaches to safeguarding security and privacy of data.
Indiana has already adopted a centralized approach to IT and security, and it appears to be working well, according to Paul Baltzell, director of distributed services. His department is responsible for desktops used across the agencies.
Four years ago, Gov. Mitch Daniels, annoyed that even the state's e-mail systems weren't fully connected (although its state WAN was), made the decision that there should be a state-level CIO office defining infrastructure requirements, including security policies.