By Gretel Johnston
With the new year on the horizon, public sector CIOs face many of the same security threats as their counterparts in the private sector. In addition to implementing protection solutions against the growing assortment of viruses, worms, and other malicious code such as spyware, government CIOs are concerned about protecting data and developing more effective disaster recovery plans.
A recent Forrester Research survey of state and local government IT executives showed 71% said the job of upgrading their security environment was a critical or a high priority.
Other high priorities include consolidating their infrastructure and working to upgrade their infrastructures to support mobile employees, as government is the leading vertical industry for mobile deployments. The Forrester survey found that 63% of respondents said infrastructure consolidation was a critical or high priority, while 54 % said they were going to increase wireless network deployments in the next 12 months.
Among the major IT security concerns of state and local governments are viruses and worms, enterprise network security, disaster recovery, and data integrity. One issue is no less important than another, but state and local governments are never going to have enterprise network security if they don't first deal with virus, Trojan horse, and worm issues, says Shawn P. McCarthy, program manager for government and education markets for International Data Corp.
"Some agencies consider that they have a disaster recovery plan if they back up all of their PCs every night," he added. "In general, the more business and mission-critical the data, the more likely a government agency will have a full back-up plan, redundant data centers, back-up power supplies, and so on."
Doug Robinson, executive director of the National Association of State CIOs (NASCIO), says the members of his organization take security very seriously. "If you asked all 50 state CIOs where security falls in terms of their priorities, its going to be number one or number two," Robinson says. "Some would say it's just built into everything we do today."
State and local government CIOs are paying a great deal of attention to network protection, primarily focusing on keeping out those people who want to do harm. That has resulted in investments in enterprise-class protection with multiple layers of boundary defense, intrusion detection, and firewalls. Added to that are search and destroy functions that wipe out dangerous email before it even gets into anyone's system.
In addition to protecting against attacks from hackers and other intruders, state and local government CIOs have the following priorities for their IT organizations in 2006:
- Disaster preparedness and recovery In the wake of the September 11 terrorist attacks, and natural disasters such as Hurricanes Katrina and Rita, there is a move among states to perform enterprise-wide assessments and security training. NASCIO also is encouraging the U.S. Department of Homeland Security to include cyber security in state and local planning and preparedness process.
- Addressing network availability Government IT executives strive to make their systems as accessible as possible for employees working in the field and from home. For example, many municipalities' building inspectors file reports from laptops or PDAs, and police officers can access city or county databases from computers in their vehicles.
- Quick assessment of threats Is it a terrorist or a bored 15-year-old? A cyber attack could be a prelude to a physical attack or an attempt to cripple or completely shut down state government. There are new threats appearing regularly, and governments must be quick to assess them and take appropriate action.
State and local governments have discovered that good security is expensive. Some states may spend 10% to 15% of their annual IT budget on security, but that must be weighed against protecting a critical infrastructure necessary for such things as law enforcement, homeland security, and public health.
At the same time, there has been a marked increase in cyber attacks, and states have had to budget money not only for enhanced security, but also for response measures and incident reporting, Robinson says. Automation can help coordinate information shared among state agencies, notify all of them that an attack is underway, and then analyze it. The more state and local governments are able to automate such processes, the better; typically they cannot afford to do it manually.
State and local government also cannot overlook privacy issues, especially as their workforce becomes more mobile and wireless networks become more ubiquitous. There is no question they must secure data in transit, but now they must find ways to secure it while it's "at rest," Robinson said. There are also privacy issues surrounding consumer devices such as iPods and digital cameras that employees bring into work. Many states have done a good job crafting very broad policies that address personal electronic devices.
State and local governments also have found they must do a balancing act when it comes to some of the newest technologies such as wireless PDAs and smart phones, which provide obvious benefits to the mobile workforce but raise security issues. Many states don't have specific security policies that address the wireless and mobile environments, so their CIOs are revising security policies to include these environments.
Some additional ways state and local government CIOs can tackle IT challenges in the coming year include the following:
- "Focus on a single application with the greatest RIO," McCarthy says. City inspector work forces, for example, could be a good place to start because those employees must get out of the office to do their work, so there is the potential for ROI in terms of savings on labor.
- Consolidate home grown financial and human resource systems to greatly reduce software licensing fees and system maintenance costs. Implementation of enterprise-wide software to run financials and human resources is among the top 10 issues on the state CIOs' list of priorities, Robinson says.
- Appoint a chief security officer who can set and enforce standards for everything from firewall configuration to patch management.
- Pay attention to the best practices of other government agencies. States can turn to organizations such as NASCIO, while counties have the National Association of Counties. Individual states often have their own CIO councils and best practices groups. The General Services Administration offers an Intergovernmental Best Practices and Innovations group that can help state and local governments collaborate on process security improvements.
Conclusion
State and local governments face an almost overwhelming number of challenges in enhancing the security of their IT systems. That's why they are investing in enterprise-class protection for their networks with multiple layers of boundary defense, intrusion detection, and firewalls. At the same time, they must step up to the challenges of quickly identifying what's behind an attack, crafting privacy policies to cover wireless PDAs and smart phones, and assessing disaster preparedness.
Gretel Johnston is the former Washington correspondent for the IDG News Service. Her work has appeared in such publications as ComputerWorld, NetworkWorld and Federal Computer Week. She is now a freelance writer based in Washington, D.C.