The security programs of state government systems, which span multiple agencies, departments and other organizations,
lack sufficient oversight, according to a new study that analyzes cybersecurity readiness at the state level.
The state agencies don't do any type of compliance checking against any of the frameworks.
directorDeloitte and Touche LLP
Many state CISOs lack the authority to ensure personally identifiable information (PII) is protected in all agencies and departments, according to a new study that analyzes cybersecurity readiness at the state level. The lack of authority is resulting in the failure of states to adequately measure the effectiveness and progress of security programs and security program management , according to the 2010 Deloitte- National Association of State Chief Information Officers (NASCIO) Cybersecurity Study. Making matters more difficult is the growing use of third-party providers that increasingly deal with PII that needs to be protected, the study found.
"In terms of governance, the chief information security officers should have solid-line reporting relationships to the individual agency security officers," said Srini Subramanian, director of Deloitte and Touche LLP and co-author of the report.
CISOs from 49 states participated in the Deloitte-NASCIO Cybersecurity Study, which asked questions about governance, security strategy, budget and internal and external threats. The report, which will be released Tuesday, found states making progress bolstering network security and endpoint protection, but the process of managing risk and measuring the effectiveness of security programs is lacking in many states, with each agency and department running disparate security programs.
A majority of the states in the survey indicated an alignment toward guidelines issued by the National Institute of Standards and Technology (NIST), a move that could further strengthen systems against internal and external attacks. Still, the move could fall short, according to the study, because federal agencies are somewhat held accountable for implementing and documenting agency security programs under the Federal Information Security Management Act (FISMA).
"The state agencies don't do any type of compliance checking against any of the frameworks," Subramanian said. "Most of the states seem to have a desire to align with NIST, but there is still nothing that really demands that they need to measure and do risk assessments against a particular framework on a regular basis."
The report recommends that states follow a single security framework. Subramanian said state legislatures should enact a law putting in place audit and compliance mechanisms to measure the effectiveness of security programs within each state agency -- a move that is being done in some states.
In addition, the economy has taken its toll on state security programs. Nearly half, about 46% of those surveyed indicated that their budget was reduced in 2010. The survey found that information security makes up only 1% to 3% of the overall IT budget. When state agencies receive a boost in federal funding, IT security saw only minimal increases, Subramanian said.
The economy has also caused some states to look at third-party service providers to administer social services and other programs, further complicating data security at the state level. About 20% of the respondents reported they were "not very confident" at all in the information security practices of their third parties, and 69% of those surveyed said they were only "somewhat confident."
"Most of the states seem to resort to the use of contractual ways to transfer risk and protect the states, but most of these providers are small enterprises and don't have the wherewithal to implement adequate security measures," Subramanian said.
The study recommends that states continue to push third-party providers to improve security, but states could benefit by adding compliance checking and auditing. The addition of data loss prevention technology could help prevent data loss when third-party providers tap into state systems.
Despite spending on network security and endpoint protection -- nearly all states have firewalls, intrusion prevention systems and antivirus measures in place -- the study found a noticeable lack of attention to internal threats. State CISOs said 55% internal breaches over the past year resulted from an accidental loss of an unencrypted laptop or hard drive.
The increasing use of Web-based applications is also causing a problem with inadvertent loss of information. Employees can access applications from home and generate reports that may contain PII, with little or no control over protection of the data, Subramanian said.