The State of Security
When hackers broke into a state Medicaid server in March 2012, they stole the personal information of 780,000 Utahns, including 280,000 Social Security numbers. Fallout from the breach resulted in the ousting of Utah’s Chief Information Officer, Stephen Fletcher. His successor, Mark VanOrden, who came to the Utah Department of Technology Services (DTS) from the Department of Workforce Services, has been on the job as state CIO for a little more than a year.
What led up to the breach and what has the DTS done to shore up data security at the state level since VanOrden took the helm? Under questioning by lawmakers shortly after the breach, VanOrden highlighted a variety of security flaws he had found: breakdowns in protocol, human errors, management issues and security holes (such as unencrypted data).
In the 18 months since he became state CIO, VanOrden’s security response has been thorough, even exhaustive. “The people that are attacking us are very sophisticated and they are persistent. We block, on average, 50 million potentially malicious attacks a day through our firewalls in our data center,” he says.
Security measures VanOrden has implemented include the reorganization of the entire security group, putting all of the security people under Tim Hastings, state chief information security officer (CISO). Previously, some of the security people were working in the hosting group and others in the desktop support group. Hastings further divided the group into two teams, one that monitors statewide issues and security products and another that focuses specifically on supporting the state agencies with their risk-based security decisions.
VanOrden also went to bat for more money from the State Legislature to fund an increase in cyber security. He upgraded the state’s firewalls and security monitoring software and implemented 24/7 monitoring of the data center. VanOrden says two people are onsite at the data center at all times, including holidays. One person monitors network operations while the other monitors all incoming and outgoing network traffic.
“We are constantly looking for things that are not right and then taking immediate action according to what we see,” he says.
Other measures include the revision of all state information security policies to meet the specifications of the National Institute of Standards and Technology (NIST). He also updated all processes and procedures for developing and deploying new applications. “We’ve tightened everything up and revised our entire change-management process for implementing any hardware and software changes,” he says.
The DTS recruited auditing firm Deloitte & Touche to perform an information security assessment of all 22 cabinet-level agencies. VanOrden’s team is currently working through each of the assessments and taking action on security issues identified by Deloitte. “The assessment identified things we could certainly do better,” he says, noting that some of the state agencies pushed back regarding the new information security efforts until the Deloitte & Touche assessment was complete.
“After that, most of them saw the light now and understand the security. No one wants to be the next agency to have a security breach,” he says.
VanOrden says other improvements include the organization of a new incident response team and additional security training for the development teams. The mistakes that were made a year ago were typically in the development team areas, he explains, noting that after the security breach in 2012, the department didn’t respond as well as it should have.
VanOrden has also implemented a statewide security council under the direction of the governor’s office that includes five cabinet members, the chief operating officer and the CISO. The council meets monthly to discuss security issues, policies and best practices, and guides the implementation of statewide information security policies. Thanks to the security council, each state agency is getting more involved in information security than ever before.
“Now they are compelled to do so because of the security council,” says VanOrden.
The DTS recently assisted the state agencies in completing risk assessments for each of the roughly 1,100 applications the agencies use and in classifying agency data. The assessments helped determine where the vulnerabilities are, and the DTS then categorized each vulnerability as high, medium or low risk.
“We’ve looked at where we have high risks and are taking immediate actions on those,” he explains. “We needed help from the agencies and they needed to take charge, so we supported them in the assessments, but it was under their direction.”