• About GTA
  • Board of Directors
  • GTA Leadership
  • Career Opportunities
• News & Information
  • Headlines
  • IT for State Executives
  • Multimedia
  • GTA in the News
  • GTA Blogs
  • GTA e-Newsletters
• Services
  • Data Sales
    • Bulk Corporations Data
    • Dealer Internet Inquiry
    • Georgia Felon Search
    • LicenseMatch
    • Motor Vehicle Reports
  • IT Infrastructure Services
  • Managed Network Services
  • Professional Services
  • Unified Messaging
    • Unified Messaging FAQs
• Initiatives & Programs
  • State Technology Transformation
    • Contracts Overview
    • Service Management Organization (SMO)
    • Service Transition Planning
    • Assessment Briefings - 2007
    • Procurement Briefings - 2008
    • Definitions of Terms
    • FAQs
    • Related Documents
  • IT Expenditures Report
  • Wireless Communities Georgia
  • State Portal
• Procurement
  • Hardware Contracts
    • 2-Way Radio
    • Apple Computer
    • Digital Copiers
    • Network
    • RISC Workstation
    • Video Conferencing Equipment
    • WSCA
  • Services Contracts
    • Employee Time and Attendance Management Solution
    • On-Site Computer Equipment Maintenance (PC Maintenance)
    • Two-Way Radio Maintenance
    • Wireless Communications Devices and Services
  • Software Contracts
  • All Contracts - Alphabetical Index
• Governance & Planning
  • Enterprise Information Security
  • Enterprise Policy, Standards & Architecture
    • Application Development
    • IT Management
    • Operations
    • Security
    • All Policies and Standards
  • Enterprise Strategic Planning
  • Enterprise Program and Project Management Office
    • Agency Project Requests
    • Project Management Training
    • Project Management Methodology Library
    • Enterprise Performance Life Cycle
    • Project Assurance and Independent Verification & Validation (IV&V)
    • Portfolio Management
• Contact Us
  • Driving Directions
  • Find Your Service Delivery Consultant

Home > News & Information > GTA Blogs

Georgia Is On The Right Track With Security As Well

Mark Reardon, State Information Security Officer

04/24/2008

Governor Perdue’s Executive Order regarding information technology security reporting requires GTA to develop the format and required content for annual agency information security reports (ISRs). With his Executive Order, Governor Perdue is taking the leadership role in addressing the information security needs of the state. For the first time, agencies will produce uniform ISRs that will allow senior state leaders and citizens alike to measure the effectiveness of the state’s information security efforts.

In further moves to improve Georgia’s overall information security posture. GTA’s Board of Directors approved 27 new technology security policies and Patrick Moore, CIO for the State of Georgia, approved 41 technology security standards for use by all state agencies, including the new reporting standard required by the Executive Order.

This is an awful lot of information to take in, so what does it all mean? Simply stated, Georgia needs to improve its overall IT operations (see GAIT 2010) and this includes our information security practices. The GAIT 2010 project includes many operational security improvements, but more is required to have a successful program that supports the Governor’s goal of becoming the best managed state.

The vision of the information security program is, “That each state information system has an owner that has made an informed decision to accept the risks associated with operating that system.” Therefore, the practice of information security is to identify those associated risks and properly manage them. It is not an absolute science, but it should be based on fact-based decisions and processes. The annual ISRs will provide state decision makers with the facts necessary to ensure that future decisions are well grounded in fact.

Another important point regarding our information security program is that it’s based on the management of risks, not vulnerabilities. Vulnerabilities are one component of risks, but they are not the complete picture. Risks are actually based on the combinations of threats, vulnerabilities and the potential impact of a security incident. When an organization focuses simply on vulnerabilities, it loses sight of that larger picture.

Dr. Peter Tippett points out that only 3 percent of the computer vulnerabilities that have been discovered are ever exploited. That means an information security practice that simply focuses on remediating vulnerabilities is wasting a lot of its effort. Few organizations can afford that amount of waste. Additionally, those that have tried to remediate all vulnerabilities quickly discovered it is an endless challenge. It is not uncommon for new vulnerabilities to be discovered at the rate of 5 to 10 per day. This creates a race that no organization can win.

With limited resources, a risk-based focus prioritizes Georgia’s security spending based on threats, vulnerabilities and the potential impacts should a system be compromised. If any of these three values is close to zero, then the risk is also close to zero, and our focus should be elsewhere. Those systems with the highest potential impact and that are vulnerable to active threats should be given priority. This may sound basic, but it is important to remember. The focus is risk management, not vulnerability management.

The federal government recognized the importance of focusing on information risk management when Congress passed the Federal Information Security Management Act (FISMA) in 2002. It instructed the National Institute of Standards and Technologies (NIST) to develop a risk management framework to be used for all federally owned information, such as tax, medical and educational records. The FISMA Implementation Project at NIST has made a vast amount of documentation available for public use as well as for those using federally owned information.

Many of Georgia’s agencies use federal information, and those agencies must use the FISMA risk management framework. For simplicity and consistency, Georgia’s new information security policies and standards are based on this framework.  By using one framework and one reporting standard, our focus will be on risk reduction and mitigation rather than supporting multiple families of standards.

The federal government has spent millions of dollars to develop the FISMA risk management framework. It has been vetted by industry and federal agencies, and it continues to be improved based on issues and feedback. By using this proven methodology, Georgia will leverage this federal spending, and more importantly a proven methodology, for the good of our state.

There is one more important point to make about Georgia’s new information security program. Our legislature excluded security plans and vulnerability assessment information from disclosure under the Open Records Act. This is very important for the proper protection of our information and information systems. The ISRs will be publicly available. This will lead to transparency regarding the effectiveness of our security program and the development of confidence from our citizens whose personal information we are entrusted and obligated to protect.

While our primary focus within information security is on risk management, the current Information Security Strategic Plan includes other areas of focus: business continuity planning, workforce training and awareness, standardization and collaboration. GTA will constantly evaluate the risk landscape and consult with industry and state agencies to develop new strategic focuses for state security improvements. By continually adjusting our focus areas, and measuring and reporting on our progress in these areas, information security will become a strength of Georgia’s government.

Feedback Georgia Is On The Right Track With Security As Well

*Name:
*Email address:
*Enter your feedback below:
*Enter enter both words, click refresh for new words: