State government chief information officers need to focus on information security threats within organizations as well as those coming from outside the firewall.
That's the view of a National Association of State CIOs brief released today. The report details five insider threats that warrant effective CIO action. Those are:
Malicious employees.
Inattentive, complacent or untrained employees.
Contractors and outsourced services.
Insufficient IT security compliance, oversight, authority and training.
Pervasive computing.
To address the insider problem, the report advocates a cooperative approach that involves the state's executive management and human resources departments and the CIO's office.
"We've always had the focus on the perimeter, but everyone is beginning to take a strong focus on what is inside now," said Tom Jarrett, Delaware's CIO and co-chairman of NASCIO's Security and Privacy Committee. "We're beginning to do a lot of work to get people to understand that they have to be as cautious, if not more cautious, about issues inside the perimeter than they do outside the perimeter."
The NASCIO report cites two prominent types of malicious insiders: information technology experts with the access and ability to crack systems and disgruntled employees who might be tempted to steal data. NASCIO suggests auditing employee access to IT systems as one way to deal with the problem. In the case of disgruntled employees, the report recommends cutting off access privileges before an employee is terminated or immediately after an employee resigns.
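The two controls the report names here, auditing employee access and revoking privileges around termination or resignation, both reduce to reconciling the HR roster against the accounts that are actually enabled. The following is an added example (not code from the NASCIO brief or any state's tooling) of such a reconciliation: it flags enabled accounts whose owner has left or has given notice, privileged accounts held outside IT, enabled accounts with no HR record at all, and accounts that have gone unused. The HR records, account list, the "IT" department name and the 90-day staleness threshold are all constructed assumptions for the sample.

```python
"""Access review: reconcile an HR roster against enabled accounts.

Added illustration of the 'audit access, cut off leavers' recommendation.
All records below are constructed sample data, not real people or systems.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    status: str           # "active", "notice_given", "resigned", "terminated"
    department: str
    effective_date: date  # separation date for leavers, hire date otherwise


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str      # "" when no HR record exists (orphaned/service account)
    enabled: bool
    privileged: bool      # member of an administrative group
    last_login: date


@dataclass(frozen=True)
class Finding:
    username: str
    severity: str         # "critical", "high", "medium", "low"
    reason: str


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def review_access(hr: List[HrRecord], accounts: List[Account],
                  today: date, stale_days: int = 90) -> List[Finding]:
    """Return findings sorted by severity; disabled accounts are skipped."""
    by_id: Dict[str, HrRecord] = {r.employee_id: r for r in hr}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already cut off; nothing to review
        rec = by_id.get(acct.employee_id)
        if rec is None:
            findings.append(Finding(acct.username, "high",
                "enabled account with no HR record (orphaned or unsponsored)"))
            continue
        if rec.status in ("terminated", "resigned"):
            # The report's core case: access must be gone by the separation date.
            findings.append(Finding(acct.username, "critical",
                f"owner {rec.status} on {rec.effective_date}; access still enabled"))
            continue
        if rec.status == "notice_given":
            findings.append(Finding(acct.username, "high",
                f"owner leaves on {rec.effective_date}; schedule disablement"))
        if acct.privileged and rec.department != "IT":
            # Assumed policy for the sample: admin rights stay within IT.
            findings.append(Finding(acct.username, "medium",
                f"privileged account held by non-IT staff ({rec.department})"))
        idle = (today - acct.last_login).days
        if idle > stale_days:
            findings.append(Finding(acct.username, "low",
                f"no login in {idle} days"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.username))


def sample_data() -> Tuple[List[HrRecord], List[Account], date]:
    """Constructed roster and account list used by run_sample()."""
    today = date(2024, 3, 1)
    hr = [
        HrRecord("E001", "Alice", "active", "IT", date(2019, 5, 1)),
        HrRecord("E002", "Bob", "terminated", "Finance", date(2024, 2, 15)),
        HrRecord("E003", "Carol", "notice_given", "HR", date(2024, 3, 10)),
        HrRecord("E004", "Dave", "active", "Finance", date(2020, 1, 1)),
    ]
    accounts = [
        Account("alice", "E001", True, True, date(2024, 2, 28)),
        Account("bob", "E002", True, False, date(2024, 2, 14)),
        Account("bob_old", "E002", False, False, date(2023, 1, 1)),
        Account("carol", "E003", True, False, date(2024, 2, 29)),
        Account("dave", "E004", True, True, date(2023, 10, 1)),
        Account("svc_backup", "", True, True, date(2024, 2, 28)),
    ]
    return hr, accounts, today


def run_sample() -> List[Finding]:
    hr, accounts, today = sample_data()
    return review_access(hr, accounts, today)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity:8}] {f.username:12} {f.reason}")
```

On the sample data the review produces five findings: Bob's still-enabled account after termination, Carol's pending departure, the orphaned `svc_backup` account, and two for Dave (admin rights outside IT, plus 152 days without a login). The disabled `bob_old` account is ignored, which is the state every leaver's account should be in.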
The report suggests, however, that lackadaisical insiders are more of a threat than those who aim to do harm. Security breaches, the report states, tend to stem from a general lack of attention to standard business processes rather than from a malicious intent to cause harm.
Security education and training address this problem, according to NASCIO. Educating employees on phishing schemes and social engineering can help secure IT, the report states.
Jarrett said all employees, not just those in IT, need training. He noted that people may be appointed to IT jobs but may not have the right skill sets for them. Delaware last year required all network administrators in the state to go through a training and testing regimen that included IT security.