[ISN] State takes new look at computer security

InfoSec News isn at c4i.org
Wed Feb 1 07:24:03 EST 2006


Staff Writer
January 31, 2006

AUGUSTA -- The state is taking steps to limit access to critical
computer systems in response to a report that showed deficiencies in

The Office of Program Evaluation and Government Accountability
released a report Monday that revealed weaknesses in the way the state
runs its computer systems.

Part of the report, which was given to lawmakers and others in a
closed session last month, indicated that the state needs to make sure
only those who have proper credentials can get access to critical

However, the state system was not affected by hackers who tapped into
Rhode Island's state Web site and got access to credit card numbers,
said Richard Thompson, chief information officer for the state. The
company that manages the Rhode Island site also works for the Maine
government Web site.

The breach, which occurred in December, was made public Friday.

Thompson said he had staff working all weekend, but they did not find
any record that Maine's site had been illegally accessed.

"We are convinced, at least as of today, we are in good shape," he

Rep. A. David Trahan, R-Waldoboro, said he's heard from people who are
concerned about the security of state computer systems.

"The urgency of this is greater now because of what just happened," he

A review of state computer security procedures conducted by Jefferson
Wells International found that "system access controls do not measure
up to industry standards."

Also, the state has not adequately put in writing what steps it would
take if a major computer system fails or if offices could not be used
because of a terrorist threat, according to the report.

Thompson, who is in the process of reorganizing how state agencies
purchase and manage computer systems, said at least some of the
criticism is due to a lack of paperwork.

"The weaknesses Jefferson Wells identified was, 'We can't tell you
what we've got' ," he said. "It wasn't that we didn't have enough

Other parts of the report detailed a piecemeal approach in state
government when it comes to purchasing new computers.

State agencies, often using federal government money, move ahead on an
individual basis without consulting other agencies.

And although Thompson is in charge of the executive branch computer
systems, he does not have jurisdiction over the Legislature or
judicial branch.

Also, it's difficult for the program evaluation office to find out how
much is being spent on computers and computer software because it is
scattered throughout state government, said Beth Ashcroft, director of
the evaluation office.

"The goal here from (the program evaluation office) perspective is to
shine a light on information technology and how it's being managed,"  
she said. "Right now, there's no good way to get a handle on that."

Another inefficiency is that it's hard to combine data from different
agencies and some data is duplicated in several systems, she said.

The program evaluation oversight committee, which is made up of 12
legislators, will meet again to discuss what action it can take to
address some of the concerns in the report.

Copyright © 2005 Blethen Maine Newspapers Inc.


More information about the ISN mailing list