Counties dance to Dickey’s tune

Kevin Dickey vividly recalls his initiation as CISO for Contra Costa County in the San Francisco Bay Area. At a formal meeting, the county's then CIO introduced him to department heads as "the guy who's going to hack into your systems."

Dickey moved quickly to defuse the intimidating introduction. "No, time out. I'm here to help. I'm here to make sure we don't have problems, not to find them," he countered.

That was seven years ago, when Dickey broke ground as the first information security officer in California's 58 counties. Since then, he has established infosec standards throughout Contra Costa's 38 departments. He has also helped develop a set of infosec best practices and policies that many California counties are implementing.

Today, about a dozen counties have someone in charge of information security – a key component of an infosec program, according to Dickey. His infosec career dates back nearly 20 years to when he worked for the California State Controller's Office.

Throughout California county governments, there has been a change of behavior – an increased awareness that makes security a priority rather than an afterthought, he believes.

The effort to create a baseline infosec program for California counties came out of an offshoot of the California County Information Services Directors Association (CCISDA) called the Information Security Forum (ISF). Started by Dickey, the forum brought together county officials who met regularly to develop a standard way for counties to secure information assets.

"Our objective was to standardize security principles throughout California county government. We all tend to have similar applications and customer bases, yet of differing sizes, so a similar program seemed to be warranted," says Dickey, who also has the title of deputy CIO.

With California in a budget crisis, saving taxpayer money was a major goal. By creating a foundation for them to use, counties would not have to invest in developing one from scratch. Many counties would not be able to implement an infosec program without having the baseline provided by ISF, he says. "Government's primary objective should be sharing solutions with one another because we're not in competition with each other," Dickey says.

He notes that the CCISDA ISF best practices infosec program, which is readily applicable to the private sector, is modeled after the International Organization for Standardization's Code of Practice for Information Security Management (ISO17799).

Integrating information from resources such as the National Institute of Standards and Technology and ISF members' expertise, the program outlines nine general components: CISO, infosec advisory committee, policies, security awareness training and education, information identification and classification, information risk assessment, implementation of infosec controls, monitoring of effectiveness and assurance, and business continuity and disaster recovery.

The policies drafted by ISF are based on an information security guide for state and local government from Sheshunoff Information Services, a division of Thomson Media. ISF bought multiple copies of the how-to guide and, with the vendor's approval, modified the policies to fit California.

ISF published two sets of policies last year after publishing the program in 2002. One, aimed at end users, is non-technical and covers policies for email, passwords and remote access. The other targets IT staff, with policies for backup and recovery, change management, encryption and patch management.

"It's about economy of scale," says Dickey. "If you do everything very much the same, you can be considered trusted. If you're behaving the same way that I'm behaving, and I know you have good security practices, I can share information with you more easily."

When Dickey joined Contra Costa County, he had several years of security work for the state already under his belt. After the Controller's Office he worked at the California Lottery where he was responsible for logical and physical security (including the games). Where infosec was a significant part of the process at the lottery as well as other state agencies, that was not the case in local government, Dickey remembers.

He was given a tough task – securing 38 departments ranging from the assessor and treasurer to public works. "I was trying to implement standards based on best practices – a general set that you should follow, regardless of whether you're animal services or the sheriff. That's the program's foundation. I'm looking at security from the business aspect – how to help a customer and continue business," Dickey says.

He went to each county department and asked for a representative that he could meet with and train, regarding his or her department's particular assets and security issues. The result was the Information Security Advisory Committee (ISAC), a body that meets monthly. In the meetings, Dickey explains various policy issues, system transitions and the security repercussions. "You look at it in a business sense and get everybody's viewpoints," he says of the ISAC, which is a component of the ISF program and one that other counties are adopting, including San Joaquin.

Contra Costa's infosec program was formally adopted by the county's board of supervisors in March, something that provides the benefit of "top-down" support, Dickey says.

In addition to the ISF program and policies, Dickey also wrote an infosec handbook for end users that he shared with other local governments to use as a template. Currently, his county is working to develop standards for business impact analysis, risk assessments and business continuity planning methods for use across all of its departments.

Once Contra Costa has some successes with the program, Dickey plans to share it with CCISDA. If counties have similar business continuity plans, that will help state officials in the event of an emergency, such as an earthquake, because they will not have to figure out each county's process, he believes.

In addition to continuity planning, Dickey is focused on succession planning. With older employees retiring, the county will have applications that cannot be supported by new employees, which will create significant security issues. He also keeps an ear out for new projects in the county – such as e-commerce or web-enabling programs – so he can try to get staffers to consider security up front in their planning.

Looking ahead, Dickey is concerned about how technology is evolving faster than its security. For example, PDAs are easily lost but people put confidential information on them. Instant messaging also worries him – "everyone's on IM; how do you control it?" he asks.

While he still can find himself fighting the stereotype of security as the roadblock, Dickey is proud of the increased security awareness in Contra Costa. Its culture is now one in which employees back up their data and treat the email system as a government asset. But he adds, "I assure you, it's no small task. I'm not done yet."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.