Marcia Savage asks IT heads of four California counties how the ISF document has strengthened security.
For Lake County, in rural northern California, the ISF best practices document was invaluable.
"It's helped the county out enormously," says Jim Garrison, deputy director of information technology for Lake County. "There was just no way we would have the resources necessary to produce something like that."
Lake County modified the program for its own purposes, but did not have to make many changes. Garrison said: "The way it's written, it could suffice as a security document for our county."
Based on the best practices document, Lake County has developed training to get its users up to speed security-wise, and has implemented some of the essential security protocols. For example, the county has a two-page form on internet usage rules that employees must sign for web access.
"It's very important that our users be partners in information security," Garrison explains. "A lot of the county's data is public domain, but issues associated with people getting in and maliciously changing or destroying data could potentially cost the county a lot of money and downtime. Just the little bit of awareness an end user has about controlling viruses on their PCs has been extremely valuable to us."
Garrison, an ISF member, plans to take its infosec program to the Lake County Board of Supervisors for official approval in a few months. A lot of counties have implemented the ISF program and have taken it to their supervisor boards for adoption, he notes.
San Joaquin County, in central California, tailored the ISF program to suit its managerial structure and the board adopted it last year, reports Sonny Johnson, the county's information security officer and a contributing author to the ISF effort.
"Right now we're busy working on the policies that go with that program. We had some in place but these are more comprehensive so we're having them approved by HR and county counsel," he says.
The ISF program helped bring focus to San Joaquin's security efforts, Johnson states: "It formalizes everything from a business impact analysis to risk assessment and assigns responsibility for getting all those things accomplished. It puts it in law that we have to do those things, whereas before it was, 'Sure we're doing them.' They may or may not have been accomplished, but now it's something that has to be done."
Johnson describes Contra Costa's Kevin Dickey as the "guiding light" in the ISF effort. "He pushed forward when everyone else got tired. Without him, it wouldn't have happened."
In Fresno County, the ISF document provided a check-off list, or reference tool, says Wincy Carr, division manager in charge of data administration and security for Fresno and an ISF contributor.
Under the direction of the county CIO after 9-11, staffers had already started overhauling their management directives, security standards and procedures to bring them up to date and make them HIPAA-compliant when the ISF program was published.
Populous Los Angeles County (the largest in the U.S.) also had already embarked on a project to bolster its cybersecurity after 9-11 at the direction of its CIO, reports Al Brusewitz, the county's chief security officer.
"We participated in developing those policies and best practices but those standards apply across the board to anybody trying to implement a good program," he says. "We've implemented a series of initiatives that are specific to Los Angeles. They parallel those [ISF] good practices."
Due to its size, Los Angeles has an additional level of complexity added to its problems, and therefore requires more resources than other counties, he notes. Los Angeles has been working hard to develop security policies that will apply to the entire county.
"I consider that the cornerstone of any security program," Brusewitz says. "If you have policies in place so people know what they're supposed to do, you have a chance of getting people to comply. Once that's in place, you can proceed with a robust employee security awareness program."
CCISDA's ISF provides a way for counties to come together and help each other, he believes: "We may not help each other with the technical answer to a specific problem, but having a forum where we can work together is extremely important and the sharing of ideas can only help."
The cooperation of the counties on the infosec front is helping them communicate better with state agencies, Dickey asserts. Some state agencies view counties – and in some cases, cities – that have adopted the ISF program as more trusted users, he says.
That is the case for the California Department of Motor Vehicles (DMV). Tom Gilbert, DMV information security analyst, reviews the security of public agencies that connect to the DMV for information, or that provide information to the DMV. Before the ISF program, he says, there was no baseline for security among the counties.
"Kevin Dickey's initiative with his best practices has established that, which is great," Gilbert says. "Once I know a county or a city has accepted those practices, or incorporated them in their way of doing business, I have a lot more assurance that things are handled correctly."
He adds that he is using the ISF program to draft a comprehensive infosec requirements manual for DMV partners and customers. "We have a lot of confidence in it [the ISF program] because it's based on industry standards. We really can't go wrong with it," he remarks.
Gilbert credits Dickey with reaching out to state agencies: "We need to have this partnership. We all have our peculiarities and funding problems with our particular government entities, but if we're really going to share information, if we're really going to network, we need to come to this commonality on at least security."
That shared baseline helps California agencies meet their goal – maintaining the public's trust by ensuring that its information is secure, Gilbert says.