A few years ago, Michigan government was hit with two computer virus outbreaks in six weeks. Both situations caused system outages, customer complaints, network slowness and more. After we recovered from the second situation, I received shocking news from my forensic team: The security incident was caused by an infected vendor laptop -- again.
Conventional wisdom in government technology circles is that IT vendors, especially big consulting firms, are secure. Most people take for granted that the "experts from out of town" will do no harm as they integrate new technology into enterprise infrastructures. In my experience, this is a bad assumption.
Many of our private-sector colleagues do a good job of putting the right people, processes and technology in place to protect critical systems. But even the best integrators make mistakes. So how do we build the right security provisions into contracts and manage our vendors well?
When I was at the National Security Agency (NSA), many courses were offered on this topic. Staff dedicated entire careers to becoming certified Systems Acquisition Managers who learned the latest vendor-management techniques. No doubt, we need more NSA procurement rigor in state and local governments.
But beyond the art of contractor and vendor management, there are certain topics that require attention that I regularly ran into as a chief information security officer. Here are five areas I recommend addressing as you build Invitations to Bid or negotiate contracts with vendors.
Ensure contractors comply with the same acceptable use policies and procedures that government staff must meet. For example, what's the policy for vendor laptops entering the enterprise? Are the contractor's portable devices secure? Are laptops checked for viruses before connecting to the network?
A final thought: Gen. George S. Patton once said, "Never tell people how to do things. Tell them what to do and they will surprise you with their ingenuity." Public CIOs must ensure that security is a priority - for contractors too.
Read Dan Lohrmann's column from the December 2008/January 2009 issue of Public CIO, Four Government Security Mistakes to Avoid.