The fight for comprehensive IT security seems never-ending. The enemy storms government territories every day with as many types of malware as there are pebbles on a beach -- too many to deal with easily.
Yesterday, the "man-in-the-middle" attack on the county network stole credentials to the treasury funds. This afternoon, the Trojan deleted files from the governor's desktop. And tomorrow, some exotic new code no one's heard of will pop up somewhere unexpected. In these battles, CIOs and their staffs must operate like a machine: Teamwork should exist between the standards and policy writers, data center operators, network administrators, programmers, the help desk staff and others -- seamless coordination.
That's probably what Virginia's technology executives were aiming for when they implemented the Interlocking Spheres of Collaborative Protection project, a complicated endeavor with one simple goal: to unify the policies, infrastructure and culture across state IT that are responsible for keeping data secure. These spheres represent the technology groups that need a common strategy in the unending security war.
John Green, the state's chief information security officer, noted that the end result is rather impressive. "It highlights the amazing things that can be achieved when you get a group of dedicated people together," he said. "I'm talking about all of the employees and information security officers -- when you get a group of dedicated people together focused on the same goal and mission."
The Virginia Information Technologies Agency (VITA) led the charge with cooperation from state leadership, the agencies it serves and Northrop Grumman, which manages Virginia's government IT infrastructure and services. They focused on five areas and separated them into spheres.
The top-down sphere represents the state's movers and shakers, including the governor, state CIO George Coulter, Green, the Legislature and agency leaders -- many of whom were instrumental in creating compliance standards and urging groups to meet them. The Information Technology Investment Board, which oversees Virginia's IT reform, can withhold project funds from agencies that don't keep pace.
In the peer-to-peer sphere, employees join groups to train, share information and network in the name of better security.
In the IT security program sphere, agencies are required to develop risk assessment and management programs for systems with sensitive information.
The infrastructure sphere covers most hardware and software changes, including the opening of a new data center, and the external sphere involves educating citizens about their personal IT security.
The five spheres represent a staggering amount of work for Virginia. And there's always more to do. "Eventually who knows? It may change," said Michael Watson, VITA's director of security incident management. "We may have to add additional input as time goes on. Technology's never a static thing. It evolved into this as we went along with the process."
And the struggle for strong security is everlasting.
"Like anything else, security is a journey. We don't expect to accomplish it all at once," Watson said. "We've grown and introduced the security culture into the different agencies and the rest of the government, and helped propagate the idea that it's a priority within the state. And as time has gone on, we've developed it."
Fixes From the Ground Up
Before the interlocking spheres project began in 2006, Virginia's IT landscape looked much different. The state had more than 90 disparate IT departments within individual agencies, and 60 percent of the state's equipment was between 8 and 10 years old. Even Virginia's primary data center was a security risk. The state's auditor of public accounts reported that 17 percent of 104 agencies lacked an information security program and 63 percent had an inadequately documented program.
Virginia's leadership decided change was due. "The Legislature, the governor and various governing