IT Security Incidents Prompt Nashville, Tenn., to Strengthen Policy, Hire IT Security Chief

Nashville is poised to implement a comprehensive security policy this fall, officials say.

by Karen Wilkinson / August 23, 2010
Nashville illustration by Tom McKeith.

When more than 320,000 Nashville voters' personal information was breached in late 2007, it was a turning point that propelled the incorporated Metropolitan Government of Nashville and Davidson County to assess and define IT security policy, among other internal changes.

A laptop was stolen from the Davidson County Election Commission office, along with other electronic equipment, after someone threw a brick through a window in December 2007, said Metro Technology Chief Keith Durbin. While there was no evidence that voters' Social Security numbers or other personal information was accessed, the laptop wasn't encrypted, so the government had to assume the worst, he said.

"We got a lot of [media] attention, as you might imagine," said Durbin, noting that along with the mayor and City Council members, his voter registration information was on the stolen laptop. "It truly was a defining moment."

That was nearly three years ago. It was a wake-up call for the combined government, which has roughly 60 departments and agencies. Mayor Karl Dean, on the job just months before the security breach, set into motion a series of executive orders that established oversight boards and training programs, in hopes of preventing future security issues. A comprehensive security policy is set to go into effect this fall, and Durbin is in the process of hiring a chief information security officer to lead the effort. In the meantime, a few security faux pas have occurred, but nothing close to the magnitude experienced in 2007, officials said.

Human Error and Outdated Policy Faulted

"There was a cavalcade of security issues ... that really set in motion a series of events that has culminated in us putting together a comprehensive program," Durbin said. "What we've seen has been human error of some sort, or policies that haven't been adhered to."

A recent article in The Tennessean highlighted these issues, the most recent of which involved three Nashville flood victims' banking information being posted online. The assessor's office, in allowing victims to apply online for property tax deferments, disabled the password requirement, which essentially allowed anyone visiting the website to view copies of their canceled checks, Durbin said.

"The human error was taking a secure system and doing the stupid thing of taking the password off," he said.

Another security incident occurred in April, when the county criminal clerk's office, responding to a public records request, inadvertently released the Social Security numbers of the clerk and two other employees. Citing human error -- there was no IT factor -- Durbin said it was strictly an oversight.

And more than a year ago, in August 2009, the Nashville Career Advancement Center exposed the Social Security numbers of 160 clients on its website. The site ran on a Web application that had been developed nearly 10 years prior and built to outdated security standards; Durbin described the breach as "a huge embarrassment for the organization."

That incident wasn't quite human error, however, as the information wasn't on the city-county network, but was hosted outside the metropolitan system, Durbin said. "And again, at the time, there were no comprehensive policies that said stuff needs to be secure, hosting needs to be secure, applications need to be secure, it needs to meet these standards," he said.

Lastly, the names and banking records of about 500 juvenile offenders were potentially exposed in February 2009, when an unencrypted flash drive containing that information was lost by an auditor. The city-county didn't have a thumb drive security policy, Durbin said.

Advisory Boards, New Hires and Policy Implementation

Despite these recent setbacks, Nashville is poised to implement a comprehensive security policy this fall, and has already completed some groundwork to help smooth the transition, Durbin said.

Shortly after Dean took office as mayor, he hired Durbin and established an executive order that created external advisory boards -- an Information Technology Advisory Board and an Information Security Advisory Board. The security board members are executive-level professionals from private industry, universities and state government, Durbin said, and have been critical to the city-county's success.

Information security training programs also were mandated under an executive order, Durbin said, but that hasn't been uniformly implemented yet. And the capstone effort -- a comprehensive security policy that provides all agencies with a minimum standard -- is still a work in progress.

"We feel that coming back in with well defined, industry standard-based policies and practices that are comprehensively developed and rolled out will give us a much better leg to stand on than the situation where the IT department decrees, 'You should encrypt your data,' but there's no one to enforce that," Durbin said.

And while the directive is coming from the mayor's office, having an enforcer is essential to departments' adherence. Durbin began to push for an IT security officer last fall, and was successful in making his case to the mayor and Council, he said. That person will be charged with managing the implementation of the security policy, which until now has been problematic.

"We've not had anyone who could formally lead this effort in the way it needs to be led," he said. "It's an indication of the commitment we have."

Lessons Learned

Keep it simple and straightforward. That's how Durbin describes drafting information security policy, especially for a diverse agency such as his. "An IT person typically will be more verbose than they need to," he said. "So we worked hard to make sure they were as clean and understandable to the average user as possible. We're tailoring our policies to Nashville and to our government and our users."

Also keep departments involved, Durbin said, as opposed to dictating directions and policy. "And it's crucial in enforcement," he said. "If you have the buy-in from department heads, it makes it much easier to enforce."

For now, completing the overall policy is the next item to cross off the city-county's to-do list.

"We often tell people it would be great if we could just buy a set of policies off the shelf and slap it into place, but that would never work," Durbin said.
Karen Wilkinson

Karen is a former staff writer for Government Technology magazine.