and established an executive order that created external advisory boards -- an Information Technology Advisory Board and an Information Security Advisory Board. The security board members are executive-level professionals from private industry, universities and state government, Durbin said, and have been critical to the city-county's success.

Information security training programs also were mandated under an executive order, Durbin said, but that hasn't been uniformly implemented yet. And the capstone effort -- a comprehensive security policy that provides all agencies with a minimum standard -- is still a work in progress.

"We feel that coming back in with well defined, industry standard-based policies and practices that are comprehensively developed and rolled out will give us a much better leg to stand on than the situation where the IT department decrees, 'You should encrypt your data,' but there's no one to enforce that," Durbin said.

And while the directive is coming from the mayor's office, having an enforcer is essential to departments' adherence. Durbin began to push for an IT security officer last fall, and was successful in making his case to the mayor and Council, he said. That person will be charged with managing the implementation of the security policy, which until now has been problematic.

"We've not had anyone who could formally lead this effort in the way it needs to be led," he said. "It's an indication of the commitment we have."

Lessons Learned

Keep it simple and straightforward. That's how Durbin describes drafting information security policy, especially for a diverse agency such as his. "An IT person typically will be more verbose than they need to," he said. "So we worked hard to make sure they were as clean and understandable to the average user as possible. We're tailoring our policies to Nashville and to our government and our users."

Also keep departments involved, Durbin said, as opposed to dictating directions and policy. "And it's crucial in enforcement," he said. "If you have the buy-in from department heads, it makes it much easier to enforce."

For now, completing the overall policy is the next item to cross off the city-county's to-do list.

"We often tell people it would be great if we could just buy a set of policies off the shelf and slap it into place, but that would never work," Durbin said.

Karen Wilkinson

Karen is a former staff writer for Government Technology magazine.