State agencies will use a ranked scale of severity in security reports that officials hope will improve risk assessment.
The Florida state government’s Office of Information Security (OIS) is developing a management program that will allow state agencies and individuals to report security incidents based on a ranked scale of severity.
With the tool, which will be in Microsoft SharePoint, state agencies will be able to log security incidents by ranking them on a 0 to 3 scale, with three being the most severe, said Security Outreach Coordinator Amy Caldeira of the OIS.
“If the power went out for 30 minutes, it’s a zero. If the power went out and your customers could not get to their services for a length of time, it’s a one because you affected the access to the data,” Caldeira said. “If you were breached to a point to where the data was available publicly, that’s definitely a three.”
The OIS, which sits within the state’s Agency for Enterprise Information Technology, plans to fully implement the program by August.
Currently, when an incident is reported, agencies e-mail or call the OIS, leaving OIS personnel to analyze the incident and log the information themselves. Caldeira said agencies are legally obligated to report all security incidents to the OIS, but the new program shifts the work of classifying each incident to the agencies.
By logging the incidents, the state will be able to track where each agency stands in its risk assessment. Having the ranked incident reports will help the state determine what types of training need to be provided to agencies, as well as which other areas need attention, Caldeira said.
Although many states now have some sort of coordinated program for incident reporting, some have found it difficult to encourage agencies to report the data. For example, an audit last year of Colorado’s cyber-security program concluded that the state was only receiving incident reports on a small fraction of the breaches that were actually occurring within agencies and departments. The audit said a more effective process for the reporting was needed.
Florida’s revamped reporting process is one of many efforts the state is making to update its Enterprise Information Security Strategic Plan, which was established after 9/11 to protect critical assets. The plan has been viewed as a success, Caldeira said, given that only four OIS personnel were involved in its development and the security office had no budget to carry out its goals.
Mike Russo, the state’s chief information security officer, wrote in the state’s IT security strategic plan that cyber-crime is a major concern to Florida.
“For criminals, cyber-crime is a low risk, high-profit endeavor and is more attractive during difficult economic times,” Russo wrote. “This means that, not only will attacks increase against Florida’s data infrastructure, but the creativity of those attacks will be enhanced.”
The strategic plan’s five main areas of focus are enterprise IT security policy, training and outreach, risk management, incident response and survivability training.
As part of the plan, Florida is also in the process of completing a data center consolidation. According to the Agency for Enterprise Information Technology, the agency finished the first wave last year. The second wave is scheduled to be fully completed by the end of 2011.
As consolidation efforts continue, the plan says primary data centers will provide IT services to the state agencies, which in turn will oversee their own security, disaster recovery and managed services.