WIS Investigates: What's changed in state IT security? - wistv.com - Columbia, South Carolina

Kyle Herron, of S.C. Division of Information Security

Millions of dollars are expected to be spent as South Carolina officials continue to create better security policies.

When residents file their taxes this year, the Department of Revenue says the information will be encrypted on the state's servers. That's a change from 2012.

Over at the S.C. Department of Health and Environmental Control, work continues to encrypt sensitive data, but employees say they've increased the firewall and Internet filtering controls to prevent a security compromise.

And as Department of Agriculture inspectors submit their field reports, data from their laptops is encrypted. That's a step that was not in place a year ago.

"Most employees use their mobile devices for email and our field inspection staff actually uploads their reports via their laptops in the field, so that was one of the first things we've done," said Aaron Wood, assistant commissioner of the Department of Agriculture.

WIS' investigation found three state agencies, all in different stages with the actions they've taken. These security steps fall under the state's new Division of Information Security, which was created last year. The state's new Chief Information Security Officer, Marcos Vieyra, started last week.

The new agency is charged with creating a strategy and statewide policy to keep state residents' information safe, so that's where WIS took its questions.

When asked if information submitted to the state is more secure than it was two years ago, Kyle Herron, of the state's technology division, said it's a continuous process.

"I will say that we've made a lot of progress, specifically over the last year, we made tremendous strides and we're continuing to do that," Herron said. "There really is no finish point where we can come up and say everything is 100-percent secure."

The state is working with consulting firm Deloitte and Touche to find ways to create better data protection policies. So far, the firm has completed 10 assessments, with eight more scheduled. The agency has put seven policies in place, dealing with topics from data protection to mobile security.

Deloitte and Touche said the estimated cost for 2014 is $14.9 million to implement more security. That is expected to increase in 2015 to $20.8 million with $15 million going towards enterprise technology.

It is up to the state's individual agencies to implement the policies the information security division creates. To keep the state's information safe, officials say it comes down to education and technology.

"Security is not just about technologies," Herron said. "It's also about people and processes, and we really need to change the culture in the state and make people very aware of what a security incident looks like and how to respond to those incidents."

Herron explained that a security incident could be an employee receiving an email and clicking on a link inside the email because the individual thinks it is a real email. Clicking the link will then allow software to be downloaded onto that employee's machine.

At the Department of Agriculture, employees took an online security awareness course, developed by the federal government. For other state employees, the education is just starting.

"How often do you reset passwords? How complicated are your passwords? How many passwords do you have? How many passwords do you need to access a specific system? Is it a password that you generate, or is it a password generated by another system that's been handed to you?" Herron asked of employees.

It's also about training employees on whom to alert if an email is corrupt.

"How do you report this?" he asked. "What are the appropriate ways to handle this?"

The state is also improving the technology it uses. It's meant coming up with classifications for all of the state's data and the types of infrastructure needed to secure it.

"You don't want to restrict people from doing their job," Herron said. "You want to let people. You want to allow people to be as efficient as possible, but not compromise security while doing that."

Other than machines that stay on state grounds, some agencies have also installed tracking devices on laptops that are checked out of the office in case the computers are stolen. In other cases, it's restricting what type of access a laptop has to the state's servers.

"If you do not have a certain level of security, you do not have access to those, so it's a measure. It's a weighing out, ease of use versus security," Herron said.

In another instance, many agencies are now using two-factor authentication for portable devices, which is similar to a fob that generates a password. It requires something you know, like your password, and something you have, like the fob. After you enter the password, you get a second code that allows access to your account.

When WIS questioned what would happen if that laptop and fob were stolen, Herron said, "There's no simple answer to that one."

The state Division of Information Security admits that, with more than 66,000 state employees, there's more work to be done.

"I think everybody is on the same page, going in the same direction," he said. "It's just a matter of how do we get it done."

Watch the full report tonight at 5:30 p.m. on WIS.

Copyright 2014 WIS. All rights reserved.
