IG: South Carolina Lacks IT Security PlanInspector General Issues Report in Wake of Tax System Hack
South Carolina's government, victimized by a cyber-attack earlier this year that exposed the Social Security numbers of some 3.6 million taxpayers, lacks a statewide information security program, which places its digital assets at risk, the state Office of Inspector General says.
See Also: Webinar | Data Breach Myth Vs. Reality
"It's clear we need some statewide mechanism in order to coordinate and address these issues," Inspector General Patrick Maley tells GreenvilleOnline.com. "Somebody has to be in charge."
The breach, believed to have originated in Eastern Europe, of the state's Department of Revenue tax system in mid-September exposed the Social Security numbers of 3.6 million taxpayers. It also exposed 387,000 credit and debit card numbers, as well as the federal tax identification numbers of some 657,000 businesses in the state [see Silver Lining in South Carolina Tax Hack].
In the inspector general's report posted on the website of the Easley, S.C., Patch, Maley says there are no mandatory state policies, standards, monitoring or enforcement for information security in agencies of state government.
"The state provides a general information security policy model, but the state only suggests each agency tailor it to their environment," he says. "This information security policy approach coupled with the state's decentralized IT environment, creates unique challenges in understanding, controlling and mitigating the statewide information security risk in the over 100 entities in the executive branch, as well as the other branches of government."
Since the breach was unveiled last month, informal and formal meetings have been held among the inspector general office, Division of State Information Technology, private-sector experts and individual agency chief information officers to begin steps to develop plans to better protect state and agencies' information systems and data.
The IG and IT division are asking state agencies to:
- Conduct short term remediation steps: Each agency will double check specific information security procedures having the highest impact on lowering information security risk. Emphasis will be on reviewing these fundamentals in each agency through the new optic of the post-Department of Revenue breach world in which the state operates.
- Agency self-assessment: Each CIO will complete an electronic information security self-assessment survey for their agency, as will each agency head from their perspective. Then, the agency head and CIO will meet to discuss results to ensure agency heads are fully engaged in this statewide issue.
- Data classification: Locate all high risk data, primarily personal identifying information and protected health information. Additionally, request help on any personal identifying information or protected health information not sufficiently secured.
Maley says South Carolina government has established a full-time task force to address statewide information security that will focus on describing current conditions of information security statewide, collecting data to be used develop options and recommendations on information security risk governance models. "A governance model is the first step to provide a sustainable statewide information security platform for leadership, structure/processes and assurance that information security risk, policy and resource needs are coordinated and addressed at the state level," Maley says.
The inspector general says his office plans to provide actionable items in the area of governance models.
A second milestone of the task force will be to develop options on strategy and implementation plans, which Maley says will likely require South Carolina to hire outside experts, as has been done in other states. "The implementation options will likely be a function of time and cost," he says. "Resources will be required to build the governance model selected and mitigate information security risks identified as agencies systematically conduct risk assessments."