by CSO Staff

Balancing Risk and Responsibility

Oct 07, 2002
Data and Information Security

Contra Costa County CISO Kevin Dickey answers readers' questions about security in local government

Q: Local government uses a lot of commercial off-the-shelf software. How do you manage the risk of an attack originating in a third-party application?

A: Historically, most hacks can be linked to old, known vulnerabilities. I cannot stress enough that IT staffers need to get on all the vulnerability and threat mailing lists to track the solutions for the architecture that they maintain. I know how much information that is, but it’s important. You have to stay on top of patches.

If necessary, there are niche vendors surfacing that will do this for you. They know your infrastructure, and they monitor the various advertised and unadvertised vulnerabilities in your deployed systems, and either make the updates and patches for you or pass the information to your technical staff.

Another consideration is the old concept of maintaining development, test and production environments.

Q: How are you addressing the federally mandated (but minimally funded at the local level) requirements for homeland security?

A: The homeland security efforts are still addressing the first responders’ initiatives and are not, unfortunately, addressing the bigger picture of prevention efforts. I’m partnering with our first responders, the sheriff, fire and health-care organizations, in order to leverage their funding sources (federal and state).

As we did in the Y2K efforts, where IT organizations championed the “what if” efforts and then shared that strategy with everyone else, including the first responders, I’m attempting to use the reverse process. That is to say I’m making the connection with the first responders to have them recognize that we all need to share in this current effort, including funding, to address their concerns of silo databases, disparate communications and GIS/GPS enhancements. They need us, and we need them to make this work.

I’m also looking toward the federal agencies for possible grants, watching all federal and state legislation for possible funding opportunities, and have begun work with our California State Association of Counties, whose prime goal is to represent county government before the California legislature, administrative agencies and the federal government.

Q: Does your responsibility extend to the critical infrastructure and the technology that supports it, and if so, do you have outsourced physical security monitoring and outsourced IT security monitoring?

A: My responsibility as the CISO is countywide, although I administratively report through the CIO. It is IT’s responsibility as the custodian of the informational assets to ensure that the owner’s legal and moral obligation to protect that information is achieved. Information security, on the other hand, is not hands-on per se, yet CSOs must be the jack-of-all-trades in the IT arenas and also know the business issues, including physical security, disaster recovery and business contingencies. I would make the statement (by policy or through a directive) that critical infrastructure must be maintained, and then the various IT staff would work with their customers (information owners) to determine what is critical and how that infrastructure must be maintained to ensure legal obligations, business continuity and disaster recovery.

Our physical security is centralized through our general service department with alert monitoring internally and with alerts to an outsourced monitoring vendor. The physical monitoring we engage in is indeed 24/7/365. Logical monitoring is the responsibility of the various IT entities throughout the county as each department has some IT responsibilities. The wide area network administration is all done in-house, in a centralized IT department, including the monitoring.

Information security has governance over the domains of access control systems and methodology; telecommunications and network security; business continuity and disaster recovery planning; security management practices; security architecture and models; law, investigations and ethics; application and systems development; cryptography; computer operations security; and physical security.