South Carolina needs to centralize computer systems management, add a chief information security officer and hire a consultant, according to a preliminary report from the state Inspector General released Tuesday.
The report ordered by Gov. Nikki Haley after hackers stole personal information belonging to 6.4 million consumers and businesses from the S.C. Department of Revenue calls for an end to state agencies running their own computer security operations.
“This decentralized approach prevents the state from understanding, let alone managing, statewide (information security) risk, which has the capacity to impact the entire state government,” the report states.
Heads of state agency computer operations rated their own information security capabilities below adequate and rated statewide capabilities even worse, a survey in the report found.
"What scares me is what I don't know," an unnamed agency security chief was quoted in the report.
South Carolina should adopt a system used in most states where agencies operate the same computer security policies run through a central authority. The system, known as federated, gives state agencies independence to run their own computer security networks but with a set of standards to meet.
A new chief information security officer would help oversee protection of statewide computer systems. The job would need to be created by the General Assembly, the report said.
In the meantime, the state should designate an interim leader and create a steering committee to push stricter information security measures.
The report was sent to Haley’s office and top legislators to decide the next steps, S.C. Inspector General Patrick Malley said.
The report did not call for deadline to putting people in charge of statewide computer security, but Malley said: “We want to paddle in a diligent way.”
South Carolina has an agency, the Division of State Information Technology, that provides computer system services at a cost but other state departments are not required to use them and the division cannot establish statewide rules. Before the breach, the revenue department was not fully using a free network monitoring system the division offered.
The report recommends putting the new chief information security officer outside the division that already has a director and security officer.
“DSIT was fully conscious of agencies’ skepticism and distrust toward DSIT owing to a history of friction, primarily related to the cost of services provided,” the report stated. “Having DSIT ‘drive’ any change initiative comes with some historical trust baggage.”
The Inspector General’s report was based on discussions with managers of agency computer systems from South Carolina and other states and experts from universities, private consulting firms and industry trade groups.
Hackers stole tax information belonging to 3.8 million people with 1.9 million dependents and nearly 700,000 businesses in mid-September. The state learned of the breach from the Secret Service on Oct. 10 and informed the public 16 days later.
The state is paying $12 million to offer a free year of credit monitoring to consumers from Experian. Businesses can get free lifetime monitoring from two companies.