States on the UPTIC

WHILE EACH OF THE 50 STATES gets equal billing as a star on the flag, most citizens would agree that the similarities end there. That is certainly the case with security investments.

Some state and local government agencies are spending a significant amount of money on products and initiatives to help build more-secure IT infrastructures. Others have been moderately aggressive in investing in security technology, while some have spent relatively small amounts on tools to protect their IT systems and information. These are among the findings of the State & Local Government Technology Investment Curve (TIC), an assessment of state and local government technology purchasing behavior.

Conducted by CDW Government Inc., the study maps all potential state, county and city government customers against five years of CDW•G customer data. The report encompasses all 50 states, more than 100,000 products from 1,000 manufacturers, and thousands of state and local government customers, providing a vendor-neutral assessment of state and local government technology investment.

CDW•G worked with the Center for Digital Government, a Folsom, Calif.-based research and advisory institute on IT policies, to define the sampling of possible customers at the state, county and city levels for each state. The findings are based on a survey of governments and a state-by-state analysis. CDW•G analyzed the purchase records of customers between 2000 and 2004, focusing, in the initial report, on core information security purchases in network and security hardware, security software, and antivirus, antispyware and antispam software.

INVESTOR CATEGORIES

Of the 24 most-active states in overall IT spending, five have information security investment profiles that are 31 percent to 76 percent higher than the average, according to the TIC report. These states, designated as “lead investor” states in the report, are Ohio, Michigan, Wisconsin, Washington and Massachusetts. (See chart.)

These five states “demonstrate significant, committed investment in core information security technologies at all levels of state government and over the entire time span of the assessment,” according to the CDW•G report.

The TIC report identified common attributes that lead to more aggressive investments in information security, including strong state-level leadership; county and municipal government leadership that supports regional or state initiatives; strong academic programs in information assurance education; statewide user groups or associations that foster discussion, provide training and enable the exchange of best practices across multiple levels of government; early starts, with statewide information security programs operating as early as 1997; and substantial legislative and/or political support for the IT agenda.

The lead investor states tend to have state and local governments that understand the value of technology and its impact on the business of government, according to the report.

A second group of seven states, designated “early investor” states in the TIC report, are described as savvy technology practitioners that readily translate technology to value within the context of government. They continuously look at best practices and adopt IT products as needed. These states also have legislative and/or political support for the IT agenda.

A third group of 12 states, called “early majority” states, are proven technology leaders with a firm grounding in both technology and policy, according to the TIC report. They focus on technologies that have proven success rates and tend to weigh the quality of the IT vendor equally with the quality of the technology.

The breakdown of security investments by category — including network and security hardware, security software, and antivirus, antispyware and antispam software — shows that Ohio government agencies are the top investors in every category. The five lead investor states are in the top 10 in each of the three categories. (See chart.)

INVESTMENT LEADERS

Of the five states in the lead investors category, three — Michigan, Ohio and Washington — shared information on their security efforts with StateTech. Michigan has made information security a high priority in recent years, spurred, in part, by federal legislation such as the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act and by the growing use of the Internet by state and local agencies.

“We’re putting more and more applications online — everything from campground reservations to licensing to paying taxes,” says Dan Lohrmann, chief information security officer and director of the Office of Enterprise Security for the Michigan Department of Information Technology. “People want to be able to get on the Web to conduct business and gain access to government information, and they expect the applications to be secure.”

Among the state’s key information security investments and projects of the past few years are digital video monitoring systems for state government data centers, encryption management for 800 megahertz (MHz) radio, and disk-testing and network-penetration studies.

One of Michigan’s major initiatives was the launching of a program throughout the state government that involved Internet and antispam filtering, IT security awareness and cyber emergency management.

By blocking spyware and adware, Michigan state government is saving an estimated $765,000 per month. Most of the saving comes from not needing to repair or rebuild machines. “We’ve also been able to cut our bandwidth usage by one-third,” Lohrmann says.

A COMPREHENSIVE EFFORT

Ohio, another lead investor, has launched a series of security efforts through its Office of Information Technology (OIT). These include a comprehensive, statewide effort to provide state IT security policies, assess the security perimeter of agencies and fix any deficiencies discovered.

The OIT has 13 security-related rules and policies in place, and an additional four are near completion. The goal of the policies — which were developed through a collaborative effort between the central statewide authority and individual agencies — is to provide a foundation for the security of information and services. The policy requirements are designed to ensure that due diligence is exercised in the protection of information, systems and services. The policies describe fundamental security practices involving network and security hardware, and security and antivirus software.

The security policy and similar initiatives allow Ohio to decrease costs and enable the OIT to bolster security, while providing a correlation between agencies through one security framework and centralized management, says Mary Carroll, CIO for the state of Ohio.

“By requiring state agencies to deliberately incorporate security into their daily decisions, the state will benefit from a more cohesive security program, and the agencies will benefit by not having the added requirement of developing their own individual program,” Carroll says.

Ohio has also completed a statewide, multiagency radio communication system that’s primarily used by its first-responder community. This system includes wireless voice and data connectivity and runs on an 800MHz network.

The OIT also sponsors a network vulnerability assessment program and conducts agency-level Internet security planning workshops. The main objectives of the program are to assess the IT security vulnerabilities and risks of Ohio agencies and to support agencies in identifying vulnerabilities and fixes.

SECURING ONLINE SERVICES

The state of Washington is also increasing the security of state and local agencies as the government increasingly relies on the Web to provide services. “It’s becoming imperative that we provide online services to constituents and that we ensure they are protected,” says Agnes Kirk, chief security officer for the state.

One effort, which is called SecureAccess Washington, is a single sign-on (SSO) authentication gateway that enables individuals and businesses to access multiple applications on agency Web sites via a user identification and password. Only authorized and authenticated users are permitted access, Kirk says. A similar gateway, called Transact Washington, provides access to highly sensitive applications, such as those related to health care and law enforcement, using SSO with digital certificates.

Kirk says the state government is improving the security of its statewide network through a “layered” approach using firewalls and intrusion-detection and intrusion-prevention software.

“By providing these centralized gateways and protecting the perimeter of the state governmental network and intergovernmental network, we’re allowing the agencies to spend time and money on their core operations,” Kirk says.

Another initiative, the Washington Computer Incident Response Center, involves all the state agencies, plus representatives from county and municipal governments. The response center provides alerts about any network-based risks or security incidents.

The technology investments made by the states mentioned in the TIC report show strong, consistent leadership in making security a top priority.