Sep 11 2007

Connecticut Shores Up Security

After notebook theft, Connecticut seeks to thwart further damage with new policies.

After a recent security breach, the state of Connecticut’s CIO is drawing up new security policies aimed at reducing the loss of sensitive information in case another state-owned notebook computer goes missing. On August 17, a state Department of Revenue Services employee’s notebook containing Social Security numbers of 106,000 citizens was stolen.

“It’s a little like closing the barn door after the horse has been let out,” says Chris Dixon, manager of state and local industry analysis at consulting firm Input in Reston, Va. “But it does pull the reins on this problem.”

Through a state media relations spokesperson, Diane S. Wallace, CIO at the state’s Department of Information Technology (DOIT), declined to comment on the policy before it was delivered to Governor M. Jodi Rell. But based on information shared by Rell in a press conference late last month, the policy will include “common sense” practices as well as detailed guidelines about the use of encryption and virtual private networks (VPNs).

Connecticut employees will be required to “call the Department of Information Technology as soon as a [notebook] is lost or stolen,” she said. In this case, the employee from the state’s Department of Revenue Services waited 11 days before the notebook was reported stolen. Rell called the delay “unfortunate.”

In some cases, the IT department might be able to take measures that can help, she added. While the governor did not elaborate, there are software programs that allow IT managers to remotely kill all of the data on a portable device if stolen or lost. These so-called kill pill tools often use wireless data networks to reach the lost or stolen devices.

Rell went on to say that the policy will “restrict sensitive data from being placed on [notebooks] or any other portable device, especially if that information is available through another secure source.”

Input’s Dixon says that the state has a VPN and might now require all mobile employees to use this technology, which encrypts data before it’s transmitted. He adds that Connecticut’s new policies could affect employee productivity if they, for example, now restrict certain types of remote access, such as free Wi-Fi hotspots, because these are often viewed as less secure. But some IT shops sacrifice productivity for a more secure environment.

Rell also ordered the DOIT to accelerate selection and deployment of enterprise encryption tools for use by state agencies. This could include full-disk encryption software that encrypts all data on individual notebooks. Such technology would prevent a criminal from deciphering sensitive data stored on a stolen notebook.

IT departments exploring this technology should look for tools that support the Advanced Encryption Standard (AES), which can be used with 256-bit keys. The longer the key, the harder the encryption is to crack by brute force. Products that support AES include PGP’s Whole Disk Encryption and GuardianEdge’s Hard Disk Encryption. Tools that encrypt notebook hard drives should also support two- or three-factor authentication, such as password, secure token and biometric.
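The property the article attributes to full-disk encryption, that a thief who holds the disk but not the key gets nothing usable, is easy to see in miniature. The following Go program is an added illustration written for this page; it is not code from any of the products named above. It seals a constructed sample record (the SSN in it is a fabricated placeholder) with AES-256-GCM from Go’s standard library, checks that the SSN no longer appears in the stored bytes, and shows that decrypting with the wrong key fails authentication instead of yielding garbage. One caveat worth keeping in mind when reading vendor sheets: AES always works on 128-bit blocks; it is the key that comes in 128-, 192- or 256-bit sizes, and `aesBlockBits` below returns that fixed block size to make the point.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record standing in for the kind of data described in
// the article. The SSN is a fabricated placeholder, not a real number.
const sampleRecord = "name=J. Example; ssn=000-00-0000; agency=DRS"

// aesBlockBits returns the AES block size in bits. It is 128 regardless of
// whether a 128-, 192- or 256-bit key is used.
func aesBlockBits() int {
	return aes.BlockSize * 8
}

// encryptAtRest seals plaintext with AES-256-GCM under a 32-byte key.
// The random nonce is prepended to the ciphertext so a reader can recover it.
func encryptAtRest(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and authentication tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptAtRest reverses encryptAtRest. A wrong key or any tampering makes
// GCM's authentication check fail, so the caller gets an error, not garbage.
func decryptAtRest(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// leaksSSN reports whether the stored bytes still contain the sample
// record's SSN in the clear, i.e. whether a thief could simply search for it.
func leaksSSN(data []byte) bool {
	return bytes.Contains(data, []byte("000-00-0000"))
}

func main() {
	// A fixed demo key; a real deployment derives the key from the user's
	// credentials or a hardware token rather than embedding it.
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i)
	}
	sealed, err := encryptAtRest(key, []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext leaks SSN: %v\n", leaksSSN([]byte(sampleRecord)))
	fmt.Printf("ciphertext leaks SSN: %v\n", leaksSSN(sealed))

	wrongKey := make([]byte, 32)
	if _, err := decryptAtRest(wrongKey, sealed); err != nil {
		fmt.Println("decrypt with wrong key:", err)
	}
	pt, err := decryptAtRest(key, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypt with right key:", string(pt))
	fmt.Printf("AES block size: %d bits\n", aesBlockBits())
}
```

The key-length check in `encryptAtRest` is deliberate: a product that silently accepts a shorter key delivers less than the "256-bit" on the label. Authenticated encryption (GCM here) is also why a wrong key produces an error rather than plausible-looking bytes, which matters when an incident responder has to state with confidence that recovered data was never readable.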

Rell said that after the state’s new security policies are reviewed and approved, they’ll go into effect immediately.