ASSESSING INFORMATION SYSTEMS SECURITY WITHIN LOCAL GOVERNMENTS: A PILOT STUDY FOR CENTRAL PENNSYLVANIA Charlotte E. McConn, Jungwoo Ryoo, Tulay Girard, Penn State University, Altoona College
Overview • Rationale • Methodology • Theoretical framework • Small local government interviews • Study results
Threats & Vulnerabilities • Could be internal (employees) or external to the organization • Malicious threats: interruption of service (denial of service attack, SPAM); interception of data (packet sniffing); modification of data (fraud, embezzlement); social engineering (phishing, extortion) • Natural threats: fire, flood, hurricane, tornado • Normal technical problems: hardware, power failures or surges, disk crashes, downtime
Importance of Security • Data loss / identity theft • Financial loss ($) • Loss of privacy / peace of mind • Employment risks / liability • Criminal prosecution • Personal productivity / time wasted
Rationale • Preliminary literature search indicated • Information systems security is a major concern of many organizations • Security policies have been developed and security funding is available for large federal and state governing bodies. • Not much research has been published on security issues faced by small local governments, policies in place and enforced, and funding available for security.
Research Objectives • Build an assessment framework and measurement model that can quantify the overall information systems security readiness of a specific type of organization. • In particular, measure the vulnerabilities and security readiness of small municipalities.
Methodology • This is a preliminary study that was carried out in the following four steps: • Step 1: research the structures of local governments in central Pennsylvania, • Step 2: form an advisory board with expertise in Pennsylvania local governments, • Step 3: interview key individuals who have first-hand knowledge of the information systems used in local governments, and • Step 4: analyze the interviews to discover and document what types of information technologies local governments use, the security challenges they face, how they provide security for their systems, and their level of security readiness.
Theoretical Framework • Measurement models for information systems security readiness have a core set based on these dimensions: • (A) Infrastructures, • (B) Policies, Education, and Training, • (C) Enforcement.
A. Infrastructures • Security Software • Secure operating systems • Firewalls, virus scanners, anti-spyware • Intrusion detection software • Encryption software • Physical Security • Locks, perimeter alarms, access restrictions • Human resources • Employees designated to handle security-related tasks including planning, risk assessment, technical support, monitoring, auditing, etc.
B) Policies, Education, and Training • Are policies well developed and readily available to employees? • Is periodic security training mandated and funded? • C) Enforcement • What are the access and authorization controls? • Are employee activities monitored? • What are the accountability practices for deviations from published policies?
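The deck describes the three dimensions of the framework but does not give a scoring rule, so the following is an added example, not the authors' measurement model: a checklist-based readiness score that takes one yes/no answer per framework item, scores each dimension as the fraction of items satisfied, combines the dimensions with assumed equal weights, and reports the weakest dimension and the open gaps. The checklist items are paraphrased from the framework slides; the weights and the sample municipality are constructed assumptions.

```python
"""Added example of a readiness-scoring model over the deck's three framework
dimensions. Weights, item names and the sample municipality are assumptions
constructed for illustration; they are not the study's own model."""

from typing import Dict, List

# One checklist item per control named in the framework slides (paraphrased).
# An assessed municipality answers each item True (present) or False (absent).
FRAMEWORK: Dict[str, List[str]] = {
    "A. Infrastructures": [
        "secure_operating_systems",
        "firewall_and_antivirus",
        "intrusion_detection",
        "encryption_software",
        "physical_locks_and_alarms",
        "designated_security_staff",
    ],
    "B. Policies, Education, and Training": [
        "written_policies_available",
        "periodic_training_mandated_and_funded",
    ],
    "C. Enforcement": [
        "access_and_authorization_controls",
        "employee_activity_monitored",
        "accountability_for_policy_deviations",
    ],
}

# Assumption: the deck gives no weighting, so each dimension counts equally.
WEIGHTS: Dict[str, float] = {d: 1.0 / len(FRAMEWORK) for d in FRAMEWORK}


def validate(answers: Dict[str, bool]) -> None:
    """Reject unknown or missing items so a gap is never silently scored."""
    expected = {item for items in FRAMEWORK.values() for item in items}
    unknown = set(answers) - expected
    missing = expected - set(answers)
    if unknown or missing:
        raise ValueError(f"unknown items {sorted(unknown)}, missing items {sorted(missing)}")


def dimension_scores(answers: Dict[str, bool]) -> Dict[str, float]:
    """Fraction of checklist items satisfied, per dimension (0.0 to 1.0)."""
    validate(answers)
    return {d: sum(answers[i] for i in items) / len(items) for d, items in FRAMEWORK.items()}


def readiness_score(answers: Dict[str, bool]) -> float:
    """Weighted overall readiness on a 0-100 scale, rounded to one decimal."""
    scores = dimension_scores(answers)
    return round(100 * sum(WEIGHTS[d] * scores[d] for d in FRAMEWORK), 1)


def weakest_dimension(answers: Dict[str, bool]) -> str:
    """Dimension with the lowest score; ties resolve to the earliest dimension."""
    scores = dimension_scores(answers)
    return min(FRAMEWORK, key=lambda d: scores[d])


def gap_report(answers: Dict[str, bool]) -> Dict[str, List[str]]:
    """Unsatisfied items per dimension, for prioritising remediation."""
    validate(answers)
    return {d: [i for i in items if not answers[i]] for d, items in FRAMEWORK.items()}


# Constructed sample: a small municipality with firewall/antivirus and door
# locks but no alarms, no designated staff, no written policies, no training
# and no monitoring (a profile resembling the deck's qualitative findings).
SAMPLE_MUNICIPALITY: Dict[str, bool] = {
    "secure_operating_systems": True,
    "firewall_and_antivirus": True,
    "intrusion_detection": False,
    "encryption_software": False,
    "physical_locks_and_alarms": False,
    "designated_security_staff": False,
    "written_policies_available": False,
    "periodic_training_mandated_and_funded": False,
    "access_and_authorization_controls": True,
    "employee_activity_monitored": False,
    "accountability_for_policy_deviations": False,
}

if __name__ == "__main__":
    print("overall readiness:", readiness_score(SAMPLE_MUNICIPALITY))
    print("weakest dimension:", weakest_dimension(SAMPLE_MUNICIPALITY))
    for dimension, gaps in gap_report(SAMPLE_MUNICIPALITY).items():
        print(f"{dimension}: {', '.join(gaps) or 'no gaps'}")
```

Because every dimension is scored as a fraction of its own items, a dimension with two items (Policies, Education, and Training) carries the same weight as one with six, which matches the deck's treatment of the three dimensions as peers; a different weighting is a one-line change to `WEIGHTS`.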
Local governments in PA • 57 Cities • Major metropolitan areas: • Philadelphia (East) & Pittsburgh (West) • More than 900 Boroughs • Populations vary from less than 100 to over 38,000 • About 1/3 are urban • Rest are rural • Townships • Larger in area and typically surround borough or city • 91 urban & 1400 rural townships
Interviews Conducted • Case 1: an urban borough • Population: over 5000 • 47 employees • 7 networked workstations • Case 2: a rural township • Population: over 4000 • 18 employees • 2 stand-alone microcomputers • Case 3: a rural borough • Population: just over 900 • 10 employees • 2 stand-alone PCs, one with an internet connection • Local computer consultant • Provides support to #1 and #3 as well as many other small local municipalities
Initial Interviews • How is each local government organized? • What types of computer applications are used? • Which individuals within each organization have access to the computer systems and sensitive data? • Who is responsible for information systems and security? • What types of information systems security training do employees receive? • What types of computer security systems are installed? • Who is responsible for technical support for the information systems? Is the support provided within the organization or outsourced to an external firm?
Study Outcomes A. Infrastructure • i. Software security: the local government officials in this study were aware of the importance of firewalls and anti-virus software. However, they were less aware of the possibility that their information systems might have been compromised. • ii. Physical security: needs to be improved. In two of these communities, doors were locked at the end of the day, but no alarm systems were installed. • iii. Human resources: there is a need for a designated person to handle risk assessment, security planning, employee monitoring, and intrusion detection/prevention which was minimal or non-existent in the communities in this initial study. • iv. Outsourcing: the case studies show that many local governments outsource their information technology projects. More oversight is necessary to prevent outsourcing from becoming another source of security vulnerabilities.
Study Outcomes B. Policies, Education, and Training • This category shows the greatest need for improvement. • There seems to be a widespread lack of well-defined and well-documented information systems security policies. • Training appears to be sparse. All the key informants in the case studies expressed an interest in more security training, but they agreed that funding is the biggest obstacle. • A minimum set of security policies needs to be established to address: • the enforcement of strong passwords and periodic changes in them, • the encryption of data, especially on back-up devices and laptops, • the specification of more secure locations for back-up data storage devices, • the regular information systems security training of any employees who have access to sensitive data.
Study Outcomes C. Enforcement • Although one local government was found to have limited security policies in place, this study suggests that policy enforcement is weak because supervisors are not monitoring employees' activities relevant to information systems security. • Local government employees must not only be better trained, but their usage of the information systems must also be monitored. Employees violating published information systems security policies should be held accountable.
Future Directions • This study will serve as a basis for a more exhaustive study of communities throughout the state.
Questions & Contact Info • Charlotte Eudy McConn, M.S., CDP • cxe6@psu.edu • www.personal.psu.edu/cxe6 • Jungwoo Ryoo, Ph.D. • jxr65@psu.edu • www.personal.psu.edu/jxr65 • Tulay Girard, Ph.D. • tug1@psu.edu