After the January Vermont State privacy breach through a remote attack that compromised Social Security numbers and bank account numbers for nearly 70,000 people, Governor Jim Douglas ordered a security review of the computer systems.
Today it was reported that no other vulnerabilities were found in the online applications and systems.
“The penetration testing of the State’s web applications has not exposed any vulnerability in the web-based systems,” according to the report, issued Thursday. “Agency reviews of their security measures and applications have not uncovered any serious issues.”
Department Commissioner Thomas Murray said the review uncovered a number of minor administrative concerns about which the state needs to be more diligent.
“Among the recommendations, the report advises the state:
- implement a more thorough process for system support, documentation and managing the impacts of changes in the system;
- implement a system of data access procedures that ensures the appropriate level of access to confidential data;
- strengthen its security policies and standards;
- set up new “demilitarized zones” in the state’s main computer network, Govnet, to allow key partners like the federal government access to some state systems while barring them from wide-open access to the network.
Murray said many of these steps were under way.
Other changes include a new encryption policy, stepped-up employee training on security issues and annual audits with funding for new equipment hinging on problems being fixed.
Over the next few months all state departments and agencies will be asked to complete an inventory and risk assessment of their computer systems, he said. “All systems with confidential data will be required to submit a security plan and each system will be audited based on need and risk,” the report said.
Douglas also has asked the department to create long-term protocols to strengthen the state’s computer security.
Completing those steps could take up to a year, Murray said.”
Good plans. Hopefully they will be fulfilled.