Exclusive: Emails Show South Carolina's Security Scramble

7:20 PM, Nov 20, 2012   |    comments
  • Share
  • Print
  • - A A A +

Columbia, SC (WLTX) - Emails turned over to News19 show a draft of  the state's  plans to execute a "short term cyber security action plan."

Related Coverage: Gov. Says Mistakes Made in Hacking, Revenue Director Resigns

Through a Freedom of Information Act request, News19  requested all email correspondence between Inspector General Pat Maley and more than 70 Chief Information Officers (CIO's) of South Carolina's State agencies.

The files received from the Budget and Control Board show that the first email from Inspector Maley to the CIO's is dated on October 26th.

"I need your help. I am not an INFOSEC expert.  My expertise is taking a mission, assembling the right team, developing objectives, collecting data on the objectives, and arriving at option and recommendations," said Maley.

"I will be assembling a team of subject matter IT experts to work full-time on this task force. I will ask each agency CIO to think about voluntarily contributing a qualified staff member to this full-time task force."

On October 30th, the Inspector General requests "four full-time volunteer subject matter experts from agencies to fully staff the initial task force of six. The same email schedules a non-mandatory meeting for all state agencies CIO's.

A follow up email sets a meeting with Chief Information Officers for November 1st, "the primary purpose of this meeting will be to seek input on immediate measures/protocols that can be deployed to agencies state-wide to increase our collective information security confidence in the short-run, as well as identify critical weaknesses needing immediate attention."

Attached to one of the emails are two drafts of recommendations from the Department of State Information Technology  (DSIT) and  the Inspector General asks all state agencies to complete.

The first attachment is "Short Term Remediation Steps." A list of eleven steps "all agencies should review and implement." The steps recommend steps like monitoring and reviewing logs of remote access to making sure local accounts and domain accounts have different names and passwords.

The second attachment is an "Agency Self-Assessment." In this four page survey, DSIT recommends that "self-assessments provides a cost-effective technique for agency officials to determine the current status of their information security programs."

The survey's ask "yes," "no," and "don't know" questions that fall under a number of categories including security training, security management, security policies, and encryption. Under the encryption section the survey asks specifically if the agency knows if "encrypted protocols are used when remotely managing systems, routers, and firewalls."

No answers or responses were provided in the emails obtained by News19.

One of the final documents provided asks that each agency head must have completed the 11 steps and self-assessment survey by November 16th.

News19 has asked if these steps have been complete and are awaiting a reply from officials at DSIT who are on holiday until November 26th.


Most Watched Videos