South Carolina’s inspector general recommends centralizing the cyber security functions of state agencies to help prevent another loss of personal data, according to a report released Tuesday.
“Without question, the current highly decentralized model needs to be eliminated,” Inspector General Patrick Maley wrote. “South Carolina needs a traditional federated model with central responsibility.”
While oversight and standard-setting should be centralized, agencies should be allowed to tailor their policies according to their needs, he wrote.
Maley said leaving the responsibility of data security to each agency leads to uneven data protection and prevents officials from managing or even understanding risks that could affect all state government.
He notes the Division of State Information Technology can only suggest policies and lacks any authority to mandate statewide standards. The division offers federally funded security-monitoring services free to state agencies, local governments and school districts.
Maley recommends creating a new statewide chief security officer independent of the division, largely because of agencies’ historical distrust of the division, which is part of the Budget and Control Board.
He also believes the state should hire consultants to help transition to the centralized model.
“Consultants will be costly, but the state can’t develop this government-wide initiative without their assistance,” he wrote.
The argument to centralize represents an about-face from five years ago, when a nine-member committee created by former Gov. Mark Sanford found that information technology services were too concentrated. At the time, the computer division was criticized for charging agencies for services with no explanation. The committee found it had amassed too much authority with no direct responsibility or accountability.
“The working environment lacks the trust, cooperation and collaboration required for successful operations in such a complex and interactive environment,” reads the 2007 report from the Government Efficiency and Accountability Review, or GEAR, Committee.
The inspector general was asked to review cyber security after the tax returns of 3.8 million residents and 700,000 businesses were stolen from Revenue Department computer servers – representing the largest hacking of a state agency in the nation’s history. Stolen data included unencrypted Social Security and bank account numbers.
Gov. Nikki Haley issued an executive order calling for the review Oct. 26, the same day she initially announced the breach.
“The governor is grateful for the work Inspector General Maley and his team have put into the report – it’s exactly what she wanted when she asked him to undertake a comprehensive review of our data systems,” Haley spokesman Rob Godfrey said.
Maley noted residents wouldn’t tolerate another such security disaster.
The 18 chief information officers of state agencies interviewed for the interim report were “nearly unanimous that the statewide risk tolerance for another significant breach is near zero,” he wrote.
He characterized regaining residents’ lost trust as the most important reason for revamping the state’s cyber security model.