A three-year effort to evaluate and upgrade computer security systems at state agencies should begin in March, state officials said Tuesday.
The yet-to-be-hired contractor will be asked to start with three agencies and issue recommendations by May 1 that include cost estimates, Budget and Control Board director Marcia Adams told the agency's oversight board. The report would come in time for budget discussions in the Senate.
Adams said her agency was collecting proposals and hoped to hire a contractor March 5.
That would be nearly six months after a cyber-thief stole unencrypted personal and financial data of millions of taxpayers from Department of Revenue computer servers. The state hired Mandiant, a Virginia-based information security firm, to immediately address the issues at that agency.
Gov. Nikki Haley said the consultant was needed to help officials upgrade data security across state government.
“I'm very happy with the progress made,” Haley, chairwoman of the five-member oversight board, said after the meeting. “This is going to be something ongoing.”
Senate Finance Chairman Hugh Leatherman, a board member, made clear the recommendations would be followed.
“Whatever comes out, the agencies will do it. They won't have the ability to say, ‘No,’” he said.
The contractor will evaluate 18 agencies over three years, but the goal for May is to determine the most immediate security vulnerabilities, Adams said.
Her agency had help writing the request for expertise. Last month, the board approved hiring a consultant to help with the search. Cedric Bennett, former information security director at Stanford University, was awarded that $6,000 contract Dec. 20. He'll continue to help through the hiring process.
The agency initially posted its request Jan. 11. Companies should submit their proposals by Feb. 11. The March 5 start date assumes no one protests the state's selection, Adams said.
The consultant being hired will help the state centralize data security responsibilities. Currently, each agency develops its own computer security standards.
The Division of State Information Technology, which is part of the Budget and Control Board, can only suggest policies and offers security-monitoring services at no cost to agencies and local governments.
Inspector General Patrick Maley has said the current decentralized model is a recipe for disaster, and residents won't tolerate another security disaster.
“We have to be consistent across the board for every agency. We've got to have them under one umbrella,” Haley said. “My only input to the consultant is, help us put as many walls up but make it consistent as possible.”
Maley conducted a quick review of agencies' cyber security as per an executive order Haley issued Oct. 26, the same day she announced the mid-September hacking at the state's tax collection agency.