ASSESSING INFORMATION SYSTEMS SECURITY WITHIN LOCAL GOVERNMENTS: A PILOT STUDY FOR CENTRAL PENNSYLVANIA - PowerPoint PPT Presentation

1
ASSESSING INFORMATION SYSTEMS SECURITY WITHIN
LOCAL GOVERNMENTS A PILOT STUDY FOR CENTRAL
PENNSYLVANIA
  • Charlotte E. McConn,
  • Jungwoo Ryoo,
  • Tulay Girard,
  • Penn State University, Altoona College

2
Overview
  • Rationale
  • Methodology
  • Theoretical framework
  • Small local government interviews
  • Study results

3
Threats / Vulnerabilities
Could be internal (employees) or external to the organization
  • Malicious threats
    • Interruption of service
      • Denial of service attack
      • SPAM
    • Interception of data
      • Packet sniffing
    • Modification of data
      • Fraud
      • Embezzlement
    • Social engineering
      • Phishing
      • Extortion
  • Natural threats
    • Fire
    • Flood
    • Hurricane
    • Tornado
  • Normal technical problems
    • Hardware
      • Power failures or surges
      • Disk crashes
      • Downtime

4
Importance of Security
  • Data loss / Identity Theft
  • Financial loss
  • Loss of privacy / peace of mind
  • Employment risks / liability
  • Criminal prosecution
  • Personal productivity / time wasted

5
Rationale
  • Preliminary literature search indicated:
    • Information systems security is a major concern
      of many organizations.
    • Security policies have been developed and
      security funding is available for large federal
      and state governing bodies.
    • Not much research has been published on the security
      issues faced by small local governments, the policies
      in place and enforced, or the funding available for
      security.

6
Research Objectives
  • Build an assessment framework and measurement
    model that can quantify the overall information
    systems security readiness of a specific type of
    organization.
  • In particular, measure the vulnerabilities and
    security readiness of small municipalities.

7
Methodology
  • This is a preliminary study that was carried out
    in the following four steps:
  • Step 1: research the structures of local
    governments in central Pennsylvania;
  • Step 2: form an advisory board with expertise in
    Pennsylvania local governments;
  • Step 3: interview key individuals who have
    first-hand knowledge of the information systems
    used in local governments; and
  • Step 4: analyze the interviews to discover and
    document what types of information technologies
    local governments use, the security challenges they
    face, how they provide security for their
    systems, and their level of security readiness.

8
Theoretical Framework
  • Measurement models for information systems
    security readiness have a core set based on these
    dimensions:
  • (A) Infrastructures
  • (B) Policies, Education, and Training
  • (C) Enforcement

9
A. Infrastructures
  • Security software
    • Secure operating systems
    • Firewalls, virus scanners, anti-spyware
    • Intrusion detection software
    • Encryption software
  • Physical security
    • Locks, perimeter alarms, access restrictions
  • Human resources
    • Employees designated to handle security-related
      tasks including planning, risk assessment,
      technical support, monitoring, auditing, etc.

10
B. Policies, Education, and Training
  • Are policies well developed and readily
    available to employees?
  • Is periodic security training mandated and
    funded?
C. Enforcement
  • What access and authorization controls are in place?
  • Are employee activities monitored?
  • What are the accountability practices for deviations
    from published policies?

11
Local governments in PA
  • 57 cities
    • Major metropolitan areas:
      Philadelphia (east), Pittsburgh (west)
  • More than 900 boroughs
    • Populations vary from less than 100 to over
      38,000
    • About 1/3 are urban; the rest are rural
  • Townships
    • Larger in area and typically surround a borough or
      city
    • 91 urban, 1,400 rural townships

12
Communities Studied: Central Pennsylvania, USA

13
Interviews Conducted
  • Case 1: an urban borough
    • Population over 5,000
    • 47 employees
    • 7 networked workstations
  • Case 2: a rural township
    • Population over 4,000
    • 18 employees
    • 2 stand-alone microcomputers
  • Case 3: a rural borough
    • Population just over 900
    • 10 employees
    • 2 stand-alone PCs, one with an internet connection
  • Local computer consultant
    • Provides support to Cases 1 and 3 as well as many
      other small local municipalities

14
Initial Interviews
  • How is each local government organized?
  • What types of computer applications are used?
  • Which individuals within each organization have
    access to the computer systems and sensitive
    data?
  • Who is responsible for information systems and
    security?
  • What types of information systems security
    training do employees receive?
  • What types of computer security systems are
    installed?
  • Who is responsible for technical support for the
    information systems? Is the support provided
    within the organization or outsourced to an
    external firm?

15
Study Outcomes A. Infrastructure
  • i. Software security: the local government
    officials in this study were aware of the
    importance of firewalls and anti-virus software.
    However, they were less aware of the possibility
    that their information systems might already have been
    compromised.
  • ii. Physical security: needs to be improved. In
    two of these communities, doors were locked at
    the end of the day, but no alarm systems were
    installed.
  • iii. Human resources: there is a need for a
    designated person to handle risk assessment,
    security planning, employee monitoring, and
    intrusion detection/prevention; these functions were
    minimal or non-existent in the communities in this
    initial study.
  • iv. Outsourcing: the case studies show that many
    local governments outsource their information
    technology projects. More oversight is necessary
    to prevent outsourcing from becoming another
    source of security vulnerabilities.

16
Study Outcomes B. Policies, Education, and
Training
  • This category shows the greatest need for
    improvement.
  • There seems to be a widespread lack of
    well-defined and well-documented information
    systems security policies.
  • Training appears to be sparse. All the key
    informants in the case studies expressed an
    interest in more security training, but they
    agreed that funding is the biggest obstacle.
  • A minimum set of security policies needs to be
    established to address:
    • the enforcement of strong passwords and periodic
      changes to them,
    • the encryption of data, especially on back-up
      devices and laptops,
    • the specification of more secure locations for
      back-up data storage devices,
    • the regular information systems security training
      of any employees who have access to sensitive
      data.
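The password items in the minimum policy set above are the one part of this slide that can be checked mechanically rather than by interview. The script below is an added example written for this page, not material from the study or its authors: it rejects a candidate password that fails the strength rule when it is set, and at audit time lists accounts whose passwords have exceeded a maximum age. The thresholds (12 characters, three character classes, 90 days), the small blocklist and the sample accounts are constructed assumptions. One caveat a practitioner would want: current NIST SP 800-63B guidance discourages mandatory periodic rotation in favour of screening against breached-password lists, so `max_age_days` is configurable and a value of 0 disables that rule.

```python
"""Password-policy checks for the minimum policy set on this slide.

Added example for this page, not the study's own material.
Thresholds, blocklist and sample accounts are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Constructed blocklist for the example. A real deployment would screen
# against a breached-password corpus instead of a hand-written set.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "borough2008"}

# One regex per character class: lower, upper, digit, symbol.
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12        # assumed threshold
    min_char_classes: int = 3   # assumed threshold
    max_age_days: int = 90      # assumed threshold; 0 disables periodic change
    forbid_username: bool = True


def check_strength(password: str, username: str,
                   policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return the policy violations for a candidate password; an empty list means compliant."""
    problems: list[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum(1 for p in CLASS_PATTERNS if re.search(p, password))
    if classes < policy.min_char_classes:
        problems.append(f"uses {classes} character classes, policy requires {policy.min_char_classes}")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    if policy.forbid_username and username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def password_expired(last_changed: date, today: date,
                     policy: PasswordPolicy = PasswordPolicy()) -> bool:
    """True when the password is older than max_age_days; always False if that rule is disabled."""
    if policy.max_age_days <= 0:
        return False
    return today - last_changed > timedelta(days=policy.max_age_days)


@dataclass(frozen=True)
class Account:
    username: str
    password_last_changed: date


def audit_accounts(accounts: list[Account], today: date,
                   policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return the usernames whose passwords have exceeded the maximum age."""
    return [a.username for a in accounts
            if password_expired(a.password_last_changed, today, policy)]


if __name__ == "__main__":
    # Constructed sample data: a clerk who reused a guessable local password.
    print(check_strength("Borough2008", "clerk"))
    print(check_strength("Tr3asurer-Ledger!9", "treasurer"))
    sample = [Account("clerk", date(2024, 1, 1)),
              Account("treasurer", date(2024, 5, 15))]
    print(audit_accounts(sample, date(2024, 6, 1)))
```

The strength check runs at the moment a password is chosen, which is the only point at which a small office without central identity management can actually enforce the rule; the age audit is a separate, periodic pass over an account inventory, so the two functions are kept independent.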

17
Study Outcomes C. Enforcement
  • Although one local government was found to have
    limited security policies in place, this
    study suggests that policy enforcement is
    weak because supervisors are not monitoring
    employees' activities relevant to information
    systems security.
  • Local government employees must not only be
    better trained, but their usage of the
    information systems must also be monitored.
    Employees violating published information systems
    security policies should be held accountable.

18
Future Directions
  • This study will serve as a basis for a more
    exhaustive study of communities throughout the
    state.

19
Questions / Contact Info
  • Charlotte Eudy McConn, M.S., CDP
  • cxe6_at_psu.edu
  • www.personal.psu.edu/cxe6
  • Jungwoo Ryoo, Ph.D.
  • jxr65_at_psu.edu
  • www.personal.psu.edu/jxr65
  • Tulay Girard, Ph.D.
  • tug1_at_psu.edu