As the home of U.S. Cyber Command headquarters and the classified operations of several federal agencies, it's natural to assume that Maryland would have one of the more enlightened cybersecurity perspectives in the country. However, a recent audit of the data protection policies and practices at state agencies revealed a number of concerning oversights.
Diffusion of responsibility
Four years ago, the Maryland Department of Information Technology (DoIT) was founded in the hopes of unifying the maintenance and regulation of computer systems used by state and local government offices. According to the Baltimore Sun, the newly-formed agency quickly got to work on an outline of data security best practices for all of the state's departments to follow. This included everything from alignment with Health Information Portability and Accountability Act (HIPPA) mandates to proper protocols for data breach notification and resolution.
But as Department of Legislative Services auditors discovered in their assessment, policy implementation and enforcement has been inconsistent at best. The report revealed that DoIT administrators almost entirely delegated regulation efforts to the individual agencies – and had no formal oversight process to ensure they were up to code.
"Our review of the security programs of the five state agencies that maintain confidential data on information systems disclosed that all five agencies could improve their policies and practices," auditors stated. "Specifically, none of the agencies had implemented all of the DoIT policy requirements we selected for review."
For example, only one of the five agencies had formally documented security levels for all of its information systems – a fundamental component for effective risk management strategies. This oversight likely factored into the observation that several of the agencies authorizing storage of personally identifiable information on employee-owned laptops and mobile devices did not employ standard data protection measures such as full-disk encryption.
Caveats and considerations
While these data security vulnerabilities can hardly be excused, according to the Washington Post, there are a few likely explanations. First and foremost, the DoIT is facing some notable staffing issues. Only four of the agency's employees fill cybersecurity roles – with each worker responsible for a litany of separate IT tasks as well. As a result, the delegation of policy enforcement efforts may have been out of necessity rather than laziness.
Also, several significant revisions and improvements were made to the agency's overarching policy framework back in April. Officials insist that it is too early to tell whether these changes have generated the desired results and that the audit should be regarded more as a diagnosis than a condemnation.
Data Security News from SimplySecurity.com by Trend Micro