Columbus is taking steps to plug a gap in its computer security, the city's technology director said yesterday.
On May 2, The Dispatch reported that Columbus does not track computer parts that could hold sensitive data after they are taken out of service. An expert said that could lead to the undetected theft of critical data.
The city will begin taking inventory of its retired equipment and will keep it in a central repository until it is turned over to a contractor for disposal, said Gary Cavin, technology director in Mayor Michael B. Coleman's cabinet. In addition, Cavin said, his department is working on a yearlong contract with a computer-security company to provide continuing advice.
"We understand how fast and quickly laws change and security changes," Cavin said.
On Tuesday, Coleman sent a memo to Cavin asking him to explain what security precautions he is taking and plans to take. "Keeping such sensitive information from falling into the wrong hands is of the utmost importance, and it is a priority of this administration," Coleman wrote.
Councilman A. Troy Miller, who leads the committee that oversees technology, said Cavin also met with him to explain the steps he was taking. "There is always room for improvement," Miller said. "As technology changes, we have to make sure we're covering all our bases."
The Dispatch story explained that the city sets aside computer equipment for recycling without keeping records of what it has taken out of service. Contractors disposing of the equipment provide a manifest of the hard drives that have been destroyed, but the city has no way to check that all the drives taken out of service were disposed of properly.
Gene Spafford, who heads Purdue University's computer-security research center, said that unless the city can match serial numbers from its list of drives taken out of service to those destroyed by the contractor, data could be stolen without the city's knowledge.
The last time a consultant tested the city's security, in 2007, it was unable to hack into the city's system from the Internet, according to a summary of the findings provided to The Dispatch under the Ohio Open Records Act. But when consultants attacked from inside the city's offices, the summary said, "several machines were compromised at the administrative level, causing an extensive amount of exposure to various forms of sensitive data."
The city keeps medical records, personal information about its employees and tax information, among other data that must be kept secure.
Cavin said the issues raised in the 2007 report by MicroSolved Inc. have been corrected. The city now has software that tracks who is accessing information. Laptops are encrypted to prevent information from being read if they are stolen, and individual city offices require a key-card swipe to enter.
Coleman issued an executive order in 2007 prohibiting city employees from storing sensitive data on their desktop hard drives, laptops and mobile devices after a data tape containing personal information about 1.3 million Ohioans was stolen from a state intern's car. The state spent $2.2 million for identity-theft protection for those whose data was stolen.
More recently, Ohio State University has estimated that it will cost $4 million for credit monitoring and security upgrades after a hacker accessed records of 760,000 people connected with the university.