Addressing IT appropriation requests in the 2015 Legislature
As the 2015 Legislative Session moves closer to its final scheduled day, now projected to be April 30, agencies are monitoring proposed bills and new legislation that may impact the way they do business. In the legislative process, state agencies typically have opportunities to provide legislators with information to help them understand requests for appropriations and/or changes to state law.
In early March, SITSD’s Lynne Pizzini had the opportunity to speak to the House State Administration Committee about information technology security and Montana’s security profile. She also provided background on DOA-SITSD’s request for nearly $1.9 million to continue the state’s “Data Protection Initiative,” a plan that addresses the need for continual improvement of security of data maintained on state IT systems. On March 13, I addressed the House Appropriations Committee on the same issue at a hearing for HB10 – Long-Range Information Technology Program (LRITP) – which includes additional IT appropriation requests from DOA-SITSD and the Department of Corrections, Department of Justice and Department of Transportation.
In addition to the Data Protection Initiative, DOA-SITSD has requested nearly $5.6 million in HB 10 for network and security upgrades to replace end-of-life equipment and increase bandwidth on the state network. A $2 million request to support upgrades to the statewide public safety communications system was also in the bill. You can learn more about the requests in HB 10.
While the requests are pending legislative approval, I wanted to highlight some of the statements that Lynne made to committee members on March 6 regarding information security. I think it is a good reminder of the challenges that states face every day in keeping their systems secure.
- The State of Montana has approximately 1 billion events every month on state systems. An “event” is defined as an unsuccessful attempt to gain access to computer systems. This is similar to someone trying your locked door and windows on your house to gain access or entry.
- An “incident” is defined as actually getting successful access into a computer system with malicious intent to harm the system. These types of incidents are generally known as a virus or malicious software being installed on a computer system; however, data is not accessed or stolen. The state had one incident in 2005 and 498 incidents in 2014. This shows the sophistication of malicious attacks and attempts to access computer systems and data which, in turn, results in the need for additional protection mechanisms.
- A breach is unauthorized access and use of confidential data. This is similar to someone breaking into your house and stealing your computer, television, etc. The Montana Department of Health and Human Services (DPHHS) experienced unauthorized access to its servers in May of last year, but this was an incident and not a breach, as there was no evidence that data was accessed or misused.
- The estimated cost of a breach is now $195 per record accessed, or $5.85 million, plus reputation and trust. Generally, attempted attacks by hackers increase when an organization announces an incident or breach. After the DPHHS incident, attacks on the state’s network doubled.
Lynne provided additional detail regarding the state’s Data Protection Initiative, which was launched two years ago with a $2 million appropriation from the 2013 Legislature. An enterprise risk assessment, part of the initiative, was completed last October and has provided a “roadmap” to addressing five key areas of improvement in the future. We’ll know if the Data Protection Initiative and other IT appropriation requests get funded after the Legislature concludes its work on April 30.
Ron Baldwin, State CIO
State Information Technology Services Division