Hack Update: Inspector General Releases Preliminary Report

Haley says number of individuals signed up for protection nears 800k.

Gov. Nikki Haley updated the media with the latest information on the Department of Revenue security breach last month.

She said 778,268 individuals had signed up for credit protection as had 7,102 businesses.

As questions continue about where blame will lie and the nature of the state government's information security systems, Haley noted the investigation is still ongoing and asked that there not be a rush to judgment.

Several hours after the governor spoke, Inspector General Patrick Maley released a preliminary report on the breach, which is posted below.

See full coverage of the hack HERE.

The Inspector General's report:

The Office of Inspector General (OIG) fully endorses the Governor’s executive order 2012-10 and requesting a “holistic” review of information security (INFOSEC) policy and procedures to minimize the risk of cyber-attacks and protect the personal information of our citizens kept by state agencies. After two weeks engaged on this topic, the central issue is the state does not currently have a state-wide INFOSEC program. There are no mandatory state policies, standards, monitoring, or enforcement for INFOSEC in agencies of state government. The state provides a general INFOSEC policy model, but the state only suggests each agency tailor it to their environment. This INFOSEC policy approach coupled with the state’s decentralized IT environment, creates unique challenges in understanding, controlling, and mitigating the state-wide INFOSEC risk in the over 100 entities in the Executive Branch, as well as the other branches of government.

As the initial step, informal and formal meetings between the OIG, the Division of State Information Technology (DSIT), private sector experts, and individual agency Chief Information Officers (CIO) culminated in a group meeting with CIOs. It was clear, as well as comforting, to see CIOs’ focus and passion on this topic, as well as their self-initiated efforts within their respective agencies to re-examine their own INFOSEC risk since the recent breach. 

With advice from experts and feedback from the CIOs, the OIG, in collaboration with DSIT, launched a tasking to all Agencies. The tasking had every agency, in a systematic manner, do the following: 

  • Conduct short term remediation steps: Each agency will “double check” specific INFOSEC procedures having the highest impact on lowering INFOSEC risk. Emphasis will be on reviewing these fundamentals in each agency through the new optic of the post-DOR breach world in which we now operate. 
  • Agency self-assessment: Each CIO will complete an electronic INFOSEC self-assessment survey for their agency, as will each Agency Head from their perspective. Then, the Agency Head and CIO will meet to discuss results to ensure Agency Heads are fully engaged in this state-wide issue.
  • Data Classification: Locate all high risk data, primarily personal identifying information (PII) and protected health information (PHI). Additionally, request help on any PII or PHI not sufficiently secured. 

A full-time task force has been established to address this state-wide INFOSEC issue. The scope of this effort will focus on the first milestone describing the current conditions “on the ground” of INFOSEC state-wide in a time-sensitive manner, then collect data to develop options and recommendations on governance models to address the state-wide INFOSEC risk. A governance model is the first step to provide a sustainable state-wide INFOSEC platform for leadership, structure/processes, and assurance that INFOSEC risk, policy, and resource needs are coordinated and addressed at the state level. The OIG plans to provide actionable items in the area of governance models upon completion of this first milestone. 

The second milestone will be to develop options on strategy and implementation plans. Given the necessity of subject matter expertise and experience with implementing INFOSEC programs in other state governments, a consultant(s) will be required. The implementation options will likely be a function of time and cost.  Resources will be required to build the governance model selected and mitigate INFOSEC risks identified as agencies systematically conduct risk assessments.     

The OIG’s role is to synthesize data from the INFOSEC arena into a meaningful options and recommendations document to develop a road map for a “holistic” state-wide INFOSEC program in terms of governance, strategy, and costs. The IG’s role is to address organizational issues which will serve as the enabling platform for subject matter experts, armed with a strategy and an implementation plan, to build and mature a state-wide INFOSEC program to lower risks and enhance long-term INFOSEC capabilities. 

The OIG fully understands the stress and impact of this situation on the citizens of South Carolina, which serves as a motivator to all involved in urgently addressing this issue. I can assure every citizen that there is commitment and resolve to ensure the state does everything possible to protect your information.           

Patrick Maley

Inspector General

Tom Utley November 14, 2012 at 02:23 PM
Good Lord. I could only read about half of that before my head started hurting too much to continue. I'm just amazed at how bass-ackwards, inefficient, and incompetent bureaucracy is. If this were a company in the voluntary sector, they would be getting sued out of existence right now. But no, this is the government, the organized crime gang that we allow to run rampant all over us. So they form a committee and hold a meeting and now we're supposed to be "comforted" because the people responsible for this mess show "passion" about changing policies for the future. The next step is to form a meeting to propose strategies for potential improvements to the current situation. Good Lord. If I worked like this, I'd be out of a job.
Shawn Drury November 14, 2012 at 02:23 PM
Fair enough, Jerry but please note: "Haley noted the investigation is still ongoing and asked that there not be a rush to judgment."
Jerry Stevens November 14, 2012 at 03:02 PM
I agree there should be no rush to judge which is why I say it was a bad idea for her to judge on October 31st that no one was to blame and that it could not have been prevented. How would she know that before the investigation had even begun?
Shawn Drury November 14, 2012 at 03:07 PM
My guess--and it's a guess--is that the Admin wants to keep the focus on the investigation and on people signing up for credit protection rather than pointing fingers.
Don Moffett November 17, 2012 at 07:19 PM
So this committee is destined to create more of the same. The vendors will want to sell the state more of what is not working and the state will be willing to accept a vendor solution because they lack the Information Assurance Skills to determine the best course of action. This is a common problem that state governments have, their reliance on vendors to solve their problems ends up wasting taxpayer dollars. Many states give contracts to vendors, then hire Independent verification and validation companies to make sure the vendors do what they say they will do because the state does not even have the skill to know if they are getting what they ask for. So what is the state to do? Unfortunately, the solution is to hire an advocate who will watch out for the states interest and insist upon skills transfers in contracts, not just operational skills, but skills to expand the use of the solution.


More »
Got a question? Something on your mind? Talk to your community, directly.
Note Article
Just a short thought to get the word out quickly about anything in your neighborhood.
Share something with your neighbors.What's on your mind?What's on your mind?Make an announcement, speak your mind, or sell somethingPost something