Gov. Nikki Haley updated the media with the latest information on the Department of Revenue security breach last month.
She said 778,268 individuals had signed up for credit protection as had 7,102 businesses.
As questions continue about where blame will lie and the nature of the state government's information security systems, Haley noted the investigation is still ongoing and asked that there not be a rush to judgment.
Several hours after the governor spoke, Inspector General Patrick Maley released a preliminary report on the breach, which is posted below.
See full coverage of the hack HERE.
The Inspector General's report:
The Office of Inspector General (OIG) fully endorses the Governor’s executive order 2012-10 and requesting a “holistic” review of information security (INFOSEC) policy and procedures to minimize the risk of cyber-attacks and protect the personal information of our citizens kept by state agencies. After two weeks engaged on this topic, the central issue is the state does not currently have a state-wide INFOSEC program. There are no mandatory state policies, standards, monitoring, or enforcement for INFOSEC in agencies of state government. The state provides a general INFOSEC policy model, but the state only suggests each agency tailor it to their environment. This INFOSEC policy approach coupled with the state’s decentralized IT environment, creates unique challenges in understanding, controlling, and mitigating the state-wide INFOSEC risk in the over 100 entities in the Executive Branch, as well as the other branches of government.
As the initial step, informal and formal meetings between the OIG, the Division of State Information Technology (DSIT), private sector experts, and individual agency Chief Information Officers (CIO) culminated in a group meeting with CIOs. It was clear, as well as comforting, to see CIOs’ focus and passion on this topic, as well as their self-initiated efforts within their respective agencies to re-examine their own INFOSEC risk since the recent breach.
With advice from experts and feedback from the CIOs, the OIG, in collaboration with DSIT, launched a tasking to all Agencies. The tasking had every agency, in a systematic manner, do the following:
- Conduct short term remediation steps: Each agency will “double check” specific INFOSEC procedures having the highest impact on lowering INFOSEC risk. Emphasis will be on reviewing these fundamentals in each agency through the new optic of the post-DOR breach world in which we now operate.
- Agency self-assessment: Each CIO will complete an electronic INFOSEC self-assessment survey for their agency, as will each Agency Head from their perspective. Then, the Agency Head and CIO will meet to discuss results to ensure Agency Heads are fully engaged in this state-wide issue.
- Data Classification: Locate all high risk data, primarily personal identifying information (PII) and protected health information (PHI). Additionally, request help on any PII or PHI not sufficiently secured.
A full-time task force has been established to address this state-wide INFOSEC issue. The scope of this effort will focus on the first milestone describing the current conditions “on the ground” of INFOSEC state-wide in a time-sensitive manner, then collect data to develop options and recommendations on governance models to address the state-wide INFOSEC risk. A governance model is the first step to provide a sustainable state-wide INFOSEC platform for leadership, structure/processes, and assurance that INFOSEC risk, policy, and resource needs are coordinated and addressed at the state level. The OIG plans to provide actionable items in the area of governance models upon completion of this first milestone.
The second milestone will be to develop options on strategy and implementation plans. Given the necessity of subject matter expertise and experience with implementing INFOSEC programs in other state governments, a consultant(s) will be required. The implementation options will likely be a function of time and cost. Resources will be required to build the governance model selected and mitigate INFOSEC risks identified as agencies systematically conduct risk assessments.
The OIG’s role is to synthesize data from the INFOSEC arena into a meaningful options and recommendations document to develop a road map for a “holistic” state-wide INFOSEC program in terms of governance, strategy, and costs. The IG’s role is to address organizational issues which will serve as the enabling platform for subject matter experts, armed with a strategy and an implementation plan, to build and mature a state-wide INFOSEC program to lower risks and enhance long-term INFOSEC capabilities.
The OIG fully understands the stress and impact of this situation on the citizens of South Carolina, which serves as a motivator to all involved in urgently addressing this issue. I can assure every citizen that there is commitment and resolve to ensure the state does everything possible to protect your information.
Patrick Maley
Inspector General