Classifying Information Assets
NYS's Cybersecurity Office Helps Agencies with Assessment Tool
Identifying where information is situated plays a big role in controlling it, says cybersecurity office Director Tom Smith. "Not all of the sensitive information is in the data center anymore," he says. "It's on the desktop; it's on the smartphone; it's on the laptop."
The information classification tool is a web-based tool that takes agencies through a series of questions to help them determine - based on confidentiality, integrity and availability - the appropriate classification of an information asset. "It's really intended to make the processes as easy as possible for the individual completing the classification process," Smith says in an interview with GovInfoSecurity.com's Eric Chabrow (transcript below).
State agencies are beginning to get it, acknowledging that IT security is part of their overall business risk assessment. "After we did the executive briefing this year, we had a much stronger uptake with agencies who said, 'Please tell me how I can improve our compliance with the policy,'" Smith says. "We had a much stronger reaction and I think some of that is a natural result of how prevalent reports of breaches are in the press."
In the interview, Smith discusses:
- The evolution and necessity of the state's information asset classification policy.
- The tool that helps automate the process.
- Shifting attitudes among departmental, agency and commission leaders toward IT risk management and security.
Before being named office director in July 2010, Smith served as assistant deputy director and counsel from 2007, where he assisted in the agency's policy direction, managed the agency's large-scale procurements, coordinated the agency's legislative program and served as co-chairman of the Multi-State Information Sharing and Analysis Center's procurement workshop. He also served as the agency's ethics officer and records appeals officer.
Earlier in his government career, Smith served as a supervising attorney at the state Office for Technology, overseeing a legal team for the state data center and as legislative liaison. From 1986 to 2000, Smith worked in the New York State Office of the State Comptroller as an associate attorney in the Division of Legal Services/Municipal Law Section and the Division of Legal Services/Investments.
Smith graduated cum laude from Dartmouth College and earned his law degree from Albany Law School.
Information Asset Classification
ERIC CHABROW: In 2008 under your predecessor, Will Pelgrin, New York State implemented an information asset classification policy and last year the Office of Cybersecurity introduced a new tool to help agencies implement that policy. Tell us something about the policy and the tool.
TOM SMITH: What everyone recognized for several years is that information classification is a cornerstone of an effective and efficient security program. We can identify our information assets and then apply appropriate controls. That was really the purpose of the policy that was issued in 2008, and what we've done over the intervening time is try to put in place the resources so that the process can go forward and to make the processes as easy as possible for state agencies. That included the policy and control materials. Online training was provided in archived video training. Then in the last year we did roll out an online tool to assist the agencies in implementing the policy because we know that it is a resource-intensive process for the agencies to first identify their information assets, who the owners of those assets are and then classify the assets and apply appropriate controls. That is a huge project so we're trying to do things that we can do to make that as easy as possible for the agencies.
CHABROW: Are agencies surprised when they start doing an assessment to find out how many different kinds of information assets they have?
SMITH: It's a combination of how many assets they have and then where they are stored. We are sure that the agencies are retaining more and more information - a lot of it is very sensitive. But they are also now maintaining that information on a wider variety of devices. Not all of the sensitive information is in the data center anymore; it's on the desktop. It's on the smartphone, it's on the laptop, so I think that is a very important part of the process. What information do we have and then where are agency employees using that information? That is one of the most important things to get a handle on and then where do we need to apply the appropriate controls. I think that's something that can surprise some of the agencies, but it's an extremely usable process for them to go through.
We are really looking at the underlying information asset. What is the data that is included in it? Is it a social security number? Is it an application for food stamps? Is it a tax return? We are really trying to say: what information are you collecting and maintaining for your business processes? And then we go to: where are you storing that information?
Information Classification Tool
CHABROW: Why don't you explain a little bit more about what the tool is and how it works?
SMITH: The Information Classification Tool is a web-based tool with a portal-style homepage that provides the agency access to all the functionality. There is an authentication process, so it's not a public-facing application. There is security, but what it allows the agencies to do is to open up an asset, say this is an asset that we have identified, and then go through a series of questions that help the agency determine based on confidentiality, integrity, and availability what the appropriate classification for that asset would be. Then once those questions and answers are completed, the application says this information asset should be in this classification, whether it's high, high, high or high, medium, low. Then that drives what the appropriate controls are for that particular asset class. That's all done automatically by the tool based on the questions and answers. Embedded in the tool are help menus, discussions of what the controls are, what some of the terms mean. It's really intended to make the processes as easy as possible for the individual completing the classification process.
CHABROW: At the agencies, what positions are the ones who are using this tool?
SMITH: What we do in the policy is that this process is undertaken by the person who is identified as the information owner, the assumption being that person is going to be the one who has the most familiarity with the asset and where that asset may be currently stored. But what we really do is we encourage the agency to set up a team to undertake this process and have a project plan where individual information owners are required to fill out the information about their assets, and then that gets rolled up to the agency level. The tool includes the process for approval of information classifications and then includes the process where it tracks when those things are changed. There is a central repository for each agency of all of your assets that have been classified. Here are the resulting classifications, the controls that apply to each of those assets and then the tool includes the process for reevaluating and changing those classifications as appropriate.
CHABROW: This was rolled out about a year ago, correct?
SMITH: Yes, last July. The policies apply to more than 60 executive agencies in the State of New York. It can be adopted by state authorities and other agencies outside the executive branch, and it is made available to local governments who have access to our central LDAP system.
Assessing the Tool
CHABROW: During the year, as agencies used this tool, did you see some changes you needed to make to that? And if so, what were they?
SMITH: Yes ... we get comments back from agencies about improvements to the tool and automating some of the other portions of the process. We do have a phase two lined up, but because of some constrained resources we haven't been able to roll those out, but we do have, I guess you would call it, the Tool 2.0. We have that lined up to come up as soon as resources permit. In the interim year, a large amount of the effort has been to make sure agencies are aware of the availability of the tool and making sure that they are coming into compliance, because the policy was put into place. We do track every year based on compliance reporting where the agencies stand on fulfilling the information classification policy. And those agencies that are not coming into compliance with the policy and haven't completed information classification, we revisit with them. Here are the tools that are available; here are the resources available. How can we be of assistance to you in moving the process forward?
CHABROW: Is it through your office that agencies are audited?
SMITH: We don't have audit power. We do assess compliance with the overall state security policy every year based on a self-reporting process through the individual agencies. The information classification policy is part of the overall policy, so the agencies have to report on compliance and then we do a roll-up every year of gap reporting and we identify where they are not in full compliance with the security policy. And we've taken the approach of reporting that to the agency executives, identifying where their agencies are falling short and then undertaking the process of trying to assist them in becoming compliant.
CHABROW: Are there any agencies that don't want to use this tool?
SMITH: No, I don't think we've heard anyone who doesn't want to use the tool. I think we have agencies that are, like all of us, having difficulty assigning the resources necessary to start the project. As easy as we've tried to make it, it still represents a significant undertaking. Right now we have about 20 of the agencies who are actively using the tool. We're encouraging the remainder of these executive agencies to pick that up because we know how much it will assist them in protecting their sensitive information and making use of scarce resources by identifying those assets that really need to be secured and not applying those resources to information that doesn't require a high level of security.
We made the investment in creating the tool so that all of that redundant, repetitive work didn't have to be done, and the agency could focus on actually undertaking the classification of information. Having classified it, they would automatically be provided with the set of appropriate controls for the information.
Saving Time & Money
CHABROW: How does this tool save agencies money or time?
SMITH: We all know what happens when agencies have breaches, when they haven't applied the appropriate control. Really that's the message we bring to state agency commissioners. Here is the Ponemon Institute report and then the cost of each individual's record lost in a breach. In 2010 they pegged it at $214 a record. These are costs that you will incur if information is not protected appropriately. We really haven't been able to quantify cost avoidance in our specific instance, but what we're really looking at is risk management. It's going to be far less expensive for the agency to apply resources to completing information classification than it would be for them to undergo a breach and have to remediate, notify and set their systems up securely after the fact. But we are looking at explaining to them that it's a more efficient process if they do this upfront, they have the controls in place and by doing that they avoid breaches and the costs that are associated with breaches.
CHABROW: How often, when you talk to various people in the agencies, are they saying the non-IT people in there sort of understand it, but they are so pressed for funds that they sort of gamble and say, "Well I hope it doesn't happen." Is that something that you hear?
SMITH: We're still engaged in the process of making sure that the agency commissioners don't view it as the province of the IT department. We are really still engaged in the discussion of making sure that these risk management decisions relating to IT and cybersecurity are rolled up at the highest level. We make the point that everything that the agency does is supported by information technology and all the information that they use to undertake their programs and deliver services involves the Internet, involves electronic transmission and storage of information. They can't put it in the IT box. It has got to be something that they look at, the same way they look at risk management for all their business processes. I don't hear that people are accepting the risk, but we're really saying these are things that you have to look at, at the highest level. The chief information security officer and the person making these decisions about implementing the control, they really need a seat at the table at the highest level to say, "When you make this decision, this is a risk that is present. Are you willing to accept it?" We are having that discussion but we really haven't heard someone saying, "We're going to ignore the risk at our peril." We don't have people saying that.
CHABROW: When you say at the highest levels, are you talking about agency heads?
SMITH: Yes. We really encourage the agency head to meet regularly with their ISO so that they have a view into these processes and the implementation of the control, and that they have a view into where [they] need to extend more resources to protect information. We're really trying to have them engage regularly in that process, and that is something that we try to drive home to the agency commissioners every year when we present their compliance report cards at an annual briefing. Based on the agency's self-reporting we create a report card to show where they're doing well and where they need to improve. The first message is you need to be meeting with your ISO on a regular basis so that you understand this process, you understand the risk and how your agency is mitigating those risks.
Attitudes toward IT Risk
CHABROW: Have you observed a change in attitude among the top people in various agencies toward IT risk in the past year or two, compared with maybe three, four or five years ago?
SMITH: I think so. They are really much more understanding of the fact that it's not just a compartmentalized process. It really is part of their overall business and their overall assessment of risk. After we did the executive briefing this year, we had a much stronger uptake with agencies who said, "Please tell me how I can improve our compliance with the policy. Help me get the regular training. Help me move my information classification process forward." We had a much stronger reaction and I think some of that is a natural result of how prevalent reports of breaches are in the press.
There is a clear understanding among the agency commissioners that they want to address those risks before they are the ones who have the breach that's discussed in the news. There is a higher sensitivity to it. I think they are learning the message and the importance of being involved in this process.