Subscribe to the Free Print Edition!
Celebrating 25 Years

GCN Home > 06/16/03 issue

South Carolina’s security chief worries about insider mistakes

By Richard W. Walker, GCN Staff

Sometimes it’s the little things that cause the big problems.

Jim MacDougall, director of advanced technologies and acting chief information security officer in South Carolina’s CIO office, knows this well.

Three years ago, when MacDougall and his IT team were preparing to launch South Carolina’s Web portal, at www.myscgov.com, they installed an upgrade to the firewall during testing. Several weeks later, before going live, MacDougall hired a security company to test the site for vulnerabilities.

Surprise. “They walked in like it was Main Street,” MacDougall said.

One of the system’s technicians had left the firewall wide open after an earlier test.

“We locked the system down, and [the technician] will never do that again,” he said. “But I’m not so sure the next guys won’t. That’s really a concern to me.”

At a time when cyberattacks are raining down on government computers, it’s the potential for such insider errors more than anything else that keeps MacDougall awake at night.

Sleepless in S.C.

“Misconfiguration on some of the perimeter of our security mechanism—that’s really what makes me the most nervous,” he said. “After you put the technology in place, are the people managing and certifying it actually doing the day-to-day stuff, like keeping up with patches?”

The portal, which went live in November 2000, now has more than 120,000 registered users. Using the portal, South Carolinians can pay taxes online, renew licenses, apply to state colleges and universities, buy items from state museums and conduct criminal records checks.

Many of South Carolina’s state and local government agencies also process credit card transactions through the site, using it as a gateway to banks, MacDougall said.

That means security, both physical and cyber, must be super tight.

“We’re very sensitive to the privacy of that information,” he said. “We do about everything we can to protect privacy. [Credit card data] is only live during the transaction to the bank, and then it’s protected behind our environment here at the data center.”

More news on related topics: IT Security, State & Local