Centralizing information security for North Carolina
Sep 1, 2001 12:00 PM, By PAUL ROTHMAN
Think being an information security administrator is easy?
Ann Garrett, chief security officer at the North Carolina Office of Information Technology in Raleigh, would probably say “think again.”
Garrett, who began making security changes at the North Carolina Department of Commerce in 1998, has, by 2001, revolutionized the state government's information security procedures.
“[Security] has really grown into what it needs to be — a centralized function,” says Garrett. “We had a need for centralized security, and the pieces have come together as a whole. We're now with the national trend [toward greater computer security] — we have arrived, and it makes me proud.”
MANAGING SECURITY FOR AN ENORMOUS NETWORK
From the beginning, Garrett has been responsible for security administration at the state's data center, which houses a total of 70,000 mainframe accounts. The North Carolina Integrated Information Network (NCIIN) is an Internet service provider for state agencies and local government units. There are more than 2,100 wide-area network connections with more than 100,000 addressable devices throughout the state.
Garrett's top goal is to ensure the network is constantly up and running — no matter the circumstances. Going hand-in-hand with that duty is Garrett's position as the state's disaster recovery manager. Whether facing a hurricane or an e-mail virus, she must support network operations.
Garrett graduated from the University of Connecticut in Storrs, Conn., with honors, earned her master's in business administration at Raleigh's Meredith College and earned a certificate of computer programming at North Carolina State University in Raleigh.
With 17 years of governmental business systems experience in design, development, conversion, testing, security, training, documentation and ongoing support, she has taken steps toward greater information security for the state of North Carolina in just two years.
Garrett helped to create a 10-person staff. She helped institute new security policies and procedures, which continue to be amended and updated. She also developed a documented incident response procedure and a comprehensive security awareness program.
Michael B. Singletary, the state's network security administrator, says Garrett “has taken security to a new level within the state's data center.”
Indeed, Garrett has built something functional and special — where little in the way of security procedures existed before she arrived.
“We operate one of the biggest mainframes there is. In addition, the state network includes 573 entities, including state agencies, public schools and local governments,” Garrett says. “I think the greatest challenge was actually getting my arms around everything.”
CONSTRUCTING A PROCESS
Garrett's first goal was to put everyone — including other state agencies — on the “same page.” She constructed a memorandum of understanding based on a legislative mandate enacting a procedure to manage major incidents in conjunction with the state attorney general's office. From there, she says, incorporating other aspects was easy.
“We put the management process in place, and after working on it for two years, now we work like parts in a whole. Now, expanding it is easy because we have the infrastructure in place.”
Garrett also ensures security measures at the facility where the mainframe is located meet her security requirements.
DISASTER RECOVERY FROM A NEW PERSPECTIVE
Once Garrett had the infrastructure protection procedure in place, her attention turned to disaster recovery — an integrated part of infrastructure protection.
Hurricane Bonnie, which hit North Carolina just weeks after Garrett took her position, was her initiation into disaster recovery management for the state's computer network. Now, after hurricanes Dennis (Aug. '99) and Floyd (Sept. '99), not to mention several disaster recovery tests, Garrett has her response down to a science.
“We're responsible for recovering our mainframe,” she explains. “During Floyd, we operated for three months on our own power. We have contracts with the major vendors to build redundancy into our network. Our plan to recover the technology infrastructure of the state is just a piece of the overall state disaster recovery plan.
“Now that I've been through Bonnie and Floyd, I think I'm very experienced,” she continues. “If the worst goes wrong, you must have a backup. Even with the simplest computer virus, you need some experienced disaster recovery.”
BALANCING SECURITY AND POLITICS
Working with the Information Protection and Privacy Committee currently chaired by Lieutenant Governor Beverly Perdue, Garrett has instituted more than eight new policies — five of them coming within the first year of her tenure.
After dealing with the response to Hurricane Bonnie, Garrett instituted a business recovery policy, an information security policy, a network usage policy, a security breach notification policy and a site security policy — all within her first year.
And instigating policy is just one aspect of Garrett's position. She also must balance the political aspect of handling security in a government environment. That means dealing with literally hundreds of people and entities — agency staff, legislators and other government officials — and the burden of satisfying them all.
Says Singletary: “Being the chief security officer for a governmental entity, one has to deal with the political realities that exist, and that is where Ann is at her best. She has the skill to push when necessary and hold back when it's appropriate. Security is often a hard sell, but Ann's ability to push forward with key security initiatives is quite remarkable.”
“Politics are everywhere, but I'm not sure that's a problem,” Garrett says. “The biggest challenge is not the government entity so much as it is the diversity. We have to handle IRS documents, human resources, criminal justice needs, schools and privacy issues. I have to know the security requirements for just about every possible situation, and my learning about them never stops.”
Garrett's work also never seems to stop. She may have started as the lone protector of the state's huge data mainframe and computer network, but now she manages a staff, makes security presentations to foreign governments, develops guidelines and concentrates on improving existing security measures.
And working for the government doesn't make Garrett immune to money issues. She must deal with tight budgets, just as most security administrators do.
Perimeter security can call to mind fences and gates. But when Garrett speaks of perimeter security, she means firewalls and other security devices deployed on the computer network. She would like to make even more improvements to the network's perimeter security, but those changes have to fit into a budget.
“We're really looking at our perimeter security program,” she says. “We are looking at our best practices, evaluating them, and looking at how we can continue to enhance perimeter security. Given our budget shortfall, we're going to have to work really smart.”
But Garrett isn't worried, thanks to a background that includes positions as a systems accountant at both the North Carolina Office of the State Controller and North Carolina State University.
“I came from the accounting system, and I had a real concentration in economics and finance,” Garrett says. “I know where the money is and where it's not.”
Thanks to what Singletary calls “[Garrett's] never-ending desire to build the security function into what it should be,” the North Carolina Office of Information Technology Services has entrenched itself as a leader in 21
And Garrett only sees positive growth in the future.
“I see myself in a growing program in a growth industry,” she says.
Undoubtedly due to her tireless efforts, users of computers connected to the North Carolina Integrated Information Network can consider themselves protected.
© 2008 Penton Media Inc.







