Developing an Information Security Program (ISP) for the Town of Nantucket

Sponsor: Town of Nantucket Information Technology Department
Sponsor Liaison: Linda Rhodes, IT Administrator
Student Team: Christopher Thomas Carrigan, Joshua Luke Janssen, and David Connor McGinnis
Abstract: This Interactive Qualifying Project report to the Information Technology Department of the Town of Nantucket discusses the importance of developing an Information Security Program (ISP) for town departments. The report details the history of information security risks, actions that were taken in response, and a thorough analysis of information security procedures. Our group utilized electronic surveys and interviews to gather feedback regarding the opinions of town employees on the security of information within the town departments and what specifics must be included within the ISP. The final product for this project provides a framework for a comprehensive security policy, and our findings create a detailed guide that will aid with the finalization and implementation of the ISP.
Link: Final_Report_ISP_Nantucket

Executive Summary

This project was sponsored by the Information Technology Department of the Town of Nantucket, and its purpose was to improve the security of personally identifiable information that is used, stored, and disposed of by various town departments. Nantucket is a small island with roughly ten thousand year-round residents. Even though Nantucket is smaller than many other towns in Massachusetts, it has numerous municipal departments and offices in various locations. The IT department services and maintains the network for over twenty of these departments. With no formal policies in place, the IT department recognizes the necessity for information security and, more specifically, the creation and implementation of an Information Security Program, a written management system designed to safeguard sensitive information such as personal information.

The goal of this project was to assist the IT department of the Town of Nantucket in the development of a comprehensive ISP. The project team accomplished its goal by completing three objectives. Through surveys and interviews, we identified and compared the current state of information security within the Nantucket town offices to the best practices utilized elsewhere. This allowed us to define what is meant by Personally Identifiable Information (PII) in the Nantucket context and map out the flow of information, from creation to deletion, among Nantucket's different departments. Lastly, we developed draft information security policies and procedures that the Town of Nantucket may implement in the future.

Background

Every year, corporations and large government agencies research and develop ways to improve their Information Security Programs (ISP). Even with safeguards in place, there are numerous breaches ranging from virus attacks to financial fraud to human error. Given the changing nature of the threats, information security policies and procedures must be constantly monitored and revised to remain effective.

On the federal level, agencies such as the National Institute of Standards and Technology (NIST) issue regulations and standards, such as the Federal Information Processing Standards (FIPS) that are mandatory for all federal government agencies.

Legislation is also passed on the state level, such as 201 CMR 17.00, issued by the Massachusetts Office of Consumer Affairs and Business Regulation. This particular piece of legislation requires all entities that possess and handle personal information to create an Information Security Program, although this does not yet apply to municipal governments in the state.

ISPs vary widely depending on the size, scope, and purpose of the organization, and there is no standard form. Generally, however, an ISP consists of multiple components. Following an initial risk management exercise to identify the potential risks and sensitive information, various policies are developed that address all forms of security issues, from proper disposal methods to the security of physical assets.

Methodology

The project team accomplished its goal by completing three objectives. We identified and compared the current state of information security within the Nantucket town offices to the best practices used by other towns and universities. First, background research was conducted on the best and most current security policies used by towns, corporations, and schools. Based on feedback from the surveys and interviews with town officials, our group formed conclusions about the state of Nantucket's level of security and developed an operational definition of personally identifiable information (PII) to directly apply to the Town of Nantucket. Finally, in conjunction with the IT Department, our group drafted the individual policies that make up an ISP. These drafted policies will serve as a foundation for the IT Department to produce finalized policies that it can implement among the town offices.

Findings

Our group received thirty of the thirty-six surveys distributed to key personnel in each department. From these surveys and seven follow-up interviews, our group assessed each town department's level of information security and identified improvements that could be made. Based on the completed surveys our group received, eighty-nine percent of the departments handle PII.

Of the departments that handle PII, only three of them track employee access to PII. In these cases, each access is logged with the employee's username, the timestamp of access, and any edits made. Other feedback from the surveys revealed that approximately sixty-three percent of the departments have virus protection systems in place and roughly seventy percent have web access restrictions. Firewalls were utilized by fifty-six percent of the departments, most of these being departments that handle the largest volume of PII. These departments are: Town Administration, Council on Aging, Department of Public Works (DPW), Finance Department, IT Department, Health Department, Our Island Home (OIH), Park & Recreation, and Wannacomet Water Company.

In terms of the physical security of PII, fifty-five percent of the departments surveyed dispose of hard copy files within their offices, all by shredding and then discarding. The same percentage have town-issued laptops that are for specific use within the department; however, none of these departments store PII on any of these laptops. This is fortunate because laptops are mobile devices and are at high risk of theft. Only one of the departments stores PII on external devices, which are used exclusively within the office and only for transferring data from one computer to another. Fifty-six percent of the departments store hard copies in locked filing cabinets, and several store filing cabinets within vaults. Finally, only two of the departments, the Council on Aging and OIH, conduct peer incident reporting and have established security policies. Of all the departments that were surveyed and interviewed, OIH had the best security practices in place.

Conclusions and Recommendations

Based on the survey results and feedback from our interviews, we conclude that the required frequency of changing the password used for user login to the server was too high. Employees had to change their passwords every thirty days, and most agreed that every ninety days was much more reasonable. It is our recommendation that the interval between password changes be no less than ninety days.

The surveys and interviews revealed that several department servers were located in common areas easily accessible to employees and/or to the public. Although the server cabinets had locked doors, it is still a security risk not to keep the servers in a locked room. It is our recommendation to move the servers in question into locked rooms to which only administrators and approved employees have access.

Based on the survey results and feedback from our interviews, specifically with Finance, Historical District Commission (HDC) and OIH, we conclude that there is a lack of information security training for current and new employees within town departments. We recommend that the Town develop a common training program to be administered to current and new employees.

Many respondents in several departments complained that the web access was too restrictive and hampered productivity. A new program for web access, Surf Control, is currently being tested by the IT Department. We recommend that this or similar software be used to give each town department customized web access.

We recommend that the IT Department develop an application that would allow town departments to submit helpdesk and equipment requests to the IT Department online. This application would help organize and prioritize requests and increase efficiencies by streamlining the process for all parties.

Finally, based on the risk assessment that we conducted through interviews and surveys, as well as the lessons learned from best practices elsewhere, we have drafted a comprehensive ISP that is tailored to the nature of the security risks and the needs of the different town departments (see Appendix C). Appendix C contains the numerous information security policies that our group drafted in cooperation with the IT Department. These drafted policies will be the foundation for the future Master ISP that the IT Department will implement in the next year. We recommend that the IT Department refine these policies and begin implementing them as soon as possible in order to protect the security of Personally Identifiable Information in the various town departments. Our hope, upon completing this project and these policies, is that the Town of Nantucket's ISP will serve as an example for other towns.