With 60,000 employees, a $65 billion budget and 22 ministries, the government of Ontario has the unenviable task of providing a secure IT environment in order to, not only carry out its duties, but also provide over 300 services for its millions of citizens.
“To achieve proper security in our environment, we needed to develop a strategy,” said the Doug White, manager of operations and contingency service with the Ontario government, at a recent Toronto security conference. He said this is especially important now that many of the 300 plus government services have an electronic interface with Ontarians. These services include everything from aspects of the justice department to health information to driver’s licenses. When you have 300 services it becomes a “very complex environment to manage,” he said. “It is a case of dealing with everything that surrounds [a] system.” It is not just technology interacting with other technology but also people interacting with technology, he said.
The starting point was to create a strong central corporate security core with liaisons to the various ministries’ own IT people, since a central office would be incapable of dealing with every application running in the government. The result was “cluster security offices,” White said. Every application that is installed in the government has to be signed off by corporate security, in essence saying that they are happy with the level of security built into both the application and the architecture, White explained. Often White’s group has to say no to an application when it is deemed insecure. “That doesn’t make us that popular,” he said. So to help reduce the frequency of nos, White said there is a move to push security further back into the application development phase to harden the app from the start.
The solution “is not (exclusively) an IT security strategy,” White was quick to point out. IT is just one facet of a multi-pronged approach dealing with everything information classification and risk assessment to policy and education.
But all security initiatives, whether public or private, start with people. “We believe that there are 60,000 people in our organization that need to understand the importance of security,” White said. He said this includes every clerical worker all the way to the top at the ministerial level. White fully understands that most individuals are not going grasp the nuts and bolts of security, but he and his team want them to at least understand the importance of security and the basic concepts. To help this process the government has specific policy guidelines for everyone to follow. “A security policy is your first line of [defense],” he said.
“There is no point to ask your 60,000 employees to act in a specific way if you don’t…have a policy in place.” The government’s starts with simple rules like never giving someone a password over the phone to an education program that goes from top to bottom. An important part of the education process is to get senior managers on board so they “do the right thing(s)” when it comes to security, White said.
In order for employees to understand the sensitivity of the information they may be dealing with on a daily basis, the government is introducing a comprehensive information classification system. There will be three levels of classified information (low, medium and high) and one level for unclassified documents. An example of a high level classified document could be something pertaining to a witness in a protection program, White explained.
Like all Internet exposed systems, the Ontario government’s network, one of the largest in Canada, has to deal with the mundane (almost daily viruses) to the serious (hack attempts). But unlike the corporate world where a down system tends to affect only the bottom line, “for us it can mean life and death…if police systems are down, or ambulance systems are down,” White said.
If all of the services could be run independently it would make security much easier, but Ontarians “don’t care which level of government supplies the service,” White said. Because of this there is a need to have a certain level of interconnectivity not only between ministries but also with the federal government and the hundreds of municipalities in the province.
This is the third year of the comprehensive security strategy. The first years dealt with everything from risk assessment and security education, to the identification of mission critical applications and the start of information classification system. Subsequently, the government will deal with mobile computing – “it is not something that we have embraces cheerfully, but we have embraced it,” – and overall increases in threats to its systems. There will also be improved efforts around business continuity and resilience. White said there will be a three fold spending increase for continuity and disaster recovery planning from previous years.
