Assemblyman Jeff Klein

The Public Eye

Update on Committee Investigations

From Assemblyman Jeff Klein
Chair, Committee on Oversight, Analysis and Investigation

KLEIN FINDS FAULTS IN STATE CYBER SECURITY
Statutorily-Required Inventory of Computers Now 10 Months Overdue


Following up on a February 2003 finding that the Governor’s Office for Technology (OFT) had not completed a statutorily-required computer inventory, Assemblyman Jeff Klein, Chair of the Assembly Committee on Oversight, Analysis and Investigation, released For The Sake of Security, a report detailing a Committee investigation on State Computer Security. The June 2003 report found:

  • At least one State server was hacked as recently as May 2003.
  • The State’s computer security is at risk. The State cannot even say where all of its computers are, or how many it has. A statutorily required report was 9 months overdue at the time of the report.
  • Sixty-nine percent of surveyed agencies were using outdated software to run their web server.
  • More than 3/4 of the surveyed State agencies could not identify an Information Security Officer – despite a state policy requiring one.
  • State law contains no provision for informing the public about hacks that might endanger personal information held by the state in their name.
  • OFT continues to post technology standards that advocate the use of software that is no longer manufactured or supported by vendors. Doing so is like endorsing the use of horse-drawn buggies on busy state highways. That’s simply a bad idea.
  • Five newly created state entities now share similar or overlapping functions with OFT – thereby raising questions about who is in charge.

The Klein Report recommended that for the sake of security:


  • The past due, statutorily-required inventory, addressing all the requirements set forth in State law, must be completed and maintained. As of July 30, OFT had still not submitted the required report to the Legislature.
  • Consumer information held by state agencies and authorities must be protected against any breach of security.
  • Victims of any breach should be notified in a timely and secure manner, and legislation to ensure this protection should be developed.
  • OFT standards should be updated to reflect current industry standards and best practices.
  • OFT should tighten the criteria for the selection of Information Security Officers, including qualifications and training.
  • Clear lines of accountability and responsibility should be established to clarify the structure and management of the State’s information technology and cyber security policies.

As recently as May of this year, somebody out there figured out how to break into and corrupt at least one agency’s web site. For the sake of security – the Governor’s experts need to do a better job. Key to that happening is completion of the required Inventory Report. The Director of the Office for Technology had advised Chairman Klein that the Inventory would be provided by June 30, 2003. After that date had come and gone, Committee staff requested the report from OFT – there was no response. Chairman Klein sent a July 30th letter, again asking for the report. Klein’s Public Eye will keep watching.


PUBLIC EYE #3 (August 2003) is the third in a series of updates from Chairman Jeff Klein detailing his work as Chair of the NYS Assembly Oversight, Analysis and Investigation Committee. Other issues will follow. The Committee is charged with reviewing implementation and adequacy of laws and programs to ensure compliance by the public and government agencies. Through its monitoring and investigative activities, it seeks to determine whether programs are operating as required and whether funds allocated for programs are spent effectively, efficiently and in accordance with legislative intent.


District Office: 728 Lydig Avenue, Bronx, NY 10462, 718.409.0109
Albany Office: Room 637, Legislative Office Building, Albany, NY 12248, 518.455.5844
Committee Office: Agency Building 4, 12th Floor, Albany, NY 12248, 518.455.3039
kleinj@assembly.state.ny.us


New York State Assembly