California Deputy Chief Information Officer Chris Cruz said the state is aggressively pursuing measures to protect its sensitive data with a new cybersecurity operations center and a comprehensive security strategy.
Meeting with state technology leaders at the National Association of State Chief Information Officers’ midyear conference on Tuesday, Cruz said California is increasing and improving its security footprint through collaboration with initiatives led by the National Governor’s Association — a group that is developing a set of national protocols for basic security — and through dialogue with federal agencies like the Department of Homeland Security.
In September last year, California’s legislature unanimously passed a bill that would require the state to create the comprehensive statewide cybersecurity defense plan for critical infrastructure, a standard that is due by July 1.
In an interview with StateScoop, Cruz shared how the state is now developing that cybersecurity plan.
StateScoop: How does California feel about the NGA’s 10 basic protocols for cybersecurity and how is California seeking to collaborate with other states on security standards?
California Deputy Chief Information Officer Chris Cruz: I think California is really open to adopting federal and other state standards and leveraging those. You know we brought Peter Liebert in to be our chief information security officer. Peter came from Washington D.C. so he’s well-versed in those practices and procedures. We’re also opening up and collaborating with other states and sharing industry lessons learned and best practices. We have a cybersecurity program in California that I believe is leading-edge that we’ve integrated into with the Department of Defense, our California Highway Patrol and Office of Emergency Services — not only for I.T. infrastructure, but really federal and state infrastructure to ensure that we’re preserving the state’s most important critical assets. We’re definitely willing to work in partnership with other states. We see a high value in states collaborating and having sustained repeatable processes. And we think this is very important to not only cybersecurity but other security within our nation.
It’s often hard to ensure everyone is on the same page with security tactics and policy measures. Is California working on any new cybersecurity training to educate staff about the latest threats?
Yeah, actually it’s a great time for this, California is working on revamping our security methodology and framework which includes state staff training, which includes ISO training, which includes following a fundamental methodology of how incidents and risks and breaches are reported within our process. And so we put together a pretty elaborate methodology and framework based on Gartner Research’s best practices of how we should be doing information security. So I think we’re getting to a level of maturity within our program to define some clear roles and responsibilities and how that is getting directed to the Department of Technology. We have statutory responsibility for information security under our ISO, and so and so by revising those policies and procedures we’ll be able to develop a more streamlined approach that’s more understandable and clearly defined for our customers and those that fall under our jurisdiction.
California is investing in a new cybersecurity operations center that will launch sometime this summer. How is this work is going?
Sure. We’re setting up a Security Operations Center (SOC) at the California Department of Technology. We’re going to integrate within our statewide data center and the SOC will come in a phased approach. We are going to protect our security endpoints here and protect all mission critical data that comes in and out of the state’s firewall through the statewide data center and then look at endpoint encryption, intrusion detection and putting intrusion prevention services on throughout other networks that come in and integrate with our statewide network. We think this is the right approach to take in California and that way we’ll ensure that we’re securing the state’s most mission critical systems that will have encryption both in transit and encryption at rest across our statewide California network. So we’re hoping to leverage other partnerships in California, like academia, including the California State University systems, systems in K-12 education and any peer to peer relationships so we can also protect those endpoints as well.
Looking at emerging technologies, and especially the Internet of Things, what do you think the state’s role should be in directing cybersecurity policy for cities and counties?
Obviously California is a very complex and unique state with 58 counties and a lot of times a provision of services happen at the county level. So I would think that we should provide guidance and procedures on the Internet of Things in terms of how to secure that and then it’s up to those respective counties to take that guidance into consideration to ensure the necessary safeguards are in place before we move forward with a lot of Internet of Things capabilities. It’s really all is about risk prevention and it’s really all about the levels of maturity within our respective counties and cities on whether or not those things will be moving forward. But, all in all, what we’re trying to get to is a common security standard and footprint within the state.