Standards are the key to a successful security strategy, says Robert Pittman, chief information security officer of Los Angeles County.
These policies are deployed county-wide, overseen by security engineering teams within the county’s 34 departments.
These teams report to the department information security officers along with county-wide community emergency response teams, which act like a “neighbourhood watch”, said Pittman.
The departmental officers report to an information security steering committee, which meets monthly to review the county’s IT security status.
The steering committee has identified ten top priorities, said Pittman, which include web application protection, risk management, and compliance with all the major regulatory frameworks such as HIPAA, HITECH and PCI DSS.
Encryption is one priority, with the county implementing full disk encryption in 2007 for around 12,000 laptops.
Incident response is another priority and includes threat intelligence and relationship-building with law enforcement.
“Incident response is important because our systems are being probed all the time, with about 21 incidents a year,” said Pittman.
The top ten list includes non-technical priorities such as the county’s annual recognition awards programme that promotes competition around security between departments, and the socialisation of security initiatives by involving business units, the help desk and county psychologists.
Re-emphasising the importance of policies and standards, Pittman said: “Policies influence behaviour like traffic signs and standards influence technologies and business models.
“They also ensure consistent operational support and risk architecture across the county, and potentially reduce cost by reducing technical complexity,” he said.