CCAP implementing security improvements
By Ken McKelvey, CCAP Deputy Chief Information Officer
Scenario 1: It seems like a routine Monday morning. A clerk of circuit court comes to work and sits down at her desk. She logs in to her computer and starts up the Consolidated Court Automation Programs (CCAP) applications - just like she has for the past 15 years. Only this time, when she searches for a set of cases, she receives the following message "no cases found." "Hmmm…," she says. "I wonder what's up?" After doing further searches, she finds that no cases can be found anywhere on her CCAP system. After calling CCAP, it is determined that someone had gained unauthorized access to their network and erased all of their historical case data. She is exasperated… "How could CCAP have let this happen?
Scenario 2: It's a cold Sunday morning, and a circuit court judge is sitting down to enjoy his hot coffee and read the Sunday paper. At the top of the local section, he reads the headline in large, bold print: "Confidential Circuit Court Records Exposed on the Internet." He later discovers a disgruntled ex-employee had made an electronic copy of these records and placed them on a public Web site. He is dumbfounded... "How could CCAP have let this happen?"
 |
CCAP SAG Members (from left to right) Mary Feldman, Jeff Standiford, John Hutchins, Ken McKelvey, Kevin Baeten, Kevin Grittner, Pete Klukowski, and Bill Severson. Not shown: Peter Brant. |
Fortunately, nothing like the above has happened in the Wisconsin court system. CCAP security policies, desktop standards, and network controls have so far been sufficient to protect against malevolent and/or unauthorized access to critical court system data. But, as mutual fund managers are fond of saying, "past performance does not guarantee future results."
The fact is, absent a dedicated attempt, we can never be sure we are doing enough. The best CCAP can do is to make sure we don't lose sight of our very important responsibility to protect the integrity of the court system networks and data.
To that end, CCAP created an internal working group called the Security Advisory Group (SAG). The CCAP SAG consisted of experts from a cross-section of internal CCAP disciplines. The group objective was to "identify potential internal and external security exposures to court system data, and make recommendations that will reduce or eliminate these exposures."
The group met weekly during summer 2008, and ultimately came up with a list of 55 recommendations. These prioritized recommendations were forwarded to CCAP Chief Information Officer Jean Bousquet, who approved the majority of them, clearing the way for implementation over the next several months.
Work has already begun on the "top 20" recommendations. The majority of these recommendations will have an impact only on CCAP staff, but some will be noticeable to CCAP users. They include the following:
Improving transaction tracking
Some CCAP computers are placed in common areas, such as a window or counter workstation, where multiple people use the computer throughout the day. The computers are set up so that multiple people can quickly perform transactions without having to log in with their specific user account. As a result, some transactions completed on these computers cannot be traced back to a specific user. CCAP will make modifications to the applications to ensure all transactions can be traced back to a specific user.
Authenticating new users
Currently, CCAP cannot be 100 percent positive that the person calling the CCAP Call Center is actually who they say they are. In most cases, it doesn't matter. However, when calls are received requesting that CCAP set up a new user account, a more robust verification procedure is warranted. CCAP will define and implement a procedure that provides this additional verification for these types of calls.
Implementing OS patches
In order to protect against computer viruses and close potential OS-level security holes, it is very important to keep up-to-date on Windows OS patch levels. CCAP will implement procedures that ensure Windows patches are applied at frequent intervals. This may impact users by requiring them to reboot their computers after patches are applied.
Implement hard drive encryption
Documents and other data stored on laptops represent an unsecured source of potentially sensitive or confidential court information. Encrypting the hard drives on laptops will render them useless to anyone but the authorized user.
Securing router connections
Many CCAP networks are connected to the local county network so clerks of circuit court, registers in probate and other county employees can access applications hosted by the county. CCAP has no control over these county networks, and therefore these connections represent a potential risk to the CCAP network. CCAP will configure and install firewalls that provide protection to the court system network. Applications that currently pass through these connections may have to be reconfigured to work correctly with these newly configured firewalls.
We can't think that by implementing these recommendations, we are 100 percent protected. But we do believe they represent a significant step in our ongoing, proactive efforts to secure our networks before a dedicated attempt to gain access occurs. If you are affected by these changes as a CCAP user, we ask your patience and understanding. We hope you take comfort in knowing CCAP takes its network security responsibilities seriously. It is our goal to never have to answer the question… "How did CCAP let this happen?"
Back to top
Back to The Third Branch current issue
|
