
September 12, 2018

Secretary Michael Leahy
100 Community Place
Crownsville, MD 21032

Dear Secretary Leahy:

I am writing regarding the state’s Information Security Policy (“Policy”). One of my
constituents recently alerted me to the fact that the Policy on the Department of Information
Technology’s (“DoIT’s”) website is dated February 2013, over five years ago. I was surprised
that in a field as rapidly changing as information security, the Policy was not updated more
frequently. I would like to understand how the Policy is developed and whether or not DoIT is,
in fact, primarily responsible. Moreover, I would like to understand how the Policy is distributed
to other units of state government and whether or not they also develop their own, independent
policies.
A review of the current state policy with some best practices my office researched found
a few immediately noticeable areas where the Policy appears to be lacking, perhaps because of
age:
1. Security Awareness
Keeping users informed of ongoing security threats is important in maintaining a
secure network.
• Recommended: A monthly security awareness newsletter sent to all employees,
covering the latest threats, including ransomware attacks and social engineering.1
• Current Policy: Only specifies that agencies must ensure that all information
system users and managers are “knowledgeable of security awareness material
before authorizing access to systems.” No detailed memos regarding new
threats or recommendation of best use practices are distributed by the state.
1
George Grachis, Critical IT Policies You Should Have in Place, CSO Online (May 26, 2016),
https://www.csoonline.com/article/3074825/leadership-management/critical-it-policies-you-
should-have-in-place.html.

2. Use of Personal Technology for Work (BYOD): Bring your own device (BYOD)
refers to the use of personal devices such as smart phones, laptops and iPads to access
information protected by the state IT systems.
• Recommended: When accessing state systems through personal devices, users
should have certain operating systems installed for maximum security. For
mobile devices: Android 6.0 or later, iOS 9.x or higher.2
• Users are advised not to use “jailbroken” phones or have any software/firmware
installed designed to gain access to prohibited applications.
• Users must not load pirated software or illegal content onto their devices.
• Applications must only be installed from approved sources such as Google Play or
the Apple app store. Users should contact IT before downloading an app from any
other source.
• Users should only use devices with up-to-date and enabled anti-malware
protection that comply with the state policy.
• Current Policy: No specific policy regarding best use practices when
accessing state emails and other systems from personal devices.
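The BYOD minimums listed above (OS version floors, no jailbroken devices, approved app sources only, anti-malware enabled) are the kind of rule an agency can check mechanically against its device inventory. The following is an added example, not text or code from the letter or from DoIT; the inventory records, field names and sample serial numbers are constructed assumptions. It treats a version written as "9.x" as "9.0" and reports every finding per device rather than stopping at the first.

```python
"""BYOD device compliance check (added example, not part of the letter).

Evaluates a constructed inventory of personal devices against the minimums
listed in the letter: Android 6.0 or later, iOS 9.x or higher, no
jailbroken/rooted devices, apps only from approved stores, and anti-malware
enabled. The record layout and sample devices are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Minimum OS versions named in the letter.
MIN_OS_VERSION = {"android": (6, 0), "ios": (9, 0)}
# Approved app sources named in the letter.
APPROVED_SOURCES = {"Google Play", "Apple App Store"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.3.5' into (9, 3, 5); a trailing 'x' (as in '9.x') counts as 0."""
    parts = []
    for piece in text.strip().split("."):
        if piece.lower() == "x":
            piece = "0"
        if not piece.isdigit():
            raise ValueError(f"bad version component in {text!r}")
        parts.append(int(piece))
    return tuple(parts)


@dataclass
class Device:
    serial: str
    os_name: str
    os_version: str
    jailbroken: bool
    antimalware_enabled: bool
    app_sources: List[str] = field(default_factory=list)


def check_device(dev: Device) -> List[str]:
    """Return the policy findings for one device (an empty list means compliant)."""
    findings: List[str] = []
    minimum = MIN_OS_VERSION.get(dev.os_name.lower())
    if minimum is None:
        findings.append(f"unsupported OS {dev.os_name}")
    else:
        # Compare component-wise, padding with zeros so 6.0 and 6 compare equal.
        ver = parse_version(dev.os_version)
        width = max(len(ver), len(minimum))
        if ver + (0,) * (width - len(ver)) < minimum + (0,) * (width - len(minimum)):
            floor = ".".join(map(str, minimum))
            findings.append(f"{dev.os_name} {dev.os_version} below minimum {floor}")
    if dev.jailbroken:
        findings.append("device is jailbroken/rooted")
    if not dev.antimalware_enabled:
        findings.append("anti-malware not enabled")
    for src in dev.app_sources:
        if src not in APPROVED_SOURCES:
            findings.append(f"app installed from unapproved source: {src}")
    return findings


def audit(devices: List[Device]) -> Dict[str, List[str]]:
    """Map serial number -> findings for every non-compliant device."""
    return {d.serial: f for d in devices if (f := check_device(d))}


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    Device("SN-0001", "Android", "8.1", False, True, ["Google Play"]),
    Device("SN-0002", "Android", "5.1.1", False, True, ["Google Play"]),
    Device("SN-0003", "iOS", "9.3.5", False, True, ["Apple App Store"]),
    Device("SN-0004", "iOS", "11.4", True, False, ["Apple App Store", "sideload"]),
]

if __name__ == "__main__":
    for serial, findings in audit(SAMPLE_DEVICES).items():
        print(serial, "->", "; ".join(findings))
```

Run against the sample inventory, SN-0002 is flagged for an outdated OS and SN-0004 for being jailbroken, lacking anti-malware and carrying a sideloaded app, while SN-0001 and SN-0003 pass.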
3. Vendor Access: Coordination with the vendors who provide the state system with
software and hardware management is critical to maintain a secure system.
• Recommended: Policy should set limits and controls on what can be seen,
copied, modified and controlled by vendors.3
• An agreement with the vendor must be reached regarding:
a. The company information the vendor should have access to.
b. How the company information is to be protected by the vendor.
c. Acceptable methods for the return, destruction or disposal of
company information in the vendor’s possession at the end of the contract
d. The vendor must only use company information and information systems for
the purpose of the business agreement.
• Policy: No specific details regarding what information vendors have access to and
for what purpose.
4. Device Destruction Policy: Disposing of outdated devices is common, but must be
done in a safe and secure way to ensure that all sensitive system information is
protected.
• Recommended Policy: Create a log of the serial numbers for all devices that
need to be destroyed.4
• Request lockboxes with RFID tags to be issued for a complete audit trail.
• Only use accredited secure electronic hardware disposal companies.
• Disposal company should contact you when the product arrives and confirm
• Policy: There are currently instructions for disposal of technology, including
using accredited disposal companies. However, there are no specific
recommendations for following up with disposal companies once the technology
has been handed over to ensure that the device was disposed of properly.

2
George Grachis, 5 More Critical IT Policies You Should Have in Place, CSO Online (Aug. 08,
2016), https://www.csoonline.com/article/3101861/leadership-management/5-more-critical-it-
policies-you-should-have-in-place.html?page=2.
3
Id.
4
Id.
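The follow-up gap described in item 4 (devices handed over but never confirmed destroyed) is what a serial-number log is for: the handover log can be reconciled against the disposal company's confirmations so that every unacknowledged or uncertified device is surfaced. The following is an added example, not code or text from the letter or from DoIT; both CSV logs, the vendor name and the certificate identifiers are constructed assumptions.

```python
"""Device-disposal chain-of-custody reconciliation (added example, not from the letter).

Cross-checks the serial-number log kept when devices are handed over for
destruction against the confirmations received back from the disposal
company. Devices never acknowledged, devices received but not certified
destroyed, and serials the vendor reports that were never handed over are
each listed separately. Both logs are constructed samples; the layout is
an assumption.
"""
import csv
import io
from typing import Dict, List

# Constructed handover log: one row per device sent for destruction.
HANDOVER_LOG = """serial,model,handed_over,vendor
SN-1001,Laptop-A,2018-08-01,AccreditedDisposalCo
SN-1002,Laptop-A,2018-08-01,AccreditedDisposalCo
SN-1003,Phone-B,2018-08-15,AccreditedDisposalCo
SN-1004,Phone-B,2018-08-15,AccreditedDisposalCo
"""

# Constructed confirmations returned by the disposal company.
VENDOR_CONFIRMATIONS = """serial,received,destroyed,certificate
SN-1001,2018-08-03,2018-08-10,CERT-0001
SN-1002,2018-08-03,,
SN-1004,2018-08-17,2018-08-20,CERT-0002
SN-9999,2018-08-17,2018-08-20,CERT-0003
"""


def load_csv(text: str) -> List[Dict[str, str]]:
    """Parse CSV text into a list of row dictionaries keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(handover_csv: str, confirmation_csv: str) -> Dict[str, List[str]]:
    """Group serial numbers by status: destroyed, received_only, missing, unexpected."""
    handed = {row["serial"]: row for row in load_csv(handover_csv)}
    confirmed = {row["serial"]: row for row in load_csv(confirmation_csv)}
    report: Dict[str, List[str]] = {
        "destroyed": [], "received_only": [], "missing": [], "unexpected": []
    }
    for serial in sorted(handed):
        conf = confirmed.get(serial)
        if conf is None:
            report["missing"].append(serial)        # never acknowledged by the vendor
        elif conf["destroyed"] and conf["certificate"]:
            report["destroyed"].append(serial)      # full audit trail present
        else:
            report["received_only"].append(serial)  # arrived, not certified destroyed
    # Serials the vendor reports that were never in our log: a mix-up to investigate.
    report["unexpected"] = sorted(set(confirmed) - set(handed))
    return report


if __name__ == "__main__":
    for status, serials in reconcile(HANDOVER_LOG, VENDOR_CONFIRMATIONS).items():
        print(f"{status:14s} {', '.join(serials) or '-'}")
```

On the sample logs, SN-1001 and SN-1004 have certificates, SN-1002 was received but never certified, SN-1003 was never acknowledged, and SN-9999 appears in the vendor's records without a matching handover entry; the last three are the cases the letter says the current policy gives no guidance on following up.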
A review of Title 3A of the State Finance and Procurement Article reveals that
information security is not among the core responsibilities of DoIT. Indeed, DoIT’s role in this
area relies on the general authority of the Department found in Sections 3A-303 and 3A-305,
neither of which explicitly references information security. Therefore, I applaud DoIT for the
work it has undertaken on security issues. But I would also like your opinion as to whether
further legislative direction on information security issues in DoIT would be helpful.
I look forward to further discussions on these issues. Thank you for your attention to
these matters.
Sincerely,

Marc Korman
