Florida courts work to strengthen IT security
Officials use Citadel Security to audit systems across judiciary
Florida court officials are moving toward a more viable information security program by providing new minimum standards and implementing automated technology to help improve network management.
State officials are reviewing a draft Judicial Branch Information Security Program that would enact comprehensive policies to help improve and maintain the court system's information security. Officials said the policies are necessary because Florida's system consists of several tiers of autonomous courts.
The system includes Florida's Supreme Court, five district appeals courts, 20 circuit courts and at least 67 trial or county courts.
"Now as far as security that is deployed throughout the state court system, each one of these courts is basically an entity unto itself," said Alan Neubauer, operations manager and chief information security officer at the Office of the State Courts Administrator (OSCA).
Neubauer said he's not aware of any breaches or incidents that prompted the program's development. But with the spread of worms and viruses and increasing public awareness of vulnerabilities, the judicial branch has become more focused on the issue, he said.
For example, each county government dictates policies for maintaining the security of its local court system. So each county court could administer cybersecurity differently.
Although OSCA officials provide technical support, they do not offer mandates, Neubauer said. They research technology and determine the best solution to resolve a problem and then make recommendations. By providing uniform minimum information security standards, the office helps all entities that manage or maintain court records protect against breaches.
"We're not trying to micromanage the local court system, but at a minimum, they must meet certain conditions thereby the standards that have been created when they deploy certain technologies," said Mike Love, OSCA's chief information officer.
Neubauer said the circuit courts' 20 technology officers support the draft security program. He said he hopes officials will approve the program by the end of the year.
Although those draft guidelines are still under evaluation, court officials saw a need to audit their internal systems to ensure that they comply with the proposed information security requirements.
To meet their goal, OSCA officials are implementing Hercules, Citadel Security Software's automated vulnerability remediation product. Neubauer said the software will help the office determine which servers are appropriately configured and patched. "It's going to support all of the servers that are providing any kind of service in the circuit and trial court community and that includes some district courts of appeal service," he said.
Kerri McEwen, OSCA's senior network support analyst, said that before the office implemented Hercules, it couldn't centrally manage vulnerability assessments and fixes. "We tackled each server individually and then provided the essential management of these services or servers," she said. "We would physically touch that server or [get remote access] into that server to check its status." Now the office can schedule patches through Hercules' dashboard, she said.
State officials said employees would save substantial time, effort and money by using the software. Neubauer said that of the nine people in the operations section, only two are devoted to supporting the court system's servers.
The software provides the status of a server's configuration and records it in a database, he said. When it scans the server again, Hercules compares the configuration with the baseline configuration or most recent update. If it finds a discrepancy, it will facilitate the delivery of necessary patches.
Tom Bossie, Citadel's director of state and local government sales, said the heart of the product is its ability to automate remediation when it detects vulnerabilities.
"We have a remediation library that has 24,000-plus fixes in it that spans operating systems," Bossie said. "And we don't really look at just patches of software malicious software but look at unassigned accounts, unmanaged services. A lot of times people will load something on the local machine that really shouldn't be there, but it looks at four classes of vulnerability that really go beyond patch management."
All organizations want their servers to be as secure as possible, but in applying patches, they also need to ensure that the patches do not disable or break services, Neubauer said. For example, a patch could disable a biometric authentication process that users need to log in to their systems. An agency could use the patch, rendering the service useless, or conduct a risk assessment and not apply it.
"It's not something you like to be in a position of, but sometimes you can't always run out and apply a patch the day it's released," he said.