Local-government dependence on information technology: Group discussion report



Comput. Environ. Urban Systems Vol. 8, No. 1, pp. 33-38, 1983. Printed in Great Britain

0198-9715/83/010033-06$03.00/0 Pergamon Press Ltd

DOROTHY L. BOMBERGER

2033 M Street NW, Suite 300, Washington, DC 20036, USA.

BACKGROUND

DATA-PROCESSING (DP) experts participating in the Mont St. Marie Workshop identified “dependence and vulnerability” as one of the fundamental issues requiring serious consideration in any strategy to apply new information technology in local government. While no consensus was reached on a single approach required to minimize or eliminate vulnerability, a number of alternate and somewhat divergent strategies were developed. Participants all agreed, however, that the economic, political, social and legal environments would be major determinants of the overall effectiveness of any strategy contemplated.

When addressing the impact of information technology on local government, DP professionals have traditionally concentrated on the more positive aspects of the technology because of the need to convince users of the advantages of computerization. As a result, vulnerability was often ignored as an issue. Now that the users are becoming more sophisticated about the uses of computer-based information systems, the question of resulting vulnerability of the organization is receiving greater attention.

While the issue of vulnerability of the organization as a whole is the more critical issue, the data center is a focus of concern because it is a centralized repository of information for and about citizens, it supports the vital functions of government and it supports the orderly distribution of public services. The consequences of the disruption of these vital functions would have a significant impact on the organization as a whole.

With these consequences in mind, participants gave considerable thought to this workshop topic. The following summary will:

• Define and substantiate the concept of vulnerability and consider why it has become a critical issue in the local-government DP environment.
• Describe the elements of vulnerability and identify the primary sources.
• Discuss the changing role of MIS in relation to vulnerability.
• Review the changing role of the auditor in the dynamic MIS environment.
• Consider the user response to MIS.
• Sum up the working group discussion.

Regardless of the responses developed, it was generally agreed that the elements of vulnerability were dynamic and should be monitored continuously.

WHAT IS VULNERABILITY?

While no consensus was reached on a definition of vulnerability, there was general agreement that vulnerability is the economic, political, social and legal risk to the organization resulting from the collection, maintenance, update, dissemination and use of data from the corporate information system. How the organization responds to vulnerability also depends on the structure and maturity of the organization.

During the past decade what was once called DP has evolved into information processing. Ten years ago DP involved primarily the programming and use of large mainframes, batch processing and providing printouts and other information to users.


Today, information processing generally involves office automation, telecommunications, personal computing, data-base management, as well as the procedures for integrating all of these functions.

Computing power is now cheap enough that even laymen can work with it. As a result computing has penetrated the lowest as well as the highest levels of the organization. The result has been an increasing dependence on the system while at the same time increased pressure for distributed DP. The increasing complexity of the information-processing function has, therefore, made it even more important for the organization to understand vulnerability: why it is a problem, the sources, risks and alternate responses.

The information-processing center is not the only segment of the organization that is vulnerable. Manual systems are just as vulnerable and may have no backup. To arrive at appropriate, practical and cost-effective responses to potential risks, vulnerability needs to be broken into its elements. Otherwise, there may be a tendency to overreact to elements that are improbable or too expensive. Overreaction may result in loss of productivity, affect service delivery, and generally have disastrous economic consequences for the organization.

The following elements of vulnerability were identified:

• Physical destruction.
• Dependence on the system.
• Dependence on the vendor.
• Reliability and availability of the data.
• Transborder data flows.
• Computer crime.
• Personnel.
• Political conditions and pressures.
• Economic factors.

The following summarizes the workshop participants’ discussion of the elements of vulnerability and potential sources of risks.

(a) Physical destruction

Time and analysis have shown that in most cases the risk of physical destruction is less than the risk of accidental staff and/or system error. Contingency plans should address emergency procedures and backup strategies, offsite backup facilities and peripheral weaknesses such as storage locations of vital documents required for printing out information from the system.

Building security into existing structures and equipment is more costly and less effective than designing security into new buildings and equipment. It was suggested that collective demand be put on equipment manufacturers to design security checks into the hardware, much like duplicating machines include usage measures.

Sabotage was an area considered very difficult to address effectively. In some countries terrorism is still a major concern. In others, however, this concern has been minimized by the maturing of peoples’ attitudes toward the computer. The perception of the computer as a symbol of the organization has reduced the risk that the data center will be a target of hostilities. In general, while the group felt that the risk of physical destruction was real, in many cases it may be too costly to have effective backup readily available.

Perhaps the most critical area of concern was not the batch processing but local network control and how to support the information system if there is system down-time.


While no simple solution was proposed a number of alternatives were considered. There were generally two schools of thought. To minimize the risk of destruction or lengthy down-time, some felt that two systems should be ordered. Others felt this option was too costly for most organizations and recommended contract backup support.

Increased online access to information has also increased the risk to data integrity and the timeliness of response to support administrative services. Once the system is in place, dependence tends to increase. All agreed that while the DP director could not eliminate all risks, he must deal with those in the environment he controls and alert users and managers to other potential risks and consequences. Users or a risk-management committee should be assigned responsibility to decide among alternative responses.

Some attention was given to the increased concern with potential VDT† effects on health and the contingent possibility of staff rejection of the hardware. The potential for increased regulation with attendant costs such as furniture and equipment replacement, staff reassignment or turnover and legal suits were discussed but no conclusions reached.

(c) Vendor dependence

While this issue was of less concern than it was a few years ago, vendor dependence is still an element of vulnerability. Competition as well as user maturity have combined, however, to make vendors more responsive and concerned with user needs. While there is now less reluctance to work with a variety of vendors, the customer must be sure the vendor is responsible, economically viable, technically capable, reliable and able to provide adequate support for his systems.

In the applications software area some software is aging and maintenance contracts are expiring. This raises the questions of how to maintain backup releases of various data runs. The maturing of the “information center” concept may minimize the problems of aging software by forcing an early response to the problem. While solutions are dependent on individual organizations and resources, here again well-defined procedures should be in place to deal with various contingencies. Accountability should also be clearly defined and staff informed of the chain of responsibility.

Since the DP manager is involved with more and more packages, there is less time with the source code than there was several years ago. This results in a loss of control which must be measured in terms of how critical it is to the operation and how long the organization can tolerate down-time. DP must also assess the implications if the vendor goes out of business. Determining in advance how the system will be supported may be critical to the organization. While there were no simple answers, how the organization responds to these questions will have a major impact on vendor relations.

(d) Reliability and availability

In addressing these issues participants stressed that staff training, sound professional standards and procedures that are revised periodically and reinforced are the best ways of assuring the reliability of the data from the system. Availability was dependent on both internal and external factors. In some cases the information-processing function was caught between conflicting privacy and confidentiality and freedom of information laws. In others, political pressures were significant factors.

(e) Transborder data flows

Some countries were more concerned than others about this issue. Those for whom it is an important problem were concerned with the consequences of data moving from one political jurisdiction to another. In the process data can be combined and information about people that was confidential in one jurisdiction may become accessible in another.

This raised questions of data ownership, responsibility for its use and the ensuing consequences. Some felt these issues also could be addressed by corporate policies, good professional standards and staff education and reeducation.

† Used interchangeably with CRT.


(f) Computer crimes


Some felt that intent to commit a crime is a relatively minor portion of so-called “computer crime”. A higher proportion of it is error, unintentional omissions and inadequate security. Most felt the best response to this type of crime was to build security into the system but also to reinforce this security through high professional standards, training and maintenance of good procedures.

Since people are a significant source of vulnerability, considerable time was spent considering the ways to minimize people-oriented vulnerabilities. The experience of many suggested it was prudent to approach the governing board for assistance in guarding against the loss of a critical programmer, the theft of important data or personnel error whether intentional or unintentional. This approach is not consistent, however, with current budget-cutting schemes which tend to reduce backup rather than increase it. This applies in particular to staff training where it might be wise to send up backup staff for training.

Regardless of the approaches considered, it is important to have a formal designation of the chain of command in the event of a disaster. A document should exist, and staff should participate in its preparation. The document should be distributed among all staff and tests should be conducted to determine the effectiveness of the plan.

(h) Economic factors

While all kinds of risks may cause damage to the organization, not all risks must have a solution. The cost of taking precautions against some risks may be so high that they are impossible. The cost of providing solutions to all potential risks raises the issue of responsibility for the decisions. No consensus was reached but in general participants felt the organization must face the issue of vulnerability in a responsible way. If no other element of the organization takes the initiative, the DP director should.

In any case the DP director should be involved in the decision-making process. The best alternative, however, was generally considered to be spreading the responsibility perhaps through a risk-management committee. DP should be responsible for developing alternatives to identified risks, but users should decide how much it is worth to provide solutions. Some suggested that a cost-benefit analysis be completed and be based on the initial system justification.

(i) Political considerations and pressures

The MIS† director needs to be particularly sensitive to the political environment and quantify potential risks for himself. In some cases top management and the government itself may cause more problems than they eliminate. For example, the freedom of information act is often in direct conflict with the right to privacy and confidentiality of the citizen. MIS is in the middle and must be responsive to both.

Risk-management committees may be one solution to spreading the risk and responsibility throughout the organization. If the committee mechanism is not available, it is still important for responsibility to be spread throughout the organization among those who are involved as users or providers. If there is no other initiative MIS should probably take it to see that the organization addresses the risks and deals with them appropriately and responsibly.

In the European environment organizations seem to be better structured to respond to these kinds of issues. In Sweden for example, they are well structured through legislation and government mandate. A national group was appointed to study the problem of vulnerability and the committee has an ongoing mandate to address the problem continuously. There is also a data-inspection board with authority to issue licenses to anyone holding a file. The file holder must state the intent for which the file is being maintained and secure a license to hold it. Government regulations are very specific regarding privacy, security and particularly national security issues.

† MIS and DP may be used interchangeably.

CHANGING ROLE OF MIS

While MIS should be concerned with vulnerability the DP director may not always be the best person to assess or even identify the vulnerability which his system introduces into the organization. One alternative is for MIS and the user to form a partnership where MIS is responsible for defining the risks, presenting the risks and explaining the consequences. The users would be responsible for deciding on a course of action. In any case, responsibility for risk management must be assigned or assumed in the responsible organization.

In the days when users had to be sold on the benefits of computerization, DP often avoided discussing the potential risks with the users. The issues have become so complex, however, that MIS alone may not be able to assess the overall impact of the system on the organization. The users must be involved so they accept some share of the risk. Management should also share in the responsibility, as must government.

CHANGING ROLE OF THE AUDITOR

In some cases auditors and/or consultants may lend credibility and/or support to MIS’s approaches to addressing vulnerability issues. They have an independent set of eyes not conditioned by preconceptions but by their analysis of the problem. There are some positive and negative aspects, however. On the positive side they could be part of a strategy for dealing with vulnerability by providing external support for implementing solutions to the problem. On the negative side, they may provide text book solutions which sound good to management. The MIS director, however, may have to respond in relation to more practical solutions.

For this reason it is important for the MIS director to be involved in selecting any outside consultant or auditor. If used correctly, the outside auditor or consultant could provide some objectivity in terms of budget support.

Some felt, however, that it was not up to MIS to accept or reject suggestions made by external auditors or consultants. They felt it was a user function since it is the user’s system and he is the only one who can assess the impact, other than to impact.

STRATEGIES FOR MINIMIZING VULNERABILITY

In the first place the organization must understand vulnerability, its sources and risks. To accomplish this, vulnerability must be separated into its elements and decisions must be made about responses to each.

An attempt was made to categorize the kinds of precautions that should be taken to protect the DP center:

• Internal corporate policies. This should include policies regarding everything relating to the security of the corporation, such as keywords, passwords, chain of command etc. The policies should address what can be done, who is authorized to do it, and what the chain of command would be in a crisis. The policies should be well organized and authority and responsibility carefully assigned, and the information disseminated to all staff.

• Laws. Federal or state laws might be needed to protect the government DP function from risks that can occur from collection and integration or use of the data.

• Insurance. Since all kinds of events can cause damage, not everything can have a solution, or at least a cost-effective solution. In some cases the cost of taking the precaution against a risk may be too expensive. Sometimes it may be necessary to take a chance. Increasingly insurance policies are becoming available which protect DP against some of the potential risks which can occur. These should be investigated as one of the possible alternatives.


A plan should be developed which incorporates an identification of the elements of risk, the potential sources of risk, the precautions that should be taken to eliminate or reduce vulnerability and a clear description of the chain of command in case of crisis.

Staff must be properly trained and oriented to response options. Backup staff should be assigned and trained to operate systems, correct software and in other ways respond to crisis.

Professional standards for systems design, hardware, software and performance should be established, disseminated and enforced.

More responsibility should be placed on the vendor to reduce risks through hardware and software and backup systems.

USER RESPONSE TO MIS

Users often project a feeling of vulnerability onto the systems when they perceive a loss of control over their data. They tend to see the automated system as being more vulnerable than it may in fact be. The sense of insecurity may result in their feeling threatened by MIS and their greater interest in obtaining control over their own data.

MIS may find very helpful supporters among user groups as the sense of risk as well as responsibility is shared within the organization.

SUMMARY

The problem of vulnerability is an organizational problem that varies with the political, economic, social and legal environment. MIS should be a key element in the process of identifying areas of vulnerability and developing appropriate responses. Where no other source of initiative exists, MIS should take the responsibility to see that the organization deals with all the aspects fully and responsibly. With a trend toward more formalized information management the responsibility for risk management may and perhaps should be spread throughout the organization.