COLUMBIA, S.C. (AP) — South Carolina's inspector general recommends centralizing the cyber security functions of state agencies to help prevent another loss of personal data, according to a report released Tuesday.
"Without question, the current highly decentralized model needs to be eliminated," Inspector General Patrick Maley wrote. "South Carolina needs a traditional federated model with central responsibility."
While oversight and standard-setting should be centralized, agencies should be allowed to tailor their policies according to their needs, he wrote.
Maley said leaving the responsibility of data security to each agency leads to uneven data protection and prevents officials from managing or even understanding risks that could affect all state government.
He notes the Division of State Information Technology can only suggest policies and lacks any authority to mandate statewide standards. The division offers federally funded security-monitoring services free to state agencies, local governments and school districts.
Maley recommends creating a new statewide chief security officer independent of the division, largely because of agencies' historical distrust of the division, which is part of the Budget and Control Board.
He also believes the state should hire consultants to help transition to the centralized model.
"Consultants will be costly, but the state can't develop this government-wide initiative without their assistance," he wrote.
The argument to centralize represents an about-face from five years ago, when a nine-member committee created by former Gov. Mark Sanford found that information technology services were too concentrated. At the time, the computer division was criticized for charging agencies for services with no explanation. The committee found it had amassed too much authority with no direct responsibility or accountability.