Saturday, March 03, 2007

VERMONT TO REVIEW COMPUTER SECURITY POLICIES State review finds no new Internet breaches:

MONTPELIER, Vt. -- A preliminary review of the state's computer system has found no new security breaches of sensitive personal information stored on state computers, state officials said.

Gov. Jim Douglas ordered the review after disclosures in January that a state computer containing names, Social Security numbers and bank account numbers for nearly 70,000 people was broken into in a remote attack.

The state Department of Information and Innovation, working with a consultant, used tests to hack into the state's web applications and reviewed the security measures in place in all state departments and agencies.

"The penetration testing of the State's web applications have not exposed any vulnerability in the web-based systems," according to the report, issued Thursday. "Agency reviews of their security measures and applications have not uncovered any serious issues."

Department Commissioner Thomas Murray said the review uncovered a number of minor administrative concerns about which the state needs to be more diligent.

"There weren't any glaring concerns," he said.

Among the recommendations, the report advises the state:

- implement a more thorough process for system support, documentation and managing the impacts of changes in the system;

- implement a system of data access procedures that ensures the appropriate level of access to confidential data;

- strengthen its security policies and standards;

- set up new "demilitarized zones" on the state's main computer network, Govnet, to allow key partners like the federal government access to some state systems while barring them from wide-open access to the network.

Murray said many of these steps were under way.

Other changes include a new encryption policy, stepped-up employee training on security issues and annual audits with funding for new equipment hinging on problems being fixed.

Over the next few months all state departments and agencies will be asked to complete an inventory and risk assessment of their computer systems, he said. "All systems with confidential data will be required to submit a security plan and each system will be audited based on need and risk," the report said.

Douglas also has asked the department to create long-term protocols to strengthen the state's computer security.

Completing those steps could take up to a year, Murray said.
