CISO Blog

Tad Stahl, the Chief Information Security Officer (CISO), will share thoughts on a regular basis on information security issues facing the State of Indiana workforce. The web software does not permit you to comment in typical blog fashion. Please send your questions and comments to IOTCISO@iot.in.gov. Your comments and questions, along with the CISO’s response, will be manually appended to the blog. Only questions and comments from state government email addresses will be addressed.

Password Changes

Over the coming months the state will be strengthening its password management scheme to enhance our overall security position. All state users will be required to use complex passwords (many already do). A complex password, by our definition, is comprised of at least eight (8) characters and contains three of the following four categories:
• Upper case letters
• Lower case letters
• Numbers
• Special characters (&, ^, %)

I know there will be a slight learning curve, but you can handle it (and don’t even think about writing it down on a sticky note and putting it on your monitor). We’ve set up a web page to help you prepare: http://www.in.gov/iot/2328.htm#Password. Here you will find tips and tricks, as well as an explanation of why complex passwords matter to state security. I also recommend you extend this practice to the passwords you use away from work.
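A small checker for the complexity rule defined above, added here as an illustration rather than IOT's own code. It assumes that "special character" means any character that is not a letter or digit (the entry only gives &, ^ and % as examples) and runs over a few constructed sample passwords.

```python
import re
from typing import List, Tuple

# The four character categories named in the state's definition.
# "special" is assumed to mean any character that is not a letter or digit.
CATEGORIES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}
MIN_LENGTH = 8        # at least eight characters
MIN_CATEGORIES = 3    # three of the four categories


def check_complexity(password: str) -> Tuple[bool, List[str]]:
    """Return (meets_policy, reasons). reasons is empty when the policy is met."""
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    present = [name for name, rx in CATEGORIES.items() if rx.search(password)]
    if len(present) < MIN_CATEGORIES:
        missing = [name for name in CATEGORIES if name not in present]
        reasons.append(
            f"only {len(present)} of 4 categories (missing: {', '.join(missing)})"
        )
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    samples = ["Password1", "password", "Pass1!", "PASSWORD123", "Hoosier^08"]
    for pw in samples:
        ok, why = check_complexity(pw)
        print(f"{pw!r}: {'OK' if ok else 'REJECTED - ' + '; '.join(why)}")
```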

CISO Thoughts

My thoughts and best wishes go out to those suffering from the flooding in southern and central Indiana. Words cannot begin to describe the range of emotions inspired by the video footage and photos. It was just unbelievable.

In the midst of the tragedy there were things that make you proud to be a Hoosier. First and foremost was the character demonstrated by those affected. I didn’t see many playing victims. Fear and shock quickly gave way to a determined attitude to clean-up and rebuild in spite of the long, grueling effort it will entail. And then there were the countless heroic stories of emergency personnel and good neighbors. When most of the news is dominated by stories of bad deeds it was nice to see the good deeds of people recognized.

We’ll talk about information security next time. Maybe disaster recovery would be an appropriate and timely topic.

Threatening SPAM

The state has begun receiving SPAM containing threats of physical harm. Though it is a little shocking to receive the first one, in the end it is just another mass mailing playing on fear. In this case physical danger is the target rather than a bad credit rating, closed bank account, etc. Unfortunately, I expect SPAMMERs to continue with this theme, escalate the threats, and make them seem more personal and realistic. IOT will work to block them with its filters, but you can expect some to get through. When they do, give them no more attention than you would any other SPAM. Please report SPAM using the instructions found here.

Is Big Brother Watching Your Computer Activities?

The answer to the question above is “no.” IOT does not have a special force hunting for inappropriate user behavior. However, you should always keep in mind that State Ethics Rules prohibit the use of state assets for personal use except where allowed under agency De Minimis use policies. You should also know that anything you store or create on state time or with state-provided technology is not considered private. Agencies can and do request access to employee information for a variety of reasons, including extended absences and suspected inappropriate use. When agencies make such requests, IOT is usually able to assist.

I don’t believe the state has any more of a problem with improper behavior than do other organizations of similar size. But I would like to see the time IOT spends assisting agencies in this regard applied to more productive tasks. My guidance is to value your job and the respect of your co-workers by avoiding the temptation to misuse state resources. Re-read and abide by the Information Resources Use Agreement (IRUA). And if you question the appropriateness of an activity, talk it over with your manager rather than risking a wrong decision.

Handling Phishing Scams

I’m often asked why I don’t put out statewide warning emails on every “Phishing” scam making its way to the state government email system. Trust me, you really don’t want to hear from me that much. 99% of all email coming to the State is SPAM and a chunk of those are phishing messages. You would hear from me so often that you would soon treat my messages as SPAM.

It wouldn’t work anyway. My warnings would almost always come too late. The only effective defense is for you to recognize these messages as you receive them. Fortunately, you’ve become good at it. Sometimes it can be tough to recognize a phishing message. They seem to get more creative and authentic in appearance with each new scam, and we can expect scam artists to continue honing their craft. Regrettably, they continue to work (information on phishing message characteristics).

I do look to get information to you when there is a new or a severe risk you might encounter. But our best defense is having you aware of threats and closely examining every message for validity.