From: Welling, Craig [mailto:Craig.Welling@state.co.us]
Sent: Friday, October 12, 2007 5:01 PM
To: Al Kolwicz
Cc: Conley, John
Subject: Responses to Your Inquiries
Dear Al,
You recently submitted three questions to me by e-mail. Although our office is not required to provide responses to these inquiries pursuant to CORA or any other statute, below are responses to your three questions:
Question 1: Is it correct to assume that the October 1 letter refers to the 19 security policies at http://www.colorado.gov/cs/Satellite?c=Page&childpagename=Cyber%2FCISOLayout&cid=1167928186414&p=1167928186414&pagename=CISOWrapper?
Response: Yes.
Question 2: Will you please forward a copy of the SOS Plan of Action and Milestones referred to in the conditional approval letter?
Response: For the same reasons stated in my September 19, 2007, letter to you, we cannot provide you with the SOS Plan of Action and Milestones (“POA&M”) referred to in the conditional approval letter. Contrary to your contention, the POA&M is a component of the Information Security Plan, and C.R.S. § 24-72-202(6)(b)(X) provides that such documents are not public records. Moreover, the POA&M identifies and addresses specific vulnerabilities and risks of the organization. Making such information publicly available would be against the public interest as it would provide detailed insight into the security vulnerabilities in state agencies.
Question 3: Is it the opinion of the CISO that compliance with the 19 policies is sufficient to detect, report, defend, and recover from all security threats to the Colorado Election System including manufacturer embedded defects/malware and human error?
Response: No. According to the State CISO, it would be irresponsible to say that compliance with 19 security policies is sufficient to detect, report, defend, and recover from ALL security threats in any organization. He adds that to include manufacturer-embedded defects/malware and human error is unreasonable. Moreover, he states that the cyber threat to IT infrastructure, applications, and people changes on a daily basis and that the purpose of the Information Security Plan and Policies is to establish a baseline of best practices that allow the organization to operate securely. Finally, even if compliance with the 19 policies were to be sufficient, C.R.S. § 24-37.5-401 allows for a three-year phase-in period, during which time SOS is working on projects intended to achieve that optimal end-state.
Although the Governor’s Office of Legal Counsel is involved in responding to Open Records Act requests you may direct to an office within the Governor’s Office, further inquiries regarding the Secretary of State’s compliance with his office’s security plan should be directed to the Secretary of State’s office as that office is responsible for compliance with its own plan.
Sincerely,
Craig Welling
Deputy Legal Counsel
Governor Bill Ritter, Jr.
121 Colorado State Capitol
Denver, Colorado 80203
Direct: (303) 866-6375
Fax: (303) 866-6399
e-mail: craig.welling@state.co.us
The information contained in this electronic communication and any document attached hereto or transmitted herewith may be attorney-client privileged, work product, or otherwise confidential and is intended for the exclusive use of the individual or entity named above. If the reader of this message is not the intended recipient or the employee or agent responsible for delivering it to the intended recipient, you are hereby notified that any examination, use, dissemination, distribution, or copying of this communication or any part thereof is strictly prohibited. If you have received this communication in error, please immediately notify the sender by telephone or reply e-mail and destroy this communication. Thank you.