State of Montana Information Technology Managers Advisory Council

Transcription

1 State of Montana Information Technology Managers Advisory Council Welcome and Introductions (1:00-1:05) Joe Frohlich, Past Chair Council Business Meeting August 7, :00 3:30 Room 152 State Capitol Information Sharing (1:05 1:10) Order Continuing the Managers Advisory Council Members Past Chair Announcement of new/elected Council Members Past Chair Business (1:10 2:00) Operating Procedures Discussion Past Chair o Action Item Adopt August 2013 Procedures LGIT Update Joe Frohlich Strategic Planning Kyle Hilmer/Gartner Representative Break (2:00 2:20) Business (2:20-3:20) Electronic Records Management Status Update Anita Bangert Information Technology Conference Penne Cross Data Protection Initiative/HB10 Lynne Pizzini June/July Incident Reports Lynne Pizzini Mobile Device Management Lynne Pizzini Policy Update Lynne Pizzini Standing Agenda Items (3:20 3:25) Posted Reports Adjournment (3:25-3:30) Next Meeting September 4 Member Forum Public Comment Adjourn Parking Lot Communication Plan Notice: The Department of Administration will make reasonable accommodations for persons with disabilities who wish to participate in the ITMC's public meetings or need an alternative accessible format of this notice. If you require an accommodation, contact the Department of Administration no later than six business days prior to the meeting of interest, to advise us of the nature of the accommodation that you need. Please contact Julie Kriedeman at (406) , or [email protected]

2 Information Technology Managers Advisory Council (ITMC) Operating Procedures August 2013 OVERVIEW: The State of Montana Information Technology Managers Advisory Council (ITMC) herein referred to as Council was established in 1997 at the direction of the Director of the Department of Administration. The Council serves at the pleasure of the Governor and the Director of the Department of Administration. The Council is advisory in nature as per MCA Advisory capacity means furnishing advice, gathering information, making recommendations, and performing other activities that may be necessary to comply with federal funding requirements and does not mean administering a program or function or setting policy. Until 2007, the Council was an open ended body with a representative from each state agency. Now the council consists of up to nine IT professionals including a chair, past chair, vice chair, up to five at large members, and the State CIO. These members are to be appointed in the June of each year for the ensuing fiscal year. The ITMC will suggest to the Director of the Department of Administration a slate of individuals as the members of the ITMC for the coming fiscal year. The Director of the Department of Administration will make the final appointment with the concurrence of the Governor. Responsibilities of the Council: The Council exists to provide advice to the Department of Administration, State Information Technology Services Division herein referred to as SITSD concerning the technology needs of state agencies on a wide range of technological issues within state government. In striving to provide suitable advice to the Department, the Council may undertake the following activities: gather information, review opportunities, review issues and provide advice to the State CIO; actively support planning and governance efforts of the Information Technology Board; actively participate in enterprise information technology policy and standards review processes; actively participate in state and agency IT strategic plan development, implementation, measurement and continual improvement; meet regularly to provide an opportunity for free exchange among information technology professionals on subjects of common interest and concern; and provide a forum for maintenance of the state's technical staff resources through continuing education, career development, and sharing ideas and resources. ITMC Procedures August

3 MEMBERSHIP & PARTICIPATION: The Council requests an extension each biennium per , MCA. Annually, the Council recommends a change in membership. IT professionals from state agencies and representative(s) of local government gather each June and nominate a slate of members to include the outgoing chair, a new chair (typically the previous vice-chair), and up to six at large members. The vicechair is elected by the official council members after their formal appointment to the Council for the upcoming year. Selection as Vice Chair is made with the understanding that the individual so selected will transition to Council Chair for the following year, and will remain on the Council for the next year as well, making this a three-year commitment. This slate of members will be forwarded to the Director of the Department of Administration for review and approval for the coming fiscal year. The CIO or their designee is automatically a member of the council. VOTING: It should be noted that given the advisory nature of the Council, votes indicate the degree of consensus, not an approval or denial of any item. MEMBER PARTICIPATION: Active participation is necessary for the Council to function effectively. Continuity is essential regarding issues under discussion, and especially for those needing affirmative action. Therefore, if a member has 3 absences during a fiscal year, the Council can, in consultation with the agency or institution s director, recommend replacement of the member in question. SITSD PARTICIPATION: It is anticipated that, upon request, portions of the general meetings will include presentations by members of the SITSD technical and policy staffs. SITSD will ensure that staff with technical knowledge of the issue(s) is available at council meetings to share expertise. COMMUNICATIONS: The Council shall communicate with SITSD, the Information Technology Board and other entities through the Chair, or as delegated by the Chair. Members are encouraged to contact the Chair with suggested agenda items. Items requiring Council action will be noted on the agenda. Official correspondence will be distributed at the discretion of the Chair, or the Acting Chair, with the assistance of SITSD Council support staff. Action items or issues for future discussion will be noted by support staff, and coordinated with the Chair for future agendas. Minutes of the Council meetings will be provided to all Council members and interested IT professionals. They will be published on the SITSD web site. MEETINGS: ITMC Procedures August

4 The Council regular meetings are held on the first Wednesday of every month and are open to all. IT professionals from federal, state, local, and tribal governments, and private entities are invited and encouraged to join in discussing topics of interest to the IT community. STAFFING: The SITSD provides staffing support to the Council. Such staffing consists of a Business/Technology Analyst and one individual providing administrative support. Council staffing support includes participating in building meeting agendas for monthly Council meetings, coordinating meeting times and rooms, taking minutes, distributing correspondence, and responding to the ad hoc needs of the Council. SITSD will also provide technical resources for assigned subcommittees as requested by the Council Chair. EFFECTIVE: These procedures will become effective upon approval at the August 2013 meeting. They will remain in effect commensurate with the Executive Order that establishes the Council. ITMC Procedures August

5 Reporting to ITMC Information Owner Name: Irv Vavruska Organization & Work Unit: DOA/SITSD/Enterprise Support Bureau/Desktop Services Phone: Website (if applicable): Information Informational Issue Action Needed Other: Name of Service, Program, Project or Issue: New Service -- Microsoft SCCM Endpoint Protection Description: As you know, the State of Montana is moving from the Nod32 Anti-virus application to Microsoft s Endpoint Protection. In an effort to provide efficiencies and ease of migration, SITSD is offering a service to assist agencies in this move. As some agencies have discovered, SCCM can be a complicated product and requires some knowledge and training before it can be implemented. We have also discovered that an SCCM server can support up to 100,000 devices. With this in mind, SITSD is offering the following to an agency that would like SITSD to rollout Endpoint Protection: Rollout the SCCM agent to agency devices Configure Endpoint Protection with the agency defined options Remove ESET Nod32 from agency devices Provide annual updates to the devices For an agency with less than 100 devices, the cost would be $ This charge would show up on the SITSD invoice as SCCM Support. For an agency with more than 100 devices, there would be additional charges depending upon the time needed for implementation. SITSD would be willing to provide an estimate for an agency with more than 100 devices that is interested in this service. Along with this service, access to the SCCM console would be provided to the agency technical staff to monitor desktops, run reports, etc. If your agency is interested in this service, please call our Service Desk at Impact: Key Dates:

6 Other information and list any attachments:

7 Data Protection Initiative Information Technology Managers Council August 7, 2013 Presented by: Lynne Pizzini, CISSP, CISM, CIPP Chief Information Security Officer State Information Technology Services Division Overview 1. User Access Control and Verification 2. Statewide Risk Assessment and Penetration Testing 3. Statewide Training and Awareness Program 4. Chief Information Security Officer 5. Network Compartmentalization 1

8 USER ACCESS CONTROL AND VERIFICATION User Access Control and Verification A system that ties various login and authorization systems together into a unified whole. Establishes an enterprise data protection system that helps to address cyber threats and reduce the ability of cyber attackers to gain access by providing multifactor authentication. Ability to integrate various agency systems together to exchange and manage data. 2

9 User Access Control and Verification Phase 1 Initial installation and configuration of identity synchronization software and connecting to enterprise identity stores and services. This ties to the decision made by ITMC in January, 2012 that leverages Active Directory as the authentication and authorization directory of choice. Based on this position, our best option is to use our Microsoft enterprise agreement and move forward with the implementation of FIM. Includes self-service password reset. Governance of structure and gold source of data. User Access Control and Verification Phase 2 Installation and configuration of verification of users by use of multi-factor authentication and improved identity life cycle processes. Processes established Phase 3 Bridging other agency identity stores with the enterprise identity synchronization software. Framework with be established. Processes will be integrated. 3

10 User Access Control and Verification Timeline Phase months beginning in October. Preliminary work is currently being completed with kickoff in October. Phase months agency participation for purchase of Multi-factor authentication. Phase months agency participation for different integration pieces. User Access Control and Verification Governance Team consisting of 9 members 4 appointed by ITMC to represent all agencies 2 from DOA HR Division Administrator and Chief Legal Counsel 3 from SITSD CIO, CTO, CISO Responsible for review and recommendations concerning policy statements, program stewardship, strategic planning, reviewing agency business requirements/requests. 4

11 STATEWIDE RISK ASSESSMENT AND PENETRATION TESTING Risk Assessment and Penetration Testing Conducted by a third party. Use of state contract. Highlight vulnerabilities and generate requirements for improving security. Generate proposal for next legislative session to improve security for the State of Montana. 5

12 Risk Assessment and Penetration Testing Timeline Currently collecting requirements. Will do a bid process and do SOW Anticipate having agreement with vendor to begin assessment in March, STATEWIDE TRAINING AND AWARENESS 6

13 Statewide Training and Awareness Was not included in recent HB10 Legislation New web site being made available Multiple levels of training: New employee Annual regular employee Technical Training Managerial Training Made available September 1 st Annual training is Governor mandated for all executive branch employees. CHIEF INFORMATION SECURITY OFFICER 7

14 Chief Information Security Officer Was not included in recent HB10 Legislation Position created in April, 2013 Provide leadership, standards, policies, and oversight for a state information security program. Management of statewide security risks that impact all of state government. NETWORK COMPARTMENTALIZATION 8

15 Compartmentalization of the Network Was not included in recent HB10 legislation Limit access to individual agency systems to provide security where needed. Only allow authorized users access to the network layer of systems ANY QUESTIONS? 9