Agency for State Technology

Transcription

1 Agency for State Technology Statewide Information Technology Security Plan The Way Forward Rick Scott, Governor Jason M. Allison, State CIO

2 Table of Contents From the Desk of the State Chief Information Officer (CIO)...3 Executive Summary...4 Strategy 1: Enhance security and privacy capabilities...5 Objective 1: Implement a cybersecurity framework policy...6 Objective 2: Improve situational awareness...7 Objective 3: Develop a robust enterprise security incident response program...8 Strategy 2: Enhance the Enterprise IT environment, including application rationalization...9 Objective 1: Invest in core enterprise enhancement...10 Objective 2: Develop application rationalization approach and begin implementation...11 Strategy 3: Define the roadmap for maturing IT Processes and Strategic Business Alignment...12 Objective 1: Strengthen project assurance and ensure project oversight...13 Objective 2: Coordinate multi-agency enterprise initiatives...14 Timeline...15 Close...16

3 From the Desk of the State CIO, Jason M. Allison As security becomes the focal point for all IT related initiatives, Florida is now in the best place to affect statewide change for a more secure, efficient, and effective future. Security embedded in the foundation of systems, processes, and projects will position the state for great economic and technological success. With the creation of the Agency for State Technology, the state can focus on securing state IT assets, while moving toward consolidated and standardized platforms. This three-year statewide strategic security plan lays out the roadmap to position the state to enter new markets, support hardened infrastructure, and better align Florida s strategic initiatives. This plan lays out three one year high-level strategies, followed by specific objectives. Years two and three are included in a high-level timeline, this supports growth and flexibility within the strategic plan. As AST progresses through the years while maintaining our vision, new goals will be added and new strategies formulated. Horizon-driven strategies are included in a year four brief to show how the strategies position the AST to take on more aggressive, innovative solutions over time. As IT is an ever-changing and evolving industry, our strategy must also be flexible, innovative, and adaptive. The partnerships AST is developing with Agencies will help drive the IT future for the state. This will make Florida a hub for innovation and drive economic success for the state, its citizens, and businesses. I hope you share my excitement, as Florida embarks on this journey and emerges as a competitive industry leader.

4 Executive Summary Safeguarding and protecting Florida s IT resources is a top priority. AST is committed to maintaining the highest level of data security, while embracing new capabilities and ensuring information protection for citizens and businesses in the state. As AST progresses toward a more hardened IT climate, this strategic IT security plan will focus on three long-term strategies spanning 2015 through Emphasis for this plan is on year one objectives which are designed to build security into the very fabric of state IT operations and processes. These are foundational strategies that will position AST to take on horizon-driven initiatives in an organized and secure manner. Each year as objectives are implemented, the strategy will remain with added objectives to show progress year-after-year. Upon full implementation of the foundational strategies, subsequent strategies will be identified, planned, and included in future strategic plans. This phased approach supports continual progress, while moving toward convergence for enterprise strategic alignment. Strategy one establishes objectives for adopting a strong cybersecurity framework, cultivating collaborative partnerships for critical response efforts, and focusing on situational awareness to empower the state workforce. Strategy two establishes objectives for assessing and enhancing the state s data center infrastructure, to include application rationalization. Strategy three establishes objectives for project assurance and oversight and promotes strategic business alignment by partnering with state agencies to understand and support their mission- specific strategies.

5 Strategy 1: Enhance Security and privacy capabilities Objective 1: Implement a Cybersecurity Framework Policy Objective 2: Improve Situational Awareness Objective 3: Develop a Robust Enterprise Security Incident Response Program

6 Objective 1: Implement a cybersecurity framework policy In support of the Governor s job and economic growth initiatives, a top priority is protecting critical IT assets. Systems and information drive delivery of services to citizens and promote effective government. The foundation to building secure IT capabilities is a sound cybersecurity framework with robust underlying processes. AST will develop a cybersecurity framework policy that guides the state s information security workforce and promotes efficient IT operations. Security rules will be mapped to the framework and promote secure and consistent practices for state computing platforms. Security considerations will be developed for all IT functions and promote risk mitigation initiatives. Framework implementation will be a rigorous multi-year effort. Each new initiative will enhance and secure the state s IT resources while consistently moving toward framework compliance. On any given day, Florida has 1.7 million visitors

7 Objective 2: Improve situational awareness Reliance on shared information is critical. How Florida protects and shares information has a significant impact on citizens, visitors, and businesses in the state. To ensure that we are diligent in our efforts, we are reliant on information sharing partnerships and continual education of state workers. As threats emerge and transform, AST will position itself to effectively mitigate attempts to compromise the state s information assets. AST will build partnerships with state and federal entities to support improved situational awareness and harden security practices. AST will support training and outreach campaigns that engage all workers and promote a security-centric culture, involving individuals in data protection initiatives. Florida has surpassed New York as the 3rd most populous state.

8 Objective 3: Develop a robust enterprise security incident response program Escalation of threat-related activities has driven a change in how the state must approach incident response. AST will cultivate collaborative partnerships to support predictive and preventative cybersecurity efforts. Layered defense must support these techniques; however, when defenses are compromised AST must have a refined, robust response program and assist state agencies with execution. The program will standardize response efforts to support rapid, consistent countermeasures. Miami is among the world s Top 5 most interconnected cities.

9 Strategy 2: enhance the Enterprise IT environment, Including application rationalization Objective 1: Invest in Core Enterprise Enhancement Objective 2: Develop Application Rationalization Approach and Begin Implementation

10 Objective 1: Invest in core enterprise enhancement Information technology has quickly become an enabler, from automation to innovation, it supports trade and investment growth in the state. As technology platforms age, obsolescence introduces risk and duplication, and limits our ability to effetively transform business processes. AST will provide seamless and consistent service delivery to state agencies, so that agencies can in turn provide timely services to Florida s citizens and businesses. AST will undertake enhancements to the enterprise IT environment, supporting the move toward deploying secure, interconnected systems. Primary focus will be on replacing end-of-life equipment, standardizing computing platforms, merging operations for core services, and enhancing disaster recovery service capabilities to align with the application rationalization vision. More than 26,000 IT companies, employing close to a quarter of a mllion workers, call Florida home.

11 Objective 2: Develop application rationalization approach and begin implementation We can only secure what we can see. In order to properly manage the security of the enterprise environment, it is necessary to understand it. Application rationalization includes identifying application dependencies and components that have the potential to introduce security risk. Empowered with this awareness, security initiatives can be prioritized and efficiently applied where they can produce the greatest benefit. The information will also guide future initiatives to offer secure shared services that will reduce the risk, complexity and cost of new applications.

12 Strategy 3: define the roadmap for maturing IT Processes and Strategic Business Alignment Objective 1: Strengthen Project Assurance and Ensure Project Oversight Objective 2: Coordinate Multi-agency Enterprise Initiatives

13 Objective 1: Strengthen project assurance and ensure project oversight Introducing security considerations into the early stages of project initiatives is highly effective in identifying shared security services and tools, which promotes system hardening and supports cost-effective outcomes. Through collaborative efforts with state agencies, we will assist in the development and use of consistent project management standards and methodologies, facilitate project oversight and assessment, project risk, and strive for high performing IT projects across the state. These efforts will improve cost-efficiency through repeatable project success.

14 Objective 2: Coordinate multi-agency Enterprise initiatives Interagency collaboration promotes strategic business alignment. AST will establish enterprise relationships to identify multi-agency integration and consolidation opportunities. Solutions will focus on efficiencies, cost savings, utilizing existing information in new ways, cross-boundary solutions for shared business processes, and ways to measure success. AST will host workshops to promote the conversion of ideas into meaningful and innovative solutions. Workshops will identify data management opportunities to promote interoperability and openness. 40% of all US exports to Latin America pass through Florida.

15 The Way Forward FY Strategy 1: Enhance security and privacy capabilities FY Strategy 2: Enhance the Enterprise IT environment, including application rationalization FY Strategy 3: Define the roadmap for maturing IT Processes & Strategic Business Alignment FY Strategy: Complete migration to enterprise architecture; Implement enterprise hardware and software asset management and service delivery FY Strategy: Implement statewide IT investment and portfolio management; Strengthen these throughout the State The Way Forward: Federated Identity & Access Management Enterprise Data Exchanges Rapid, Streamlined Delivery of Systems and Services Uniform End-User Experience egovernment - anywhere, anytime, any device Digital Automation (digital forms, signatures, etc) Enterprise Application Portfolio Management

16 Statewide Strategic IT Security Plan Agency for state Technology For more information visit