									        2002 NASCIO Recognition Awards
                                      Nomination Form
Please complete entire form.
All nominations must be postmarked no later than Monday, July 15, 2002.


Title of Nomination:         Missouri IT Advisory Board State Security Committee

Project/System Manager:           Rex Peterson / Gail Morris

Job Title:        Chief / Security Officer

Agency:           Office of Information Systems

Department:       Missouri Department of Health and Senior Services

Address:          920 Wildwood Drive

City:             Jefferson City

State:            Missouri                                     Zip:   65102

Phone:            573-751-6450

Fax:              573-526-7645

Email:            PeterR@dhss.state.mo.us / MorriG@dhss.state.mo.us

Category for judging
(please list only one):        Security and Business Continuity

Person Nominating
(if different than above):

Job Title:

Address:

City:

State:                                                         Zip:

Phone:

Fax:

Email:

Please return nominations to:
2002 NASCIO Awards
167 West Main Street, Suite 600
Lexington, KY 40507
broszman@amrinc.net
                                Executive Summary
In February 2000, the Missouri Information Technology Advisory Board (ITAB)
established the Missouri State Security Committee (SSC) to provide guidance on the
confidentiality, integrity, availability and authenticity of Missouri state government information
and dependent resources. Ironically, the very information and dependent resources that Missouri
state government relies on to make its services more accessible and easier to use also increase
its exposure to attacks and information-related problems. Information is a valuable state asset
that must be protected, understood and managed in a manner commensurate with its value.
ITAB recognized this and felt it vital that Missouri state government take steps to mitigate the
state's current and future information security risks, and so established the SSC.

The SSC is composed of primary and alternate voting representatives designated annually by each
ITAB member. To be effective, the SSC asks ITAB members to designate representatives
with a background in security and the technical aspects of IT systems, and/or representatives from
providers and users of the state's IT systems. The SSC meets at least monthly. Other state,
public and private entities interested in information security are invited to attend, participate in
discussions, and make presentations to the SSC during the open portion of any meeting. The
meetings are closed during discussions of computer security-related information exempted from
disclosure under Missouri's Sunshine Law; only the ITAB member representatives may be
present for those discussions.

The SSC provides the state and its citizens intrinsic benefits through continued and improved
information security, confidence and trust, but it primarily serves to advise ITAB and state
entities on issues applicable to information security in the following ways:

- Support the Information Technology (IT) Architecture Security Domain, an evolving
  comprehensive framework of principles, standards, conventions and mechanisms
  designed to preserve the confidentiality, integrity, availability and authenticity of
  Missouri state government information assets.
- Act as an authoritative source for opinions, practices, and principles for information
  owners, custodians, users, security practitioners, technology products, and systems.
- Define, establish and maintain coordination with other information security practitioners
  (e.g. ISSA, ISC2, NIST, CERT, NPIC, InfraGard) and security stakeholders.
- Promote information security and awareness.
- Provide a network to improve intra-governmental information security in the State of
  Missouri.

Probably the most important contribution of the SSC has been to raise awareness of information
security among the state agencies and to emphasize the need for trained information security
professionals in each agency. During the initial meetings of the SSC, most representatives
expressed concern that information security was not a priority in their agencies. Although they
were appointed to the SSC as their agency’s representative, information security was only a
minor part of their job duties. During the two years that the SSC has been meeting, this has
changed and information security is now a high priority for all information technology units in
state government. Additionally, the SSC fosters cooperation and information sharing among state
entities and other stakeholders to enhance statewide security efforts.
                               Written Justification
Description of State Security Committee (length of time):
Until the late 1990s, Missouri state government agencies maintained private networks; most
prohibited any dial-up access to their network or any link between their network and outside agencies.
This changed during the mid- to late 1990s as electronic data exchange and
Internet access to services became necessary to provide timely services to the citizens of the state.
In January 2000, only a few agencies had a designated information security officer, and while
some agencies had significant security policies and procedures in place, others had almost none.
Since all agencies were linked via a shared fiber optic network, even the agencies that emphasized
security were at risk from outsiders who could gain access through an agency with little protection.

Thus, in February 2000, the Missouri Information Technology Advisory Board (ITAB)
established the Missouri State Security Committee (SSC) to provide guidance on the
confidentiality, integrity, availability and authenticity of Missouri state government information
and dependent resources. ITAB was created to set state direction on standards and methods for
technology. The ITAB membership consists of the IT Directors from the various state agencies,
commissions, offices, colleges and universities. Each ITAB member is allowed a primary and an
alternate voting representative in the SSC's monthly meetings. Other state, public and private
entities interested in information security are invited to attend, participate in discussions, and
make presentations to the SSC during the open portion of the meeting. The meetings are closed
to all but the voting representatives and their alternates during discussions of computer security-related
information exempted from disclosure under Missouri's Sunshine Law.

Significance to improvement of operation of State Government:

Probably the most important contribution of the SSC has been to raise awareness of information
security among the state agencies and to emphasize the need for trained information security
professionals in each agency. In the initial meetings of the SSC, most representatives expressed
concern that information security was not a priority in their agencies; although they were
appointed to the SSC as their agency's representative, information security was only a minor part
of their job duties. During the two years that the SSC has been meeting, this has changed, and
information security is now a high priority for all information technology units in state
government. As a result of needs identified by the SSC, the State Office of Administration (OA)
has created a four-person Information Security Management Office (ISMO) to support statewide
security activities.
Other achievements of the SSC include:

- Proposed language and lobbied for legislation to clarify the exemption of computer
  security-related information from disclosure under Missouri's Sunshine Law. The legislation
  was passed this year and signed into law by the Governor.
- Championed Computer Incident Reporting policy and procedures that all executive
  branch agencies have agreed to follow.
- Significantly reduced downtime caused by viruses by improving
  communications between agencies about new viruses and ways to prevent their spread.
- Drafted information security principles to guide agencies when developing policies and
  standards.
- Worked with the statewide Information Architecture committee to establish guidelines
  and standards within a security domain.
- Created INFOCON (INFormation Operations CONdition) for Missouri State entities, a
  plan that quantifies cyberthreats to the critical information infrastructure and recommends
  actions to uniformly heighten or reduce network defensive posture, to defend against
  computer network attacks, and to mitigate sustained damage to the State of Missouri
  information infrastructure. The INFOCON system will support all personnel who use
  State of Missouri information systems, coordinating the overall defensive effort through
  adherence to standards.
- In collaboration with the State CIO, created an information security advisory council to
  assist the state's Homeland Security Officer on cyberthreats.
- Cosponsored an annual Network Security Symposium, which provides two days of
  seminars and demonstrations for security professionals from state and local government,
  military, higher education, and K-12 schools.
- Collaborated with other affected state agencies to ensure consistent compliance with
  federal security rules and standards, such as HIPAA, GLBA and the Criminal Justice
  Information System.
- Improved the relationship between state agencies and the Missouri National Guard.
  INFOCON for the State of Missouri is a cooperative exchange of security
  warnings between the Missouri National Guard's military information security system
  and the State's information security system. It parallels the military INFOCON
  system and adapts it for State use.

Benefits realized by taxpayers, agency, state:
The SSC advises ITAB and state entities on issues applicable to information security. It fosters
cooperation and information sharing among state entities and other stakeholders to enhance
statewide security efforts. Specific benefits of the committee include:

- Support the Information Technology (IT) Architecture Security Domain, a
  comprehensive framework of principles, standards, conventions and mechanisms
  designed to preserve the confidentiality, integrity, availability and authenticity of
  Missouri state government information assets.
- Act as an authoritative source for opinions, practices, and principles for information
  owners, custodians, users, security practitioners, technology products, and systems.
- Define, establish and maintain coordination with other information security practitioners
  (e.g. ISSA, ISC2, NIST, CERT, NPIC, InfraGard) and security stakeholders.
- Promote information security and awareness.
- Provide a network to improve intra-governmental information security in the State of
  Missouri.

Return on Investments, Short-term, Long-Term Payback

So far, the State's investment in the SSC has been minimal. Approximately 20 employees invest
90 minutes a month in meetings, plus work outside the meetings writing the committee charter
and drafting statewide security policies and procedures (approximately 2,000 person-hours of
effort in total). Many of the benefits of the SSC are related to an increased awareness of the need
for greater security of information and are not measurable. However, some of the SSC's
measurable returns and immediate paybacks include:

- In January 2000, only three agencies had designated security officers. Today, all agencies
  have someone designated as their security officer (although for the smaller agencies it is not
  a full-time job).
- In January 2000, no one was responsible for coordinating statewide efforts. Today, the
  Office of Administration's Information Security Management Office performs those duties.
- Between January 2000 and July 2001, Missouri state agencies experienced numerous virus
  attacks that resulted in agencies having to shut down their networks; in one case an
  agency sent all workers home because they were unable to work as a result of a virus attack.
  Since July 2001, no agency has had to take its network down because of a virus attack.
- In January 2000, Missouri had no statewide security policies or guidelines.
- In January 2000, the state had one Certified Information Systems Security
  Professional (CISSP) and very few staff with information security training. Today, the State has 2
  CISSPs and 12 more in the final stages of preparing for the CISSP certification exam.
- The policies and guidelines the SSC is developing are critical to the State's ability to
  maintain the security of its data as the State implements e-Government and Business-to-
  Government projects.

And some of the SSC’s long-term returns and paybacks are:

- Preserves confidentiality and privacy, enabling citizen trust and confidence.
- Mitigates the risk of undesirable events (e.g. malicious activity, vandalism,
  theft and unauthorized access).
- Enhances the efficient and effective processing of information via increased system integrity,
  performance and availability.
- Supports a consistent and comprehensive approach to information security.
- Proactively approaches information security as part of life cycle planning.
- Provides for the reuse of knowledge gained and lessons learned.
- Supports the cost-effective use of state resources.
