
ABOUT NASCIO   |   CIO Spotlight

George Bakolia
Chief Information Officer
North Carolina Information Technology Services

NASCIO: In an environment of increasing external threats as well as vulnerabilities created by more mobile workers and new technologies, what has been your major challenge with respect to IT security?

Bakolia: The combination of mobile workers and new technologies is volatile and substantially increases risk. There is no such thing as 100% guaranteed security. The best you can hope for is reducing risk to acceptable levels with a sound, multifaceted program of controls. You have to anticipate and plan for ever-changing threats resulting from new technologies, as well as the increasing opportunities for potential misuse and abuse by a mobile workforce. That's a challenge in itself.

It is very important to set policy and educate the workforce on information security. Organizations must control who has access to specific resources very closely and constantly monitor their use.

In North Carolina we have an extensive training and awareness program that includes newsletters, online training and scheduled events. We vet our employees and contractors and require annual security training with renewal of signed agreements.

On the technology side, it is important to know who is connecting to your network and to validate and monitor the resource. Standard device configurations, limiting user privileges, and sound vulnerability management programs with automated updates are essential to manage remote access. We use some file encryption and are actively looking at full disk encryption of mobile devices to further protect citizen data.

NASCIO: What advice would you give to other State CIOs as being the most important elements of securing state IT infrastructure and protecting the privacy of citizens' personal information?

Bakolia: Take a holistic approach. Security needs to be woven into the fabric of IT operations and state business. It is about assessing and managing risks associated with people, process and technology.

North Carolina's enterprise security program has a security manual that follows the ISO 17799 standard. We have a training and awareness program that includes newsletters, online training and security events. We partner with the Office of State Personnel to teach a section on IT Security in their Administrative Assistants Program. We have a layered approach to security including an enterprise approach to vulnerability management.

My office manages cost-effective state contracts and enterprise licenses to security tools such as anti-virus, patch management, firewalls and IPS. User identification and access is managed consistently statewide through NCID. Our North Carolina Security Analysis Center, NCISAC, operates statewide to issue cyber alerts and warnings. When something does go wrong we have a statewide cyber incident management plan, a memorandum of understanding with law enforcement and a forensics lab.

On the process side, security has benefited from the Information Technology Infrastructure Library (ITIL) initiative that has improved our IT operations. Consolidation of agency infrastructure and an enterprise approach to risk management improve agency security posture.

NASCIO: As CIO, how have you optimized your state's IT assets and delivery of services using a shared enterprise infrastructure model, especially as they relate to Consolidation and Shared Services, and Data Center consolidation strategies and business justification?

Bakolia: For the State of North Carolina, consolidation of IT infrastructure and shared services picked up speed with the passage of Senate Bill 991 in 1994. That legislation directed the Office of State Budget and Management, in conjunction with others, to develop a plan to consolidate IT infrastructure, staffing, and expenditures in executive branch departments where a statewide approach would be more economical.

We decided to take a measured and phased approach. The technology focus is on Local Area Networks, desktops, data centers, security and the service desk. The first group of agencies was completed last fall. The agencies in the initial consolidation effort were the Office of Information Technology Services, the Department of Administration, the Office of State Budget and Management, the Office of State Personnel, and the Governor's and the Lt. Governor's Offices.

After completion of lessons learned and identification of efficiencies from Phase I, the second phase of consolidation has begun and will be completed at the end of this year. Participating agencies are: Office of State Controller, Department of Cultural Resources, Department of Commerce, and Department of Juvenile Justice and Delinquency Prevention.

As part of IT consolidation, the Business Relationship Management function became key to communication between ITS and the consolidated agencies as well as performance of service level reviews. Another key function, Asset Management, is being established to support the strategic management of IT assets through their life cycles, to control the costs of assets and to provide responsive, reliable and secure IT services. These two processes are important to the expansion of the IT consolidation effort.

On another level, North Carolina has begun a multi-year effort to replace its core business systems. BEACON is the largest single consolidation effort right now. It's going to touch every state employee in some way.

As a result of these efforts, we're building a second data center. This 24/7 hot site will enable us to develop a comprehensive backup strategy for critical applications used by state agencies and provide some additional flexibility and capacity. It will also allow us to fully balance our production environment.

NASCIO: As CIO, what initiatives have you undertaken to promote cross-boundary collaboration and coordination with local governments in your state?

Bakolia: I haven't undertaken any specific initiatives, but local governments are active users of our shared services. By statute, local government entities and school administrative units may use any programs or services offered by ITS. They provided almost 10 percent of our revenue in the 2005-2006 fiscal year.

NASCIO: Please describe some of the major IT projects and initiatives that your state plans to undertake over the next 1-3 years.

Bakolia: The state IT plan, which I updated this year, spells out our initiatives for the next two years. In general, it recommends:

  • Continuing our efforts to replace the state's aging core business systems, such as payroll, and to consolidate the IT infrastructure across state agencies.
  • Making a second data center now under construction fully operational.
  • Implementing a statewide IT asset program that we think will be the first of its kind for state government.
  • Developing new shared services, where appropriate.
  • Creating an IT start-up fund to absorb some of the initial overhead for new services, so the initial users do not have to bear all of the costs.
The full plan is available at: www.scio.state.nc.us/Statewide_IT_Plan/Statewide_IT_Plan.pdf.