Password:
NASCIO: In an environment of increasing external threats as well as vulnerabilities created by more mobile workers and new technologies, what has been your major challenge with respect to IT security?
Stewart: Our current most pressing challenge arises from centralization of a major portion of Commonwealth-wide IT systems. Traditionally, Executive Branch agencies have functioned on a segregated, siloed basis. As we pursue transformation to a centralized infrastructure, we're faced with dual problems. We are designing a secure infrastructure that can meet the entire customer base's needs and at the same time we're re-engineering older infrastructure that would introduce risk into that new environment. We are very proactively bringing security expertise into the project development lifecycle at the earliest point possible. We're placing security checks into our strategic polices and tactical project development procedures.
Telework is a major focus for Governor Tim Kaine as one response to Virginia's transportation needs. We're actively implementing telework at VITA and we're working diligently to provide technology support for all of our customers statewide. Our major projects currently involve implementing an encryption solution for laptops and other mobile media to ensure security for sensitive data, and supporting the mobile workforce with secure remote access capability statewide. This includes the need for policy enforcement of security standards on remote users and personal computers. Part of this challenge is promoting security awareness among users so policies and risks are understood and taken seriously, while the other part is designing a secure remote infrastructure with the proper technological controls to enforce that policy.
NASCIO: What advice would you give to other State CIOs as being the most important elements of securing state IT infrastructure and protecting the privacy of citizens' personal information?
Stewart: In our experience, the most crucial strategic element of any enterprise information security program is the integration of the security program into all segments of the enterprise. Security should be involved at all stages of the IT decision-making process. It has to start with strategic planning and continue through product selection, the development lifecycle and finally into daily operational activities.
It is also strategically critical that security management have a clear and direct line of communication with high level management. Typically, security's place on the organizational tree impacts the effectiveness of the security program. Security findings are often at odds with other developmental and organizational forces. Unless your security team has an open line of access to higher management their concerns can easily be sacrificed to the expedient operational needs.
On a tactical level, there are three general important elements for securing the IT infrastructure. The first is the design of the infrastructure itself, including the technical security controls necessary to enforce policy. Second is in the capability, knowledge level and background of the technical persons you employ to run the infrastructure and to establish your information security program. Third is the soundness of the processes for authorized use of the infrastructure.
Relative to protecting citizens' personal information, in my opinion, there are five primary elements:
NASCIO: As CIO, how have you optimized your state's IT assets and delivery of services using a shared enterprise infrastructure model, especially as they relate to consolidation and shared services, and data center consolidation strategies and business justification?
Stewart: As I think many people now know, the Commonwealth of Virginia and Northrop Grumman have launched a groundbreaking 10-year, $2 billion public-private partnership to transform Virginia's IT infrastructure. It's a huge project. We're now consolidating and standardizing everything - mainframes, servers, desktops and laptops, voice and data networks, operating systems, e-mail, security, help desk and data center facilities.
Virginia has aggressively pursued consolidation and shared services since July 2003, when VITA stood up as the state's centralized IT utility. But the reality of the state's IT inventory was a hodgepodge of equipment and services, many seriously outdated and limited. Real transformation requires capital. Because the Governor and the General Assembly already had put the governance structure into place, we were able to pursue a public-private partnership. We took the metrics we had gathered and worked with industry to develop a completely new operating standard based on a wholly shared infrastructure. Now, we must wisely manage and invest Northrop Grumman's $272 million capital investment. The end goals, of course, are unparalleled improvement in service delivery and measurable results for citizens.
I can truly say that this transformation initiative is not just a contractual arrangement but an innovative partnership, with each partner bringing assets and capabilities that are essential to its success. Northrop Grumman's contributions include a commitment to grow the business. Its private sector perspective allows us to validate the business justification of our partnership. Together, VITA and Northrop Grumman are able to leverage the partnership's collective economies of scale and buying power far beyond what we could do individually.
We're approaching the one-year mark as partners and I know many eyes are on us. There've been bumps in the road and wonderful success stories and important lessons learned. Through this process I can tell you that the most important IT asset in the state is the staff. The agency IT staff serving on our many pilot projects deliver the real-world business knowledge we must have. Every consolidation project has had important adjustments made thanks to their input. Leveraging and optimizing this asset is our best path to successful transformation.
NASCIO: As CIO, what initiatives have you undertaken to promote cross-boundary collaboration and coordination with local governments in your state?
Stewart: : VITA has more than 900 customers. While state agencies comprise most of our business, we also serve educational institutions and local government. We have aggressively leveraged VITA's position as the central procurement source for telecommunication and IT goods and services to come up with increasingly favorable state contracts. This program typically results in significant utilization by localities, now about 60%. Translated, localities use the contracts we negotiate more than we do. It not only saves them on the prices for goods and services, but also helps avoid the administrative cost associated with the procurement process. Adding this spend into our volume frequently results in lower costs for our state customers.
VITA has long-standing service relationships with local governments in two important service areas: E-911 and geographic information systems (GIS). We operate the statewide wireless E-911 program, and I'm proud to say we've just about achieved complete "Phase II" coverage as required by the Federal Communications Commission across the entire state, putting us among the leaders in that area nationwide. To assist local governments in addressing E-911 issues, we have four regional coordinators in the field full-time.
A key aspect of our statewide GIS program is a true partnership with localities. We rely on local governments as the originators of essential data such as roads and street addresses. In return for providing data that meets statewide standards, we provide them with digital orthophotography - detailed map-accurate aerial photos - that are widely used for many local purposes, including, not coincidentally, improved E-911 emergency responses. In fact, it's that kind of synergy that inspired us to put our E-911 and GIS efforts under a single manager in our new Integrated Services Program so we can take a more holistic view of how we provide value-added services to localities. This synergy is proving helpful to our award-winning statewide interoperability initiatives, which are driven by local first responders. I sit on the E-911, VGIN and interoperability boards, and I've assigned key VITA employees to support initiatives as needed.
Our partnership with Northrop Grumman deliberately included measurable economic development and employment opportunity benefits for localities. It already has had a large impact on the counties housing the new data centers and it has the potential to positively impact surrounding localities. Telework opportunities are extending our reach to talent outside our physical footprint. The Return to Roots campaign, which promotes employment in Southwestern Virginia (http:www.returntoroots.org/), parallels this initiative and has sponsorship from our IT partner.
We believe localities will be interested in secure hosting and other service offerings that will become available through the partnership. Expanded broadband access, enhanced emergency communications, backup, security and other services previously unaffordable for many localities will be widely available at lower costs.
Our public-private partnership with Virginia Interactive (VI) offers Web site and online services development to localities through a self-funded model, which helps localities move past financial roadblocks to quickly launch needed citizen services. VITA and VI also use the state portal to promote local services and information. Many state agencies have multiple locations, and we want citizens to have quick, intuitive access to the services they need - even and especially if they don't know which government entity actually delivers that service. Expect continued emphasis from Virginia on simplifying citizen service by leveraging the portal to link related state and local services.
Communication is another priority. Two years ago, we launched the VITA Service Bulletin specifically for localities. It's a monthly e-newsletter and it spotlights specific services of benefit to localities, from information security to products for first responders. We also publicize events and other information of interest to localities; we recently promoted the first Virginia Digital Government Summit this way and were very pleased to have a high participation rate from local government IT strategists. The bulletin is available on our Web site and through permission-based e-mail subscription. We publish two more monthly e-newsletters on our Web site. Network News is targeted to agency customers but is available to anyone interested in VITA's activities. Cyber Security Tips is produced in a partnership with federal authorities. We cross promote all of our publications and have come to rely on them as effective vehicles for sharing important information.
NASCIO: Please describe some of the major IT projects and initiatives that your state plans to undertake over the next 1-3 years.
Stewart: Complete transformation of the state's IT infrastructure is our mission and it is underway. The launch of the partnership included three major projects: desktop replacements, a new enterprise help desk incident management system and server consolidation. These projects are essential to transforming state government's IT infrastructure into a more cohesive, efficient and up-to-date platform.
Our Enterprise Business Architecture continues to mature and is now included as part of Governor Kaine's statewide annual planning and budgeting process. On April 1, we launched a new Commonwealth portfolio management tool for all major IT project reporting. It provides agencies with improved ability to aggregate, manage and demonstrate the value of IT investments. It also eliminates many duplicative data entry processes.
Transformation absolutely requires that we identify every piece of hardware - both to refresh and to support. We recently launched a massive, comprehensive inventory of desktops, printers and other computer equipment at nearly 2,000 state agency sites across Virginia. By the end of June we'll have a very accurate picture of the current IT infrastructure and validate our existing inventory data.
The most visible transformation project is replacement, or refresh, of desktops at state agencies that are in scope to this project. New models have replaced outdated desktops, laptops and tablets at four pilot agencies. Our refresh teams have streamlined and improved the experience for agency computer users by surveying pilot participants, and we're now moving to refresh desktops at more complex agencies.
This refresh provides IT support for devices that previously had none, regularly scheduled hardware maintenance and replacement, up-to-date virus software and security features and common support and repair procedures. This project covers approximately 67,000 computers. We've scheduled approximately 8,000 desktop PCs and laptops for replacement each quarter, and it will take us the better part of three years to complete the initial refresh.
Partnership and agency application teams have worked together, sharing information about applications, servers, schedules and capabilities as we move to consolidate more than 300 servers. Participating agencies now have newer and more powerful servers, decreased provisioning timeframes, increased manageability, and an enhanced application development environment. This initial server consolidation is helping us prepare for the move to our new data center - the Commonwealth Enterprise Solution Center - scheduled to open in Chesterfield County just south of Richmond this summer.
Our new help desk system is being used at VITA and five customer sites. When we complete this project, a centralized help desk will be the single source of contact for employees of in-scope state agencies to report, log, track and resolve problems and service requests.
We're using the Information Technology Infrastructure Library (ITIL) to manage IT services effectively and efficiently, as a framework to guide how infrastructure and applications staff work together, and to communicate and manage IT services. In March, four pilot agencies participated in the first phase of ITIL. After additional testing, ITIL is expected to be deployed to other state agencies this summer. We're training customer IT staff as we're testing, allowing us to incorporate user feedback.
Outside of our transformation activities, VITA is supporting business initiatives across state government, many at the Governor's direction. Telework, electronic health records, disaster recovery, continuity of operations planning, information security, interoperability, veterans' and business services are just a few of many high-profile projects where technology is supporting the business of government.
Almost every agency is involved in some project uniting around citizen need and eliminating traditional service delivery "boxes." Many of the projects in our investment portfolio fall into this category, with multiple business owners participating under a common name and service orientation. We have major initiatives underway to improve state Web sites and the portal that further simplify citizen access to government service. We're incorporating our rich GIS datasets into exciting new applications, from forest management to environmental studies of the Chesapeake Bay.
NASCIO: Please provide any additional information that you would like to include.
Stewart: A customer-centric focus drives our service delivery mission. To best do our jobs, we need to know what our customers need and want from us. The Information Technology Investment Board (ITIB) and I have asked VITA to establish customer councils for each VITA service delivery directorate. We've invited subject matter experts from agencies to join in reviewing how VITA does business, with specific focus on improving processes to better serve the needs of agencies. So far, we've formed customer councils for Customer Account Management, Communications, Finance, Information Security, IT Investment Management, IT Partnership, Procurement and Small Agencies.
The ITIB formed its own ITIB Customer Council. Numerous meetings with cabinet members, agency heads and their direct reports, and other face-to-face sessions are being held to provide additional agency input into VITA's ongoing process reengineering. We've just launched a concurrent survey of both VITA and IT Infrastructure Partnership employees to make sure that we support their needs. It's vital that we get this partnership right, and the best way to guarantee our success is to constantly make sure that we are meeting the needs of our all of our stakeholders.
