
NASCIO CIO Spotlight

Dick Thompson
Chief Information Officer
Maine Office of the CIO

NASCIO: In an environment of increasing external threats as well as vulnerabilities created by more mobile workers and new technologies, what has been your major challenge with respect to IT security?

Thompson: In the past year, security of the State's electronic assets has seen wide-ranging and significant improvement in the State's buildings, physical plant, network, and data in general. In support of our security effort, we have developed a number of policies and procedures; however, with the widespread use of computers, and particularly the internet, our greatest challenge continues to be an agile organization, responsive to the ever-increasing and changing security threats. The biggest challenges we have identified are: 1) dealing with the use of -- either securing or banning -- personal computing devices accessing the state's network; 2) encrypting mobile devices and preventing download of unencrypted data; and 3) managing VPN access to state resources in such a manner that mobile workers have access to their data in both a convenient and secure manner.

NASCIO: Please describe some of the major IT projects and initiatives that your state plans to undertake over the next 1-3 years.

Thompson: Historically, Information Technology in Maine State Government had developed over many years through grass-roots efforts in individual agencies. As of 2005, IT consisted of the Bureau of Information Systems and as many as twenty-two (22) different entities operating with the authority to make most technology decisions without restriction. Notable exceptions were telephone and wide area network/internet services, which were operated centrally. By the end of 2005, IT was unified as the Office of Information Technology, with major shifts occurring throughout every aspect of IT. It is precisely because of the consolidation that the state has been able to initiate some ambitious projects. The State of Maine IT Management Plan gives strategic direction for future IT projects (see http://www.maine.gov/oit/ITMgmtPlan/index.htm). Decisions on which IT projects to pursue are based on the State of Maine Information Technology Guiding Principles.

The State of Maine recognizes that sound project management has a great impact on the success and cost-effectiveness of IT systems and infrastructure. Collaboratively, agencies and the Office of the CIO are beginning to improve in these areas by following professional standards and best practices for project management. The Project Management Office continues to expand its influence over management of high-dollar, high-visibility IT systems. The State has procured a license to use TenStep methodology for project management "in 10 easy steps." A comprehensive Project Management Process is available for more complex, high-dollar projects.

A few key IT projects to highlight, which are in line with these guiding principles, include:

Certificate Services and Identity Management: Establish the infrastructure for public key infrastructure (PKI), to enable multiple uses of "strong authentication" (which will enhance computer security as well as encourage electronic commerce).

Electronic Records and Information Management (ERIM): An enterprise-wide initiative for archiving and managing electronic documents, beginning with e-mail and expanding to other electronic records.

Maine Revenue Integrated Tax System (MERITS): Migrate from an IBM mainframe to a new web-based user interface. MERITS will provide additional functionality that will improve employee productivity, taxpayer service, revenue collection, and equitable tax compliance.

Radio communications: Achieve interoperability for radio communications for all agencies (State Police, Transportation, Conservation, and others). The communication system will be based on a very high frequency (VHF), high band, digital network with a backhaul consisting of microwave and landline. See: http://www.maine.gov/oit/radio/mscommnet/about.htm.

Medicaid Management Information System (MMIS): Contract out to a "fiscal agent" service, replacing our custom-developed legacy system.

The Department of Public Safety: Implement a Commercial Vehicle Information Exchange Window (CVIEW) application supporting commercial vehicle screening, inspection, and enforcement activities. This system is a collaborative effort involving several agencies.

Continuing support and enhancement of many enterprise-wide or agency-specific IT systems and initiatives, as described in our 2006 Annual Report: "Information Technology in Maine State Government." See: http://www.maine.gov/oit/reports/2006AnnualReport.doc.

NASCIO: As CIO, what initiatives have you undertaken to promote cross-boundary collaboration and coordination with local governments in your state?

Thompson: Our electronic age increasingly presents opportunities for state and local collaboration that are not merely advantageous but essential. It is vital that the Chief Information Officer for the State of Maine take a leadership role in initiatives that use the improved economies of cross-boundary collaboration with local government for our mutual benefit as well as for our shared constituent bases. Specifically, we promote collaboration directly through online services for citizens, as well as telecommunications infrastructure development projects.

The geographically distributed nature of telecommunications infrastructures makes them naturals for collaboration with local government. We have fostered ongoing sharing arrangements of telecommunications facilities with both K-12 and post-secondary educational institutions. The Maine State Communications Network (MSCommNet) is a public safety radio network that leverages common infrastructure and co-location with compatible local initiatives. And we actively promote and participate in the collaborative development of facilities, like the Central Maine Regional Communications Center, that provide local along with state-wide dispatch services.

InforME is Maine's electronic gateway to the public for public information and online services. The CIO chairs the board, which also includes State, local, and business representatives and has created a cross-domain service delivery portal for public entities. Some of the services, such as auto registrations, have evolved from traditional bricks-and-mortar outlets to web-based ones. "Ready, Set, Gov," which is a portal for the services of local and regional governments, represents new opportunities to work with local and regional government to deliver valuable services to the public.

NASCIO: As CIO, how have you optimized your state's IT assets and delivery of services using a shared enterprise infrastructure model, especially as they relate to consolidation and shared services, and data center consolidation strategies and business justification?

Thompson: Central to the Office of Information Technology consolidation and approach to shared services is a deliberate and informed effort to support the business needs of Maine State Government in providing services to citizens. To that end, two major stakeholder groups were created to facilitate communication between the agencies and the new centralized Office of Information Technology. The Information Technology Executive Committee, comprised of senior managers from agencies throughout Maine State Government, provides guidance to agencies and government as a whole on business requirements and on setting business-driven priorities that will guide the development of all collaborative efforts. The CIO Council provides direct communication and guidance from departmental Agency Information Technology Directors (AITDs) to the CIO. This group also includes IT directors from other branches of State government (legislative and judicial) that were not included in the IT centralization effort. Including these branches of government provides even greater opportunity to realize common goals and efficiencies.

The Office of Information Technology delivers its services through three centers: an Administrative Center, the Core Technology Services Center, and the Agency Services Center.

The central Administrative Center implemented a new governance model for approval of IT projects. This model uses an agency IT portfolio as a significant tool in the decision-making process, as well as incorporating a statewide perspective in each decision. This process has led to opportunities for collaboration and prioritization of funding. A new funding model supports required infrastructure maintenance, upgrades, and development.

The Core Technology Services Center is the umbrella for Security, Client Technologies, Application Services, Operations and Network Services. Addressing the needs of the State in a more unified manner has enabled statewide delivery of such services as an enterprise email system, a centralized enterprise-class security management and reporting system, and an integrated DHCP environment. Evaluation on a macro level of current software licensing practices and investigation of alternatives has led to furthering a "best practices" atmosphere. Statewide IT solutions such as the Radio Network and Cell Network are fostering economic development in Maine.

Within the Agency Services Center, eight Agency Information Technology Directors (AITDs) manage the day-to-day challenges of IT across the State of Maine. In addition to reporting to the CIO, the AITDs co-report to the Commissioners of their respective agencies, thus developing relationships that will eliminate barriers to the collaboration process. AITDs leverage the shared enterprise infrastructure model to assist 29 agencies, residing in 140 office locations, in meeting their business needs. Working in conjunction with the Core Technology Services Center and the Administrative Center, the AITDs are able to optimize the state's IT assets to assure quality in the delivery of services.

NASCIO: What advice would you give to other State CIOs on the most important elements of securing state IT infrastructure and protecting the privacy of citizens' personal information?

Thompson: Continuous vulnerability assessment and patch management go a long way to protect the state's IT infrastructure. If hardware vulnerabilities can be kept to a minimum, there are fewer opportunities for malicious attacks.

Application vulnerability assessment and penetration testing for all new applications (and working through the backlog of older ones) is another way to reduce exposures. Secure coding practices will eliminate the most serious application vulnerabilities like cross-site scripting, buffer overruns, and SQL injections. If system developers write solid code and include security testing in their pre-deployment routine, application data will be much safer than if security relies only on perimeter defenses. Infrastructure and application vulnerability assessments need to be part of the system development methodology and must be an integral part of the final sign-off on all new application deployment.

Protecting the privacy of citizens' personal information is paramount.

Many serious data breaches are caused by a lack of awareness and a lack of sensitivity to security issues on the part of those who handle sensitive data. A security awareness training program that helps information workers understand the sensitivity of personal information -- taxpayer information, protected health information, credit card numbers, financial data, Social Security numbers, etc. -- is very important. In state government, many employees have long assumed that everything they do is open to public scrutiny. State employees' salaries are public information and their use of the state's Internet resources may be monitored. Names and addresses are public information; the state makes its Global Address List available under FOAA requests. Educating workers on privacy and confidentiality issues, helping them understand that personally identifiable information is sensitive and can be used for identity theft, showing them how they use or access sensitive data on their jobs -- all these steps can help to create an environment where a concern for data security is second nature and becomes a key part of a "defense in depth" security strategy.
