Altered State: Transitioning Toward Risk ManagementCollaboration Among State, County, City, University
The state joined forces with the city of Des Moines, Cerro Gordo County and Iowa State University to apply for a $300,000 Department of Homeland Security grant, which they received, to establish a pilot system to continuously monitor networks, servers and web applications for vulnerabilities.
Using the new technology and routinely monitoring IT systems, the partners get more real time and consistent data. "It also crates a common language that now all agencies are running all the same vulnerability management system, and now we can see, not just how agency A compares with agency B, but also what challenges did agency A find and how did they fix that problem that maybe agency B has as well," Jeff Franklin, Iowa state chief information security officer, says in an interview with GovInfoSecurity.com (transcript below).
The pilot, which should last for two years, may be expanded to include another city and state, he says.
Segueing its focus from technology to risk management exemplifies the transition occurring in Iowa's information security office.
"We really need to speak the language of business and focus less on the language of IT, and that involves risk management" Franklin says. "When you're strapped with resources and strapped in your budget, you really need to target those resources to your most critical systems."
It's not that Iowa's information security office has ignored risk assessments; it hasn't. It's been performing ad hoc risk assessments for the past four years, using the ISO 27000 series of IT security standards published by the International Organization for Standardization. But that approach had limits. Agencies did show improvements in their risk assessments, but the progress stalled. "We're beginning to notice that agencies have started to level out," Franklin says, "and it seems that in those risk assessments, the low-hanging fruit has been taken care of."
Franklin, in the interview with GovInfoSecurity.com's Eric Chabrow, also discusses the:
- Approach Iowa takes in governing IT security.
- Changing role of the state Information Security Office.
- The state offering IT and IT security services to other governments in Iowa.
Franklin serves on several state technology councils and is a member of the Iowa Infragard and Multi-State Information Sharing and Analysis Center. Before becoming the state CISO, Franklin worked for the Iowa Department of Natural Resources, Des Moines Fire Department and private industry.
Iowa State University granted Franklin a master of science in management information systems with honors and a graduate certificate in information assurance. He also holds a bachelor of arts degree from the University of Northern Iowa and a certified public manager designation from Drake University.
Governing IT SecurityERIC CHABROW: Take a few moments and tell us about how IT security is governed in Iowa.
JEFF FRANKLIN: The state of Iowa, like many states, is moving from a federated environment to the consolidated environment. In the last legislative session, the legislature mandated that we consolidate our infrastructure services and our security services. That was done primarily in response to the national budget pressures and financial pressures that states are facing and in addition to the security challenges I think states are facing.
CHABROW: Explain a little bit the process of going to a federated model.
FRANKLIN: We have an IT redesign committee that was formed, and the areas we wanted to target and the consolidation effort were jointly decided on by interpreting the language from the legislature, but also with all the agency CIOs. Our primary consolidation target that we're working on most actively is our e-mail consolidation. The state of Iowa had 23 some e-mail systems and we've reduced it now down to I think roughly half of that now, and we have some specific timelines to do that. Other areas we're looking at consolidating are target server consolidation and desktop virtualization. Each of the core functions of infrastructure, and security included in that.
CHABROW: At the moment, in your structure, who does the CISO oversee? What authority does the CISO have? What agencies have their own information security officers, and how would that change the way people do their jobs under the move to a federated model?
FRANKLIN: The key change for us is that the CIO would be appointed by the governor. That's a change that's in the legislature, and so the CIO would be the key driving force for security initiatives, infrastructure initiatives and anything dealing with those consolidation efforts. From the security standpoint, we have about half a dozen dedicated information security officers. They're typically in our larger agencies like Human Services, DOT, the revenue department. And then we have a central information security office as well, and we provide a various number of functions.
Our primary role right now is more of a governance role. My responsibilities typically rely around policy setting, setting base plan standards, setting policy at a higher level. Those are minimum standards that we set. A specific agency may have specific federal guidelines that they have to follow and requirements that they have to follow, and so they certainly can set more stringent restrictions that are specific to their agency.
Changes as a result of that consolidation, we will still needs specialists in those areas. I don't know what the reporting structure will look like. That will be up to our new CIO. We'll still push for new initiatives on an enterprise level. We have several initiatives underway already, and so I would anticipate that they would gather more steam under a consolidated environment.
From Policy Setting to Hands-on
CHABROW: Would you expect that your post would be more hands on, at least within some agencies, maybe some of the smaller agencies?
FRANKLIN: I do. Right now, we're primarily a policy setting agency and overseeing risk assessments, but I see that the ISO would be more operational in its nature. I see that we'll be providing more technical services, such as forensics and web application scanning.
CHABROW: I know one of your concerns is risk management, and I understand Iowa just received a grant from the Department of Homeland Security to explore ways to improve risk management. First off, let's talk a little about why risk management is such an important element of IT security to Iowa, as well as we hear from other states. And, then, let's talk a little about this grant and how is it being approached and what does this mean for Iowa.
FRANKLIN: You know, I think that's the biggest change in the information security field that we're seeing. Typically, the staff that you get in an information security officer are technical in their IT, and they need to have that understanding and those abilities. But we're moving our focus from a technology focus more to a risk-management framework and risk-management approach. We really need to speak the language of business and focus more on the language of business and less on the language of IT, and that involves risk management. When you're strapped with resources and strapped in your budget, you really need to target those resources to your most critical systems. Blanket systems can be difficult to implement. They're time consuming, and they may not meet the needs of the business.
Specific to our Homeland Security grant, what we were looking at, we've been performing risk assessments for the last four years. It's been an interesting trend. We use the ISO 27000 series process, and we have noticed that each year, agencies do improve, but we're kind of starting to level out. And so it seems like in those risk assessments, the low-hanging fruit has been taken care of. The high risk items are taken care of and those are addressed. And so really we're in an organizational maturity phase, I believe, where we go from that ISO series and we complement that with more technical components.
What we're looking at is continuous monitoring or continuous vulnerability management system. We approached Homeland Security for a grant to pilot a system, and this was in partnership with Iowa State University, the city of Des Moines, Cerro Gordo County, and the state of Iowa in order to put in a system that will continually monitor our networks, continually monitor our web apps and our servers. The problem that we run into right now is that we have preventive and vulnerability tests are done on more of an ad hoc basis and an as requested basis. When we get that information back, that's excellent information to have. It helps us target where we want to resolve it, target our resources to resolve those problems, but it's only as good as that point in time.
The goal of that system and the goal of the grant is to put a solution in place that can continually monitor or routinely monitor whatever we want to monitor. If we want to scan a web application and do that on a regular basis, once a month or twice a month, we can do that. We can set the parameters to do that. If we want to scan a subnet of computers and PCs on a certain time interval, we can do that as well. What we get out of that is more real-time reporting and more consistent reporting, and that's beneficial across not just a few agencies, but that would benefit the enterprise as a whole. It also creates a common language that now all agencies are running all the same vulnerability management system, and so now we can see not just how this agency A compared to agency B, but also what challenges did agency A find and how did they fix that problem that maybe agency B has as well.
CHABROW: With this grant, how is the structure of this collaboration with these other organizations working? What are you actually looking at? Are you looking to develop specific processes? Are you looking into specific kinds of technologies? How do you work with one another?
FRANKLIN: I have the benefit of coming from the city of Des Moines, and so I had a relationship built already with the city of Des Moines and knowledge of their IT department. I reached out to the CIO there. I knew that was a need that they had as well. We will be looking at how to best implement this, what's best for the city of Des Moines, and what's best for the state of Iowa. We have a common problem, and the common problem is that we have inconsistent monitoring of our networks when it comes to a solution in place that is continually looking for vulnerabilities. They need to be able to manage it somewhat granularly as we need to manage it in a granular fashion.
When we're looking for solutions - and I know there are solutions out there on the market - I think what we'll be able to do is similar to what Minnesota has done and been successful at, and that's partner with universities or city or county orgs and be able to provide them a solution and a tool that will reduce their risk.
CHABROW: With this grant, how much was it and how long until you hope to have some results from that?
FRANKLIN: The grant was roughly $300,000. That'll probably be enough to pilot, between the state, a couple cities, a couple counties and the university to see if this partnership and collaboration will work.
CHABROW: How long do you think that would take before you find that out?
FRANKLIN: I tend to be an optimist, and so my optimistic side says a year, but my realist side says probably a year and a half to two by the time we get it in place, get it tested and get the processes in place and try them out. I know Minnesota has been through this process and we've built a previous relationship with them and looking at how they went about implementing it. We're going to draw as much as we can from them.
CHABROW: Could there be any kind of consolidation of systems beyond the state into the cities and counties and universities, or at least some elements of that, because everybody is facing some budgetary problems?
FRANKLIN: There's always that possibility. Our administrative services department is as a service provider of our infrastructure, and so if a city or county no longer wanted to provide their e-mail service, they could reach out to state government, and we could offer them that service. We've done that in the past, and this would be another great example of that partnership.