March-20179GOVERNMENT CIO OUTLOOKdevelopment of an enterprise approach to security. Incorporating the results of independent audits and feedback from multijurisdictional partners, DET completed an enterprise security roadmap in mid-2013. The roadmap breaks down the state's security strategy into 12 security service categories and approximately 100 sub-projects and tasks, along with timelines, based on business needs, risks, and opportunities. The roadmap gets updated annually based on the input and approval of interagency governance groups, to make sure the policies, controls, projects, and technologies are meeting business customers' needs.Our progress has been encouraging. DET implemented an advanced firewall platform and a Network Access Control (NAC) solution at the state data center. Depending on the security profile of a user's device, NAC can restrict the data and systems available to the user, as well as employ anti-threat applications such as firewalls, antivirus software and spyware-detection programs. We're using the NAC effort to develop an enterprise-level implementation strategy for network protection, which will identify and control who and what connects to state networks. We're also engaging in a multifactor authentication strategy that combines two or more credentials to create a layered defense, which prevents unauthorized persons from accessing State Of Wisconsin IT systems.On top of those initiatives, we're implementing a Vulnerability Management Program that utilizes consistent assessment and reporting tools for the enterprise. This effort involves using the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities, especially in software and firmware, to diminish the risk of compromise associated with known vulnerabilities. The program also includes deploying specifically designed software tools that collect system configuration data and assess the information collected to identify and remediate vulnerabilities.It would be a relief if we could limit our cybersecurity scope to what state agencies and DET have on their plates. But that's not the world we live in. State agencies are just one important component in the network that protects our networks. Beginning in mid-2014, representatives from 16 critical infrastructure sector owners in the state (e.g., banking, energy, transportation, food and agriculture, water systems, to name a few) began meeting with the goal of producing a Cyber Disruption Response Strategy ­ a framework to help critical infrastructure owners and operators function in a collaborative, public and private partnership to respond to cyber disruption events. The strategy was published in October 2015.The teams that guided the strategy development then evolved into the Wisconsin Cyber Strategic and Planning Working Group (WCSPWG), which has an ongoing mission of providing strategic and planning direction for cyber resources in efforts to identify, protect, detect, respond and recover assets in collaboration with public and private partnerships. The Working Group establishes cyber strategies and plans with accountability to the Wisconsin Homeland Security Council. In 2016 the WCSPWG, among its many activities, conducted a joint tabletop exercise (with both public- and private-sector participation), completed a public/private joint training exercise, and continued development of cyber disruption plans for its sub-teams. The WCSPWG, DET and the state Department of Military Affairs also worked together to organize the 2015 and 2016 Governor's Cyber Summits at UW-Madison, which brought together statewide and national cybersecurity experts to share their expertise and discuss how the public and private sectors can partner to combat cyber attacks.DET has had to take a major role in organizing meetings, planning cybersecurity summits, and producing deliverables, but that's as it should be, and is a justifiable use of our resources. When the State CIO and CISO demonstrate that collaborative, multijurisdictional cybersecurity planning is a priority, it energizes all the players and leads to tangible results.As we look back on the growth of our multi-partner cybersecurity efforts since 2013, we recognize that putting advanced technologies to work is an essential piece. But so are the more mundane activities of going to a lot of meetings, making the extra phone calls, tapping on many shoulders, and slogging through considerable documentation. All of that is also a big part of the cybersecurity solution. We wish we could make it sound more glamorous, but the outreach and the collaboration really do pay dividends. And knowing we are helping to protect the critical systems, our residents rely on every day provides--the ultimate motivation.
< Page 8 | Page 10 >