Assessment of Progress – MCA 2-17-521(4) (c)

This section fulfills MCA 2-17-521 (4) (c) regarding an assessment of progress made toward implementing the state strategic information technology plan.

2018 State Strategic Information Technology Plan

Goal Objective Update

1 - SECURE


ENHANCE INFORMATION SECURITY BY IMPLEMENTING STANDARDIZED BEST PRACTICES TO PROTECT SYSTEMS, ASSETS, AND DATA IN A COST-EFFECTIVE MANNER.
Objective 1.1 Develop and implement security standards, common controls, and best practices for information systems. The state established and implemented security standards, common controls, and best practices for information systems in state government based on NIST 800-37, NIST 800-53, and other industry best practices and frameworks. We utilized the MT-ISAC Best Practices workgroup to ensure public/private input, and we updated the information security policy, consolidating 144 separate policy documents into one overall policy document that is easy to read and understand.
Objective 1.2 Enhance the enterprise information security training and awareness program. The state migrated to a new security awareness training product and learning management system; this has improved performance, reporting, and, most importantly, user experience. We also integrated simulated phishing into that product and can now identify risk scores for every employee.
Objective 1.3 Protect information systems across the state by leveraging the public-private partnerships established by MT-ISAC to enhance information sharing, outreach, and risk awareness. The state developed multiple strategic partnerships to raise security awareness across Montana, to share cybersecurity information and threat intelligence, to secure the state's elections, to develop a cybersecurity workforce talent pipeline in Montana, to extend state cybersecurity resources to local and tribal governments, to inspire interest in young women to pursue careers in cybersecurity, and to help the Girl Scouts of Montana and Wyoming complete cybersecurity merit badges. MT-ISAC has seated a new council that leverages representatives from multiple industries to forge strategic partnerships that will raise security awareness across Montana and enhance protection of citizens' data in state, local, and tribal governments.
Objective 1.4 Develop the internal review and compliance program to provide data that proves efficient security controls or identifies security gaps to remediate. The state enhanced and streamlined the security assessment process and conducted multiple information system security assessments to identify risks, ensure application of risk-appropriate controls, and document policy of action and milestones where compliance is not achieved. The state is also implementing an enterprise Governance, Risk Management, and Compliance (GRC) solution which will provide real-time holistic risk profiles for all state information systems.
Objective 1.5 Develop automated processes in continuous monitoring and risk management to identify threats, gain efficiencies, and overcome resource limitations. The state implemented multiple products to detect compliance issues and security risks. We implemented weekly credentialed vulnerability scans on all state information systems to gain holistic visibility of the real-time threat environment. We are standing up an enterprise Governance, Risk Management, and Compliance (GRC) solution which will provide real-time holistic risk profiles for all state information systems.
Objective 1.6 Perform a cybersecurity cost analysis for the State of Montana, including investment recommendations. The state created a cybersecurity strategic plan and various business cases for cybersecurity investments. We are currently developing a metrics program to include KPIs and other calculations to capture ROI data.

2 - SHARED


DESIGN AND OPERATE A SHARED AND MANAGED SERVICES ENVIRONMENT.
Objective 2.1 Expand agency abilities to manage users and devices within enterprise shared platforms, including Multi-Factor Authentication and Mobile Device Management (MDM). The state has fully deployed MDM and MFA in a multi-tenant environment that has also enabled self-service portals for end users to interact with both products, decreasing ongoing end-user support costs.
Objective 2.2 Implement Unified Desktop Workspace (UDW) to decrease environmental impact and improve security. Deployed Unified Desktop Workspace to nearly 2,000 state employees, providing support for over 50 core applications delivered in 100 unique application configurations. UDW securely delivers users' applications and desktops using Chromebooks and thin clients, with Windows and Mac applications on the horizon. UDW is available both on and off the state network for secure access to a mobile workforce.
Objective 2.3 Leverage and expand public-private partnerships to decrease the cost of state data center operations. The state has continued to partner with other government entities to provide data center services that help provide cost stabilization for State of Montana entities.

3 - STATE-OF-THE-ART


DELIVER STATE-OF-THE-ART ENTERPRISE IT SERVICES TO STATE AND LOCAL GOVERNMENT AND THE UNIVERSITY SYSTEM.
Objective 3.1 Leverage and deploy technologies that provide a modern experience for citizens and employees that access government data and services. Transitioned the state to a more scalable and widely used web content management system that will deliver a modern experience for citizens on state websites. Deployed a new ADA compliant policy system available to employees and the public.
Objective 3.2 Implement Unified Desktop Workspace (UDW) to decrease environmental impact and improve security. Deployed Unified Desktop Workspace to nearly 2,000 state employees, providing support for over 50 core applications delivered in 100 unique application configurations. UDW securely delivers users' applications and desktops using Chromebooks and thin clients, with Windows and Mac applications on the horizon. UDW is available both on and off the state network for secure access to a mobile workforce.
Objective 3.3 Implement unified communication technologies to increase flexibility, mobility, and productivity. Deployed over 10,000 VoIP phones that enable state employees to route calls from a desk phone to a cell phone, which has enabled a remote workforce. VoIP has also helped control state long-distance costs and provided a more scalable solution during peak times.

4 - CAPACITY


IMPLEMENT SCALABLE TECHNOLOGIES THAT MEET CUSTOMER DEMAND FLEXIBLY AND RAPIDLY, WITH MINIMAL CAPITAL EXPENDITURES.
Objective 4.1 Enhance our incident response and disaster recovery skills by increasing the use of load balancing, Web Application Firewall (WAF), and our storage platform for redundancy, automatic failover, and failback. The state has added load balancing and WAF capacity to support additional fault tolerance and multi-agency control of web application protection. Additional DNS capacity and an enterprise IPAM solution will help drive the state vision for a more automated DR and highly available state IT environment.
Objective 4.2 Create a workplace environment that promotes recruitment and retention. Work cross-agency to deliver IT training through shared classes and by deploying Microsoft training statewide for IT staff.
Objective 4.3 Protect the systems the state hosts against the ever-increasing volume and sophistication of threats. Do this with state-of-the-art security tools and continued training of state employees on security measures. Added additional DNS and email security technology to protect state IT infrastructure. Also deployed behavior-based AV on workstations and servers, and implemented Security Orchestration, Automation, and Response (SOAR) technology. Invested in cybersecurity training for NOSC, National Guard, and state security employees to improve cyber and risk knowledge and skills.
Objective 4.4 Use advanced tools that are accessible to the end-user to promote our business intelligence and data analytics. Continued to promote and expand data.mt.gov as the state’s publicly available business intelligence and data analytics site for state datasets.
Objective 4.5 Leverage the DevOps concept that emphasizes collaboration and communication to standardize application development, operation tools, and code development. Continue to drive the state's adoption of DevOps by enabling the hosting of containers on-prem for delivery of egov services and rapid deployment of applications.
Objective 4.6 Promote enterprise content management and workflow solutions to reduce the dependency on paper documents and manual processes. The state has transitioned to a two-pronged approach to enterprise content management; this approach is delivered with an on-prem and an off-prem hosted environment, giving agencies product and location options for their ECM business needs.
Objective 4.7 Design and operate enterprise-class, on-demand storage, and computing. The state has continued to add storage options and capacity, including S3 storage located at each datacenter. All storage and backup systems support cloud tiering that has enabled long-term cost controls for data that does not require on-prem storage performance.
Objective 4.8 Implement scalable network circuit solutions that increase bandwidth while reducing costs, and continue to increase network access and capacity into the state’s data centers. Worked with telco providers on the new state network contract to deliver improved cost and performance to agency buildings throughout the state. Capacity and resiliency were added to both state data centers and the interconnections between them.

5 - CAPABILITY


DEPLOY CAPABLE TECHNOLOGIES THAT PROVIDE ESSENTIAL FUNCTIONALITY FOR A DIVERSE AND ENGAGED CUSTOMER BASE.
Objective 5.1 Implement phase one of Data Center Infrastructure Management (DCIM) to improve service provided capabilities and show available capacity for future growth by mapping rack environments to show equipment locations, network and power sources, and temperatures across the data floor. Completed phase one of Data Center Infrastructure Management (DCIM) and transitioned to a more cost-effective DCIM product to control costs.
Objective 5.2 Facilitate and automate the IT Service Management (ITSM) tool throughout our enterprise operations. Licensed ServiceNow enterprise-wide for ITSM that can be leveraged by all agencies for asset management, request fulfillment, change management, and help ticket management.
Objective 5.3 Design and deploy IT-based telephony to promote unified communications that allow users to communicate real-time across multiple platforms. Added support for VoIP calling from state and personal cell phones using iPhone and Android cell phone apps for the mobile workforce.
Objective 5.4 Continue to advance firewall technology that provides greater network security and flexibility. Added layer 7 firewall redundancy, availability, and performance to guest wireless and state entities hosted on SummitNet.
Objective 5.5 Exceed business and capability requirements for enterprise services and implement dashboards that provide real-time views into operations and performances. Implemented an enhanced change management process with customer-specific visibility to better manage business impact for IT changes and upgrades. Improved performance management dashboards and enabled live operations center reporting and change visibility on mobile devices for IT management.
Objective 5.6 Expand digital forensics capabilities to include multiple Open Source (OS) platforms, mobile, and network capabilities. Have already upgraded and isolated internet connection and some hardware and software in the Digital Forensics Lab, and invested in training and certifications for forensic investigators. In the process of updating other hardware and software, and are currently hiring additional FTE for offensive security.

6 - COST-EFFECTIVENESS


LEVERAGE PUBLIC-PRIVATE PARTNERSHIPS TO DECREASE THE COST OF STATE DATA CENTER OPERATIONS.
Objective 6.1 Enhance existing resources and identify new opportunities to provide additional shared services. The state has expanded the use of ServiceNow for enterprise-wide service desk usage with agency-specific portals and multi-tenant task and resource assignment, management, and reporting.
Objective 6.2 Deploy Software as a Service (SaaS) and Platform as a Service (PaaS), and existing systems over customized, ground-up solutions. The state has continued to deploy internal and external applications and services using SaaS and PaaS products from the state’s Microsoft O365 environment and the enterprise ServiceNow platform.
Objective 6.3 Continue to increase the energy, efficiency, and utilization of the state’s data centers. At the state data center in Miles City, the cooling system was modified, which resulted in an average energy savings, via cost-avoidance, of $32,000 annually. Also added cold aisle containment that enabled the state to place half of the cooling units on standby, improving power efficiency at the Miles City Datacenter.