Real World Application of US Technical Advisory Group IT ...
  • Thank you very much Erik Johnson and Jim Simpson. It is my pleasure to be here today and especially presenting to the United States Technical Advisory Group. I am the CIO for the Oregon Department of Transportation, serving some 5,200 ODOT employees with a team of nearly 300 IS staff, managers and consultants. We serve the Highway Transportation customer and their $3.2B highway and bridge construction and maintenance work; I have some 66 DMV field offices and the associated computer applications; additionally, I serve the Motor Carrier line of business as they serve the Trucking Industry that uses Oregon’s ports of entry, weigh stations and highways. So today, I am here to talk about “REAL WORLD APPLICATION OF IT STANDARDS”, and of course the standards that all of you have helped develop for organizations such as ODOT and the State of Oregon to use. I will cover work we have done to create the State’s Data Center by converging some 11 state agencies and some 18 data centers into one. We will also cover ODOT’s Security Fabric program. Both will detail where IT Standards have played a part.
  • But first, let’s examine the trends in Oregon’s EXPECTATIONS. From 2009 through 2011, we expect LESS of some things and MORE of other things.
    On the DECREASING side:
    • We see disparate systems decreasing.
    • We see disparate technologies decreasing.
    • We are under orders to decrease our costs through leveraging what we have and negotiating lower costs with vendors, and simply working smarter through collaboration with our sister agencies.
    • And we must ensure our systems are bulletproof so we can have less downtime.
    On the INCREASING side:
    • IS expects more functionality in the systems we produce.
    • Those systems have to be reliable.
    • Our users and customers have a growing expectation of what they can get from government systems.
    • We do expect more complexity, especially with the overlay of security and protecting PII.
    • Internal and external partner coordination is increasing.
    • Oregon is undergoing consolidation efforts such as its State Data Center, which is starting conversations about additional software consolidation; mainframe software consolidation is a good example of that.
    • And of course use of IT Standards. We look to standards so we don’t have to reinvent things. We want recognized best practices, so we can do it right the first time. But not only that: our Oregon Secretary of State Auditors are auditing agencies based on IT standards.
    So that is the IT ENVIRONMENT in which to tell this story of Oregon’s Trend Expectations.
  • Enter our efforts to create our State Data Center and how Oregon has used the ITIL version 2 framework reference standard. Computing and Networking Infrastructure Consolidation, code name – CNIC, was the State’s program to consolidate to one State Data Center.
  • The reason we wanted this consolidation was the PROMISE of a Utility Value Proposition. Comparing AGENCY BUSINESS VALUE with SINGLE INFRASTRUCTURE MANAGEMENT, we wanted to place those things that had the LOWEST CUSTOMER VISIBILITY in the State Data Center, and allow the agencies to continue to manage those things that had the HIGHEST CUSTOMER VISIBILITY. So the Data Center owns:
    • Hardware and Maintenance Services
    • The physical Data Center itself
    • Network Services
    • IT Monitoring
    • Its own Help Desk
    Roles shared with the Agencies include Security and Systems Integration. Finally, the Agencies own the Applications and Business Strategic Planning.
  • Graphically, the CNIC Roles and Responsibilities can be shown as follows: Agency-specific roles are in navy blue, Shared roles are in orange, and the State Data Center infrastructure utility is in turquoise.
  • Enter the use of the IT Infrastructure Library (ITIL). We are using ITIL because it is a proven standard and methodology. It usually takes 5 plus years for a data center to reach maturity, and what better way to have a conversation with the business and technology than one that gives us a methodical approach to managing expectations for Service Management (including Service Support and Service Delivery), Infrastructure Management, Security Management and Application Management.
  • We have further sub-divided ITIL into its sub-levels of Change Management, Problem Management, Configuration Management, Service Desk and Incident Management, so we have a fully connected set of Strategic Processes in which to measure our work and success over time.
  • And we have been busy. We worked on the planning of the Data Center consolidation for nearly 2 years. When we opened the doors in 2006, we were at Level 0 – the Chaotic stage. This was our lift-and-drop phase of transporting all the distributed servers, mainframes, storage area networks and networks into the center. In 2007, we hit the REACTIVE Level. In 2008, we began the PROACTIVE Level. And now, in 2009, we are at Level 3, Service, where we are defining services and classes and getting a better handle on service pricing as we conduct the SDC Finance Committee meeting and refine rate schedules. Along the way we have:
    • Leveraged tools
    • Undergone operational process engineering
    • Created Service and Account Management
    • And begun Service Delivery Process Engineering
    We will not see an overall return on the investment for a total of 5 to 6 years, into Level 6, known as VALUE.
  • Through all of this the US TAG has been our partner, because you have created the IT standards that we have used: ISO/IEC 20000 for Service Management and ISO/IEC 38500 for IT Governance. Oregon congratulates the US TAG on developing these standards, because they give us a template of relevant industry standards with which to improve our data center’s capabilities and maturity.
  • And so our Data Center continues to march toward this UTILITY COMPUTING MATURITY MODEL, incorporating business interfaces, the IT organization, IT processes, software capability and hardware capability, all between 2006 and 2012.
  • So we thank you for the ISO/IEC 27000 family of security standards, which we use. Both ODOT and Oregon’s State Data Center are using these industry standards and of course are being audited against them by Oregon’s Secretary of State. The ISO/IEC 27000 standards have been valuable to us and set the stage for our asset accomplishments to date.
  • Those accomplishments center around three areas that you can treat like a Balanced Score Card for reporting purposes: Operations accomplishments, Increased Capacity accomplishments, and standardization and consolidation of physical equipment. To date, Oregon has a Balanced Score Card of State Data Center Accomplishments, all expanded by critical success factors that have added operations support and increased capacity while standardizing and consolidating. This slide shows those accomplishments balanced between the three driving forces of day-to-day operations, the demand for increased capacity and service, and standardization and consolidation.
  • Remember that a key goal of the Security Fabric Project is to get us all thinking about how to reduce the risk linked to how we manage our sensitive and confidential information assets. Whether the situation is several employees handling a few sensitive documents or one computer application handling personally identifiable information on every employee, we must look at ways we can reduce the risk of sensitive information getting into the wrong hands.

Real World Application of US Technical Advisory Group IT ... Presentation Transcript

  • 1. An Oregon State Government Case Study Real World Application of IT Standards Presented by Ben Berry , CIO Oregon Department of Transportation March 10, 2009 The United States JTC1-SC7 Technical Advisory Group (US-TAG) and MSI Systems Integrators Sponsor to the Spring 2009 Meeting Two World Trade Center in the “Mezzanine 5” room, Portland, Oregon
  • 3. IT Environment Oregon’s Trend Expectations
  • 4. Technology Standard: Information Technology Infrastructure Library (ITIL) US TAG members are co-authors (contributing authors) to ITIL v2 (a framework reference). Shared Vision State Data Center
  • 6. CNIC Roles & Responsibilities (diagram with three areas: Agency-Specific, Shared, and State Data Center Infrastructure Utility). Labels shown: Program & Customer Relationship Management; Development & Testing Environment; E-Gov and Line-of-Business Applications; WAN Switches; LAN Switches; Routers; Internetworking; Software Management; Software Distribution; SLA Mgt.; Change Mgmt.; Process Reporting; Security; Charge Back; Performance Management; Data Gathering; Surveillance; Capacity Planning; Data Cable Infrastructure; End User Help Desk.
  • 7. ITIL Foundation: IT Infrastructure Library Overview (diagram spanning Business and Technology). Components shown: ITIL – Planning to Implement Service Management; The Business Perspective; Application Management; ICT Infrastructure Management; Service Management (Service Delivery and Service Support); Security Management.
    • The State is currently focused on implementing an ITIL v2 service management framework that is very closely linked with the standard ISO/IEC 20000 IT Service Management, for which the US TAG has taken a leadership role in development.
    • ISO/IEC 20000 is now the fifth most referenced IT standard in ISO's catalog.
  • 8. ITIL Foundation Process Chart Reference User
  • 9. IT Service and Process Maturity Model
    • The model illustrated below describes an evolutionary improvement path from an ad hoc, immature process to a mature, disciplined process for improving service for all the State Data Center focus areas.
    Maturity levels (diagram, with the State Data Center’s position by year):
    • Level 0 – Chaotic (2006 Position): ad hoc; undocumented; unpredictable; multiple help desks; minimal IT operations; user call notification.
    • Level 1 – Reactive (2007 Position): best effort; fight fires; inventory; initiate problem mgt process; alert and event mgt; monitor availability.
    • Level 2 – Proactive (2008 Position): analyze trends; set thresholds; predict problems; automate; mature problem, configuration, change, asset and performance mgt processes.
    • Level 3 – Service (2009 Position): define services, classes, pricing; understand costs; set quality goals; guarantee SLAs; monitor and report on services; capacity planning.
    • Level 4 – Value (2010-11 and 2011-12 Positions): IT and business metric linkage; IT/business collaboration improves business process; real-time infrastructure; business planning.
    Enablers shown along the path: Tool Leverage; Operational Process Engineering; Service and Account Management; Service Delivery Process Engineering; Business Management; ROI Mgmt.
  • 10. Capability Maturity Model Integration (CMMI)
    • The higher the rated maturity of an organization (i.e. CMMI Levels), the more likely the organization will seek guidance against existing standards, such as ISO/IEC 20000 IT Service Management or ISO/IEC 38500 IT Governance.
    • Well-defined processes and assessment mechanisms (as outlined in these standards) are hallmarks of CMMI Levels 3 and 4.
    • Oregon congratulates the US TAG on developing these standards. The State of Oregon has elected to apply these very relevant industry standards to improving capability and maturity in support of its State Data Center.
  • 11. Utility Computing Maturity Model
    • The model illustrated below describes an evolutionary improvement path from a dedicated, non-standard, inefficient technical environment to a mature, efficient, on-demand utility computing service.
  • 12. ISO/IEC 27000 Security Standards
    • The ISO/IEC 27000 family of security standards originates within US TAG, JTC1-SC27 (IT Security), where this crew is IT Systems Engineering and Lifecycle.
    • As such, ODOT and Oregon’s State Data Center are customers of these industry standards and of the standards bodies that created them.
    • ODOT is working against ISO/IEC 27000, which has been very valuable as a standard, and to the industry standards development process as a whole.
    • Here are the asset accomplishments to date.
  • 13. Balanced Score Card of State Data Center Accomplishments (table with three columns: Operations, Increasing Capacity, and Standardization & Consolidation; Operations = IT Standards Implications). Accomplishments listed: 10 pSeries Utility Servers; 5,391 FY07 Agency Requests; Virtual & Blade Center Technology Installed; High speed Redundant NW (area specific); 233 Server Consolidations; Enterprise Event Monitoring; 2 Mainframe Upgrades; 9,706 FY08 Agency Requests; 50% of NW & Security Equipment Standardized; 3 to 1 MF Consolidation; On-Net Phone Systems Upgrades; iSeries Standard OS; 40% Storage Capacity Increases; Virtual Tape System; Automated Tape Library; Rate Methodology and Rates; Power & Consumption Management; Service Catalog; New Disaster Recovery Requirements; NW Intrusion Detection; Security, Tools, & Adm. Standardization; iSeries Upgrades; 2 p590 Unix Servers; NW Bandwidth; Email hub Upgrades; 73 Servers; 172 FY07 Contracts & Maintenance Renewals; 340 FY08 Contracts & Maintenance Renewals; 435 TB of Tiered Storage; Security Encryption.
  • 14. Technology Standard: ISO-based Information Security, ISO 27001:2005 and 27002:2005. Shared Vision: ODOT’s Security Fabric.
  • 15. As ODOT’s Security Fabric Strategy matures we will transition from Opportunistic and Project Level to Enterprise Level Security Policy Practices (chart of Scope against Time/Maturity, from Opportunistic to Enterprise; status legend: In Work, Cancelled, Not Planned, Cancelled Q1 2009). Initiatives shown: Info Asset Classification Pilot 1 - OIT; Identity Theft SB 583; Digital Signatures Integration; Active Directory Group Policies; Employee Security Policy (Q1 2009); ISBRA Security; TIM/TAM Identity Management; Transporting Info Assets; Information Security Policy; Controlling Removable Storage Devices (Nov 2008); Acceptable Use Policy; ID Theft Training; Encrypt DMV Field Office Network; Encrypt Laptops; Info Asset Classification Pilot 2 - SSB; Info Asset Classification Pilot 3 – Region 2; Incident Management Plan; Info Asset Classification Levels 4, 3, 2 and 1; Information Security Business Risk Assessment.
  • 16. ODOT Security Fabric Context: Agency Business Requirements
    Enable Transformation
    • Enable the Agency transformational business plans and IT Strategic Plan by leveraging multiple use or dual use strategies for complying with the Security Policies.
    • Proactively blur the legacy and new information business requirements boundaries through an early adoption of the enterprise security policies. (Reduce time to market by early adoption.)
    Service Reuse
    • Create secure business and technology business processes and an architecture that can support changing regulatory, business and customer needs.
    • Unlock the power of secure data transfer for transformation of the business, including mobile data where applicable.
    • Create a flexible security architecture that is aligned with the State’s Enterprise Security Office and the State Data Center.
    • Leverage common processes, applications and infrastructure services to achieve operational security, efficiencies, and cost savings.
    • Enable an ongoing low cost approach to maintain a secure presence for the Agency’s complex business processes to free capital for other value added capabilities.
    • Enable Information-based services to use the IT security fabric based on existing middleware applications such as Active Directory and Identity and Access Management security applications.
    Simplification
    • Improve the security of existing secure processes and systems by adopting a holistic integrated approach to common secure practices.
    • Reduce the number of one-off custom approaches to securing information assets.
    • Establish Common Security Services across multiple agency and enterprise policies.
    • Reduce Complexity of Security Solutions.
  • 17. Security Vision and Strategy: Holistic and Comprehensive Approach organized around Lines of Business. The Goal: Not a Silo Approach.
    • Enterprise Security Domains: Define the statewide security policies, bills and initiatives that are within the scope of the change. Shown: Information Asset Classification; Controlling Portable and Removable Storage Devices; Information Security; Employee Security; Transporting Confidential Information; Acceptable Use of Information Related Tech.; Senate Bill 583; Other Functional Domains.
    • Agency Service Domains: Define the ODOT Lines of Business services necessary to support execution of the Security Fabric (cuts across multiple domains). Shown: DMV; Motor Carrier; Highway Transportation; Rail and Others; Enterprise Content Management; Identity & Access Management.
    • Agency Policies & Practices: Define the ODOT internal policies and practices impacted by the Security Fabric effort. Shown: ODOT Acceptable Use Pol.; ODOT Information Security Pol.; ODOT Info. Security Guideline; Admin Criminal Background.
    Other diagram labels (repeated several times in the original): Payment Card Industry - PCI; Submission Processing; Customer Service; Manage Taxpayer Accounts; Reporting Compliance; Filing & Payment Compliance; Criminal Investigation; Internal Management; Other Functional Domains.
  • 18. Security Fabric Strategy Map. In the Future Implementation State, gaps exist that will need to be filled (chart columns: DAS Policy Current State; Agency Policy Current State; GAP Analysis; Future State Requirements; rows: Policy / Procedure / Practice / Initiative; Agency Lines of Business; Security Fabric).
    • DAS 107-004-050 Information Asset Classification
    • DAS 107-004-051 Controlling Portable and Removable Storage Devices
    • DAS 107-004-052 Information Security
    • DAS 107-004-053 Employee Security
    • DAS 107-004-100 Transporting Information Assets
    • SB 583 Enrolled, 2007 Legislative Session, Oregon Consumer Theft Protection Act
    • Senate Bill 583 Gap Analysis (Identity Theft)
  • 19. Security Fabric Framework Based Upon 3 Core Areas: Holistic Security Practices; Platforms, Templates and Toolsets; and Security Governance (diagram layers: Agency Business Functional Services; Agency Application Services; Agency Infrastructure Services; Application integration / shared services (FileNet, others); Business unit from broad based Practices and Procedures; Agency-wide utility functions and solutions (Active Directory, Identity & Access Mgt., Encryption); Enabling Security Technology (Middleware, physical tools and devices); Information Current Activities; Security Services).
    • Both Agency and Enterprise line of business services need protection and focus.
    • All require agency governance for an initial & ongoing sustainable security presence.
    • ODOT is engaged in a multi-variant approach to focus on those areas that provide the highest level of security, from easy to hard to implement.
    • Given each policy’s target timeline, high value security responses are addressed first!
  • 20. Sustainable Security Practice of Identification & Deployment:
    • Impacts to People, Process & Technology
    • Security Services are Delivered Through Agency Initiatives or Projects
    • Security Life Cycle Processes are supported by both Business and Information Services
    • Development of Security Policy Response is Guided by a multi-unit team (Resource Work Collaboration Team)
    • Communication & Training are required for people supporting each of the Sustainable Security Fabric lifecycle processes
    Iterative Sustainable Security Fabric Services Life Cycle (diagram): starts with Dept of Administrative Services Security Policies & Senate Bill 583 (Identity Theft) for Personal Identifiable Information requirements. Stages shown: Define Policy Requirements; Design Security Service Response; Construct Security Service; Test Security Service; Deploy Security Service; Operate / Monitor Security Service; Measure Effectiveness; Conduct Process Architectural Review; Use/Reuse Policy Driven Service; Service Repository; all under GOVERNANCE.
    Requires a Broad Based Security Policy Governance Process:
    • Governance Organization – Manage & monitor ongoing security agreements
    • Chart speaks to several aspects of US TAG standards development (e.g. systems engineering and lifecycle, IT governance, et al). Again, ISO/IEC 38500 falls under the aegis of the US TAG!
  • 21. State of Oregon “ Real World Application of IT Standards "