ALBERTA’S APPROACH TO AN INFORMATION AND TECHNOLOGY POLICY AND CONTROL FRAMEWORK
AGENDA
- OAG, Privacy Commissioner and Quality
- Alberta’s Approach to ITM Policies, Controls and Frameworks
- The Web 2.0 Impact
- What We Have Learned
OAG, PRIVACY COMMISSIONER RECENT MEDIA
OAG and Media

"Alberta Gov't records at risk of hacking: A-G. EDMONTON - The auditor general's office found electronic "footprints" showing that confidential government records had been accessed by outside sources, Fred Dunn said this morning as he outlined his annual report." - Alexandra Zabjek and Archie McLean, edmontonjournal.com, published Thursday, October 02

"Trust betrayed by multiple lapses in Gov't computer security. Actual breaches minor, but why were databases left unprotected? Invaders from Eastern Europe and Asia could have already infiltrated Alberta -- and the government's most top-secret information -- says Alberta's auditor general." - Paula Simons, The Edmonton Journal, published Friday, October 03

"We are lucky indeed to have an active auditor general's office with the mandate and chutzpah to keep tabs on those who spend our money." - Edmonton Journal, published Saturday, October 04
Privacy Commissioner

Information and Privacy Commissioner in support of Auditor General recommendations: Information and Privacy Commissioner Frank Work fully supports recommendations made by the Auditor General with respect to security and protection of information assets of the Government of Alberta. The Auditor General, among other things, is recommending establishment of a central security office to oversee all aspects of information security across all Government of Alberta ministries and departments.
Not just AB, Canada but all Governments (GovernmentExec.COM)

"If Alberta is like almost every other government in the world, skilled hackers got in and out with little notice. … And they're probably still hiding in a closet ready to pounce. In all fairness, Alberta is not alone. Attacks on Web applications are now considered one of the most worrisome for government information security folks. Targeted attacks on computers and vulnerabilities in Web applications topped the list of threats to government and industry information systems in 2007, according to a new report from the SANS Institute. While proper security measures can help lock down agency systems, employees are easily duped by the increasingly sophisticated methods of hackers.

"This is an arms race; each time we set up a defense, the people who are attacking raise the sophistication of the attack," said Alan Paller, Director of Research at the SANS Institute. "For a lot of years, the sophistication was in how well they could find vulnerabilities in the system. What's different is that as they have been blocked in most simple vulnerabilities, they've come up with two completely new ones that most federal agencies aren't even thinking about."

One emerging threat lies with Web applications, which accounted for half the total vulnerabilities reported in 2007, according to TippingPoint, an intrusion prevention systems vendor in Austin, Texas. And that figure doesn't include custom-developed Web applications, which are particularly prevalent in government."
ALBERTA OAG
We need the auditor to save ourselves from self destruction and self mutilation, and we need to protect our investments and our information, but also continue to deliver service, which means understanding and balancing risk.
ALBERTA’S APPROACH: ITM CONTROL FRAMEWORK
Alberta’s Challenges
- ITM policies were developed in reaction to ‘new technology’ and OAG, and:
  - could not keep up with continuous change
  - did not withstand the test of time
  - increased management burden
  - had no alignment
- Increased complexity of reorganizations and restructuring
- Gaps and overlaps caused exposure to unnecessary business, project execution and operational risks (134 ‘policies’ across 4 Ministries)
- Limited flexibility, as policies were prescriptive
ALBERTA ITM Control Framework (layers)
- Overall Strategic Direction & Vision
- Strategic & Tactical Policies
- Supporting Controls (Processes, Standards, Guidelines)
Forrester Research IT Compliance Life Cycle (figure): Phase I, Phase II, Phase III - Ongoing Management
CoBIT, Legislation & Other Frameworks (figure)
- Drivers: Enterprise governance, IT governance, best practices, controls and legislation
- Performance: business goals
- Conformance: Basel II, Sarbanes-Oxley Act, etc.
- Frameworks and standards: COSO, COBIT, ITIL (IT Service Management), ISO/IEC 2700x (Security), ISO/IEC 9001:2000 (Quality Management), Balanced scorecard
CoBIT Maturity Model - understand where IT and business are for each control

Maturity Level | Status | Establishment
0 – Non-existent | No recognition of need to control | No intent to assess the need for control
1 – Initial / ad hoc | Some ad hoc recognition of need to control | No awareness of need to assess what controls are needed
2 – Repeatable but intuitive | Controls in place but not documented | Assessment of control need occurs only when necessary
3 – Defined | Controls are in place and adequately documented | Critical controls and processes are identified based on value and risk drivers
4 – Managed and Measurable | Effective control and risk management environment | Control criticality regularly defined with full support of business owners
5 – Optimized | Enterprise-wide risk and control programme provides continuous and effective control and risk resolution | Business changes consider the criticality of controls and cover any need to reassess control capability
Layers of ITM Control Framework (figure)
Layers in ITM Alignment Map (figure) - ITM Control Framework Overview
Decide Who Owns (leads) What Control: Security/Privacy Incident Reporting (figure)
UNDERSTAND WHOSE CONTROLS TRIGGER OTHERS’ CONTROLS (figure) - ITM Control Framework Overview
WEB 2.0
What do we need to know about and consider while we are developing policies, frameworks, standards and controls?
Web 2.0 at Advanced Education and Technology (architecture figure)
- Stakeholders: Internal | P.S.I. Institutes | Other Stakeholders
- Common services: Identity Management, A & A, Real-Time Communications, Dashboard
- Business Apps (SFS, ATOMS, PAPRS, SHR); Information Strategy (Information & Knowledge); Web Strategy (Content, Information, Applications); Desktop Apps (Calendar, Word, PowerPoint)
- Collaboration Tools: Unified Msg, Web Conference, Video Conference, Instant Msg, Presence (People, Place, Time)
- Collaboration Integration; IP Enabling Contact Centers
- Networks: Public | Wireless Network | LAN/GOA Domain; Supernet; Room to Room Video over IP; Centrix | PSTN; VPNs
WEB 2.0 Impact

Aspect | Mid 1990-2000s | WEB 2.0 Value Proposition
Knowledge/Info | Centralization | Decentralization
Training | Waterfall/RUP meant training was at the end | Training is at the beginning, through self training and each other
Cultural Change | Business performed and information in silos | Collaboration, openness, joint problem solving
Business Work Style | Feature and information overload | Simple, easy to use; business has become technology savvy through self training
Home / Work Tools | Work, more tools | Home/Work tools the same
Labour Shortages (attract Gen X, Y and Millennials) | Governments cutting | Everyone recruiting
Generation X Expectations | Grassroots | Managers understand how technology can help productivity
IT Organization's Gate Keepers | Privacy/security force IT to protect castles | Business will go around any blocking we put in because they CAN and they WANT IT
Centralized Control Versus Decentralized Information Sharing (Balancing Opportunities/Risks)

Aspect | Mid 1990-2000s | WEB 2.0 Value Proposition
Privacy/Security | IT and SMEs guardians | End user behaviors guided by principles
Managing Information and Records | IT and SMEs guardians, overwhelmed by increased volume | End users accountable for information, supported by tools provided by IT and SMEs
Information Silos | Caused by not working together and sharing | Caused by collaborating and working together but outside of centralized, controlled tools
Policy, Authorized, Authoritative Sources | Policy and authority decentralized - IT just starting to centralize IT now | Policies and accountability principle based on understanding and trust
Technology Delivery and Expectations | IT plans aligned after business plans | IT specific visions, plans and strategies plus business alignment
Service Responsiveness | IT and SMEs required to implement policies and controls | Policies and controls need to demonstrate value
Enterprise Tool Investments | Created to share investment and reduce information silos | Still required, but only for information sources where information needs to be protected
ALBERTA’S PLANS, VISIONS AND STRATEGIES
What we learned about how we need to plan because of controls, expectations, and Web 2.0
Vision: All Plans – Relationships (figure)
- Inputs: Web 2.0; Advanced Education & Technology Business Plan & Policy; Cross-Government Initiatives; GoA Information & Services Strategy; GoA Enterprise Architecture; GoA Business Plan
- Stakeholder input: Post Secondary Institutions; Learners/Parents/Public/other Stakeholders; Research Institutes
- Planning horizons: 7 Year ITM Vision; 5 Year ITM Strategies; 3 Year ITM Plan (Maintenance, Operations, Initiatives); 1 Year Operational Plan
- Supporting elements: Standards; ITM Policy Framework; Operational Controls; PSI Plans & Architecture
Advanced Education and Technology in 2014 (figure)
- Test & Demo Pilots 2014; Testing & Training
- Goal: the “Right Info” and “Right Services” at the “Right Time” at the “Right Place” to answer the “Right Question” for the “Right Person”
- Strategies: Identity Management Strategy; Information Management Strategy; Web Strategy; GOA Information & Services Strategy; Unified Communications Strategy