Wednesday, November 18, 2015 - 12:00pm to 2:00pm

Location Details: 

Information Technology Dept.
Room 438
4201 Normandy Street North
Bismarck, ND 58503

Meeting Agenda:

 

Time Topic Presenter
1:00 Update on EA Activity Jeff Quast
1:20 Update on ITD Activity Gary Vetter
  • Brown Bag Lunches - pre ITCC
  • Password Manager Service
  • Remote Control tool status
  • AD Challenge Questions - Dec. 1
  • Application Inventory
1:40 NASCIO 2015 State CIO Survey Dan Sipes
2:00 LPO Directional Statement Justin Data
2:20 Security Position Update Dan Sipes
2:30 Encryption of Data at Rest Jeff Quast
2:40 DLP on Outbound Email Jeff Quast
2:50 Future Agenda Items  

 

Meeting Recap:

 
Update on EA Activity
 
Update on ITD Activity
  • Gary Vetter reviewed the recent activity and news from ITD
  • ITD will be hosting Brown Bag Lunches before each ITCC meeting for the next year, featuring a video presentation from the 2015 Gartner event
  • The new Password Manager Service will be available December 1. Agencies are asked to be patient with requests for the service since resources are taxed at the moment.
  • ITD is testing Remote Control products/technologies but resources are limited so progress has been slow.
  • A reminder email will be sent out regarding the increased enforcement of policy for the Challenge Questions when an account reset is requested.
  • All agencies are being contacted with a request for an application inventory to be submitted to ITD, which will become the foundation for a Configuration Management Database

 

NASCIO 2015 State CIO Survey and ITD Direction
  • Dan Sipes reviewed some of the survey results and some of the high-priority strategic initiatives from ITD.
  • The top two NASCIO Priority Strategies, which are Security and Risk Management and Managed Services (Cloud Services), and the top two Priority Technologies, which are Security Enhancement Tools and Managed Services Solutions (Cloud Solutions), are the same as the top two for ND state government.
  • Current issues and trends that other states and ND share include the CIO as a Broker of Managed Services, and Cybersecurity Barriers.
  • Many early adopters of Office 365 are seeing a 30% cost increase at contract renewal time.
  • NDGOV has the E3 license for Office 365 and the G3 version of OneDrive. There is a possibility that OneDrive will take the place of a personal file share for ITD users.
  • ITD’s Azure Proof of Concept is complete and an Amazon Proof of Concept is beginning
  • ITD is testing solutions for self-service unlocking of Active Directory accounts.
 
Large Project Oversight Directional Statement
  • Justin Data presented the LPO Directional Statement
  • When LPO was first mandated in 2005, it was a very audit-oriented process, but in 2010 it adopted a philosophy of being more collaborative and more of a partnership. In 2015, the effort is to enhance that collaboration and partnering.
 
Security Position Update
  • Dan Sipes discussed how ITD would address the vacated positions in the Security division, with Uriah Burchinal taking all of the audit responsibilities and Travis Rossow covering the remaining unassigned initiatives. As the open positions are posted, ITD will also be reviewing types of positions and the overall structure of ITD’s security staff.

 

Encryption of Data at Rest
  • Jeff Quast reviewed some initial discussions that have taken place at the Data Architecture meeting regarding encryption of data at rest. The team has drafted changes to the Encryption standard to cover sensitive data at rest and sensitive data on removable media.
 
Data Loss Prevention on Outbound Email
  • Jeff Quast reviewed discussions at the Security Architecture level regarding DLP on outgoing email, either blocking or encrypting certain emails if they contain sensitive data.
  • Some agencies currently use, or have used in the past, a one-off rule at our gateway appliance level to stop email containing SSNs.
  • No agencies indicated that they have been required to have a control in place, but many are interested since it addresses human error.
  • One agency is considering a communications portal for the exchange of sensitive data instead of using email.
  • Microsoft Exchange 2013 will have some DLP functionality, configurable by agency OU, but will require per-user Enterprise licensing.
  • There will be further discussion about whether this would become part of an EA standard, and where in the security list of priorities it would be placed.
Attachments: 
ITCC-20151118-Presentation (PDF)