The Mi-GMIS Best IT Security Project Award is given to a government agency that develops creative solutions for Information Technology Security, recognizing the ever present threat to our infrastructure while demonstrating technology’s role as a vital player in improving organizational security.
This year’s winner is the Oakland County Information Technology Department for re-architecting the County’s System Development Life Cycle (SDLC) by building risk management and security into the SDLC. Knowing that identifying and mitigating vulnerabilities discovered in production are 23 times costlier than mitigating the vulnerabilities as applications are being developed, the IT Department instituted risk management processes and security checkpoints into the SDLC to reduce unnecessary spend and vulnerabilities.
A process was developed to perform a security scan on the system before production release for internally developed applications and COTS packages. Penetration tests were conducted by both an external penetration test service provider and the County’s Information Security team. More than 50 systems were tested and 365 vulnerabilities were identified.
A Risk Assessment framework and processes were introduced to establish a common framework for the implementation and management of security controls; to assist system owners in identifying threats and assessing threat value; to assess the values of the vulnerabilities identified in the Security Assessments and determine a cost-effective treatment plan; and to establish ownership for mitigation activities with an agreed-upon timeline for plan execution. Training sessions were conducted for the system owners, and reference documents were created to support the initiative.
The Risk Assessment process is widely used across IT teams for the implementation and management of security controls and to help management determine the status of risk mitigation activities.
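As an added illustration of the kind of workflow the Risk Assessment process describes (this is example code, not Oakland County's tooling): each finding from a security assessment gets a threat value and a vulnerability value, the product becomes a risk score, the score and remediation effort select a treatment, and the system owner and deadline are recorded so management can report on open and overdue items. The scoring scales, the thresholds, the deadline lengths, the system names, and the sample findings are all constructed assumptions.

```python
"""Minimal risk register: score, treat, assign, and report on assessment findings.

Added example; the scales, thresholds, SLA days, and sample data are assumptions,
not the County's actual framework values.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Finding:
    system: str
    title: str
    likelihood: int            # threat value: 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                # vulnerability value: 1 (negligible) .. 5 (severe); assumed scale
    fix_effort: int            # relative remediation cost: 1 (trivial) .. 5 (major); assumed scale
    owner: Optional[str] = None
    due: Optional[date] = None
    status: str = "open"       # "open" or "closed"


# Days allowed per treatment; assumed values.  "accept" carries no deadline.
SLA_DAYS: Dict[str, Optional[int]] = {
    "mitigate-urgent": 30,
    "mitigate": 90,
    "compensate": 90,
    "accept": None,
}

# Constructed assessment date used for the sample run below.
ASSESSMENT_DATE = date(2024, 1, 1)


def risk_score(f: Finding) -> int:
    """Threat value times vulnerability value, giving 1..25."""
    return f.likelihood * f.impact


def treatment(f: Finding) -> str:
    """Pick a cost-effective treatment from the score and the remediation effort."""
    score = risk_score(f)
    if score >= 15:
        return "mitigate-urgent"           # high risk: always fix, regardless of cost
    if score >= 8:
        # medium risk: fix directly if cheap, otherwise add a compensating control
        return "mitigate" if f.fix_effort <= 3 else "compensate"
    return "accept"                        # low risk: document and accept


def assign_plan(findings: List[Finding], system_owners: Dict[str, str],
                today: date) -> List[Finding]:
    """Attach an owner and a due date to each finding; return highest risk first."""
    for f in findings:
        f.owner = system_owners.get(f.system, "unassigned")
        days = SLA_DAYS[treatment(f)]
        f.due = today + timedelta(days=days) if days is not None else None
    return sorted(findings, key=risk_score, reverse=True)


def status_report(findings: List[Finding], today: date) -> Dict[str, int]:
    """Counts management would ask for: open, overdue, closed, and unowned items."""
    report = {"open": 0, "overdue": 0, "closed": 0, "unowned": 0}
    for f in findings:
        if f.status == "closed":
            report["closed"] += 1
            continue
        report["open"] += 1
        if f.due is not None and f.due < today:
            report["overdue"] += 1
        if f.owner in (None, "unassigned"):
            report["unowned"] += 1
    return report


def sample_findings() -> List[Finding]:
    """Constructed findings; systems, titles, and ratings are made up for the example."""
    return [
        Finding("permits-portal", "SQL injection in search form", 4, 5, 2),
        Finding("permits-portal", "Verbose error pages leak stack traces", 3, 3, 1),
        Finding("hr-intranet", "COTS package only supports TLS 1.0", 2, 4, 5),
        Finding("hr-intranet", "Missing Cache-Control header", 2, 2, 1),
    ]


if __name__ == "__main__":
    plan = assign_plan(sample_findings(), {"permits-portal": "App Dev Team"}, ASSESSMENT_DATE)
    for f in plan:
        print(f"{risk_score(f):>2}  {treatment(f):<16} {f.owner:<13} {f.due}  {f.system}: {f.title}")
    print(status_report(plan, ASSESSMENT_DATE + timedelta(days=45)))
```

The design choice worth noting is that the treatment is chosen from both the risk score and the remediation effort, which is what makes the plan "cost-effective" rather than a pure severity ranking; the "unowned" count in the report surfaces exactly the ownership gap the process is meant to close.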
Application build guidelines were developed in collaboration with the Application Development team and are used to reduce the security vulnerabilities introduced into a system during the development phase. The System Design process was modified to include a technical review by the Information Security team before a project moves into development, so that security weaknesses in a proposed solution are detected at its earliest stages. Recently, the Information Security team also implemented a Web Application Firewall solution, which mitigates attacks and further improves application security.
Comprehensive advantages of building security into the SDLC include increased awareness of the engineering challenges that mandatory security controls create; reduced development costs and improved system security through the identification and reuse of shared security services, strategies and tools; documentation of the security decisions made throughout the development process; improved confidence in the continued investment in and use of government systems; and improved management decision making, systems interoperability and integration.