2017 Awards
IT Professional of the Year
Andy Brush, CIO Washtenaw County - Awarded IT Professional of the Year
This year’s awardee is Andy Brush, IT Manager at Washtenaw County. Self described as a teacher and social scientist who found his way into technology by bridging the gap between people who know how to create technology and those who need to get something done, Mr. Brush is an experienced IT leader. He is a member of teams that have created scientific information sharing systems, online knowledge resources, online parts exchanges, government websites and eCommerce systems. He has worked tirelessly to bring affordable cyber security services to the local governments of Michigan with the Chief Information Security Officer (CISO) as a Service Project. He has spearheaded the initiative and spent countless hours working with experts, pulling together partners, conducting feasibility studies and developing budgets to make the CISO as a Service Project a reality.
Mr. Brush continuously seeks to include local governments of every size in the CISO as a Service Project. He gathers peer feedback to use in the development of a comprehensive plan that provides a cyber security resource to help guide Michigan local governments in reaching their cyber security goals. His efforts brought the attention of the State of Michigan which has provided the initial resources needed to pilot his project concept. Mr. Brush’s partnership with the State of Michigan highlights the successes that can be achieved through the shared collaboration of large and small governments.
IT Project of the Year
City of Wyoming Awarded IT Project of the Year
This year’s winner is the City of Wyoming for their City of Wyoming Water Plant SCADA network upgrade project. The City’s Water Plant services approximately 230,000 people across 13 communities requiring network communications on a large SCADA network. When the major SCADA platform was installed over 10 years ago, ISDN lines were chosen as the communications medium for the core network connectivity. Throughout the years, the Water Treatment IT personnel were eliminated through attrition requiring that the City’s Enterprise/Centralized IT department to take on support of the Water Plant network. Each customer site did not have a backup and had to rely solely on ISDN communications. ISDN’s speed limitation of 64KB per channel stood in the way of technology expansion at each site for security and phone system upgrades After fielding 95 ISDN related IT trouble tickets within two years and realizing telecommunications companies were discontinuing ISDN technology, the IT Department moved to replace the ISDN infrastructure. Knowing that aging copper infrastructure was not being replaced as telecommunications companies were installing fiber based, the City’s solution was to choose a VPN Value Bundle product which provided a 12X bandwidth increase, a cellular backup utilizing VRRP as a failover mechanism with the hardware fully managed by AT&T.
With the City of Wyoming’s IT Department acting as the project manager, the 30 month project involved comprehensive communication with the 13 wholesale water customers to ensure their support and understanding of cost increases, pulling together resources from multiple departments in maintenance, operations and administration, and supporting smaller communities with no IT staff and minimal maintenance staff in the migration to the new product.
Since implementation, calls for service for City of Wyoming employees’ support for SCADA communications dropped from 95 calls in 2015-16 to just 2 calls in 2016-17. Both calls were related to storm/power related issues. The City of Wyoming Water Plant’s SCADA network is now a current, high speed, resilient network with backup paths for physical outages, as well as being proactively managed and monitored. The network technology is flexible for future growth and will provide West Michigan Water Plant customers service for many years.
IT Security Project of the Year
Oakland County - Awarded IT Security Project of the Year Award
The Mi-GMIS Best IT Security Project Award is given to a government agency that develops creative solutions for Information Technology Security, recognizing the ever present threat to our infrastructure while demonstrating technology’s role as a vital player in improving organizational security.
This year’s winner is the Oakland County Information Technology Department for re-architecting the County’s System Development Life Cycle (SDLC) by building risk management and security into the SDLC. Knowing that identifying and mitigating vulnerabilities discovered in production are 23 times costlier than mitigating the vulnerabilities as applications are being developed, the IT Department instituted risk management processes and security checkpoints into the SDLC to reduce unnecessary spend and vulnerabilities.
A process was developed to perform a security scan on the system before production release for internally developed applications and COTS packages. Penetration tests were conducted by both an external penetration test service provider and the County’s Information Security team. More than 50 systems were tested and 365 vulnerabilities were identified.
A Risk Assessment framework and processes were introduced to establish a common framework for the implementation and management of security controls, assist system owners to identify threats and assess threat value , assess the values of the vulnerabilities identified in the Security Assessments and determine a cost effective treatment plan, and establish ownership for mitigation activities with an agreed upon timeline for plan execution. Training sessions were conducted for the system owners and reference documents created to support the initiative.
The Risk Assessment process is widely used across IT teams for implementation and management security controls and to help management determine the status of the risk mitigation activities.
Application build guidelines were developed in collaboration with the Application Development team and is used to reduce the security vulnerabilities introduced in the system during the development phase. A System Design process was modified to include the Information Security Team’s technical review before a project moves into development to detect any security weaknesses in a proposed solution's initial development stages. And, recently, the Information Security team implemented a Web Application Firewall solution which mitigates attacks and further improves application security.
Comprehensive advantages from implementing security into the SDLC include increased awareness of potential engineering challenges caused by mandatory security controls, reduction of development costs and improved system security through identification and reuse of shared security services, strategies and tools, documentation of security decisions made throughout the development process, improved confidence in the continued investment in and use of government systems, improved management decision making and systems interoperability and integration.
f risks. The City of Lansing since implementing this program has received top rankings from the BitSight Security Rate Platform.