This year’s awardee is Andy Brush, IT Manager at Washtenaw County. Self-described as a teacher and social scientist who found his way into technology by bridging the gap between people who know how to create technology and those who need to get something done, Mr. Brush is an experienced IT leader. He is a member of teams that have created scientific information sharing systems, online knowledge resources, online parts exchanges, government websites and eCommerce systems. He has worked tirelessly to bring affordable cyber security services to the local governments of Michigan with the Chief Information Security Officer (CISO) as a Service Project. He has spearheaded the initiative and spent countless hours working with experts, pulling together partners, conducting feasibility studies and developing budgets to make the CISO as a Service Project a reality.
Mr. Brush continuously seeks to include local governments of every size in the CISO as a Service Project. He gathers peer feedback to use in the development of a comprehensive plan that provides a cyber security resource to help guide Michigan local governments in reaching their cyber security goals. His efforts drew the attention of the State of Michigan, which has provided the initial resources needed to pilot his project concept. Mr. Brush’s partnership with the State of Michigan highlights the successes that can be achieved through the shared collaboration of large and small governments.
Since implementation, calls for service for City of Wyoming employees’ support for SCADA communications dropped from 95 calls in 2015-16 to just 2 calls in 2016-17. Both calls were related to storm/power related issues. The City of Wyoming Water Plant’s SCADA network is now a current, high speed, resilient network with backup paths for physical outages, as well as being proactively managed and monitored. The network technology is flexible for future growth and will provide West Michigan Water Plant customers service for many years.
The Mi-GMIS Best IT Security Project Award is given to a government agency that develops creative solutions for Information Technology Security, recognizing the ever present threat to our infrastructure while demonstrating technology’s role as a vital player in improving organizational security.
This year’s winner is the Oakland County Information Technology Department for re-architecting the County’s System Development Life Cycle (SDLC) by building risk management and security into the SDLC. Knowing that identifying and mitigating vulnerabilities discovered in production are 23 times costlier than mitigating the vulnerabilities as applications are being developed, the IT Department instituted risk management processes and security checkpoints into the SDLC to reduce unnecessary spend and vulnerabilities.
A process was developed to perform a security scan on the system before production release for internally developed applications and COTS packages. Penetration tests were conducted by both an external penetration test service provider and the County’s Information Security team. More than 50 systems were tested and 365 vulnerabilities were identified.
A Risk Assessment framework and processes were introduced to establish a common framework for the implementation and management of security controls, assist system owners to identify threats and assess threat value, assess the values of the vulnerabilities identified in the Security Assessments and determine a cost effective treatment plan, and establish ownership for mitigation activities with an agreed upon timeline for plan execution. Training sessions were conducted for the system owners and reference documents created to support the initiative.
The Risk Assessment process is widely used across IT teams for implementation and management of security controls and to help management determine the status of the risk mitigation activities.
Application build guidelines were developed in collaboration with the Application Development team and are used to reduce the security vulnerabilities introduced in the system during the development phase. A System Design process was modified to include the Information Security Team’s technical review before a project moves into development to detect any security weaknesses in a proposed solution's initial development stages. And, recently, the Information Security team implemented a Web Application Firewall solution which mitigates attacks and further improves application security.
Comprehensive advantages from implementing security into the SDLC include increased awareness of potential engineering challenges caused by mandatory security controls, reduction of development costs and improved system security through identification and reuse of shared security services, strategies and tools, documentation of security decisions made throughout the development process, improved confidence in the continued investment in and use of government systems, improved management decision making and systems interoperability and integration.
The City of Lansing, since implementing this program, has received top rankings from the BitSight Security Rate Platform.