Open Forum May/June/July 2005
Vol. 18 No. 8/9/10
Innovations in information resource management to support government
FROM THE EDITOR
Dear Colleague:
The lead article of this issue is devoted to the work of The Forum's Security and Business Continuity Committee. That committee has been instrumental in developing and offering what is now an internationally distributed cyber security web cast series. The committee has also conducted numerous other education and training programs for state and local IT leadership and staff since its inception post-September 11.
This issue highlights the importance of this committee work and promotes the Eighth Annual NYS Cyber Security Conference (being held on June 15 and 16) first, because they represent unique opportunities for New York state and local IT professionals to shape and take advantage of regularly scheduled, high quality educational opportunities uniquely produced by, and available in, New York State. Moreover, they are emphasized because cyber security and business continuity must remain at the pinnacle of the IT priority list for all government organizations. As evidence of this, New York Times authors John Markoff and Lowell Bergman wrote on May 10, 2005: "Government investigators and other computer experts sometimes watched helplessly while monitoring the activity, unable to secure some systems as quickly as others were found compromised." The authors were referring to the extensive cyber security breaches of a Cisco Systems network almost a year ago that are still not fully understood. Since that time, there have been numerous, well publicized violations of government and corporate systems, many of which have compromised personal financial and health records.
That New York State is providing leadership in this important arena is no accident. To our knowledge, no other state has an eight year history of offering a state level cyber security conference. Though some states have organizations focused on cyber security, our NYS Office of Cyber Security and Critical Infrastructure Coordination, directed by William F. Pelgrin, is providing national leadership in conjunction with the Department of Homeland Security and the Multi-State Information Sharing and Analysis Center.
The unimaginable personal and fiscal liabilities inherent to breaches of our major state systems are incalculable. Hopefully, it is sufficient to underscore those liabilities and make widely known the vast opportunities that all NYS IT professionals have for learning how to protect those systems and quickly remedy them if violated. We are fortunate to have these opportunities in our state and we urge you to take full advantage of them.
Sincerely,
Gregory Benson
Executive Director
BCP/Security Committee Update: An Interview With Co-Chair Chris Labatt-Simon
The NYS Forum has long had an interest in and worked to provide training and education opportunities related to cyber security. The Annual New York State Security Conference series began eight years ago and this year will be held on June 15-16 in Albany. Following 9/11, The Forum's membership felt that the issues of cyber security and business continuity needed to be addressed in a more continuous and deliberate fashion. That conclusion led The Forum's Executive Committee to create the Business Continuity Planning/Security Committee, which is co-chaired by JoAnn Bomeisl, Insurance Department, Chris Labatt-Simon of D&D Consulting and Chris Lloyd of Keane.
Since its creation, this committee has undertaken a number of education and training events, been very much involved in the research work leading up to The Forum's publication of Supporting the Public's Business: Continuity Planning & NYS Government in 2002 and, most recently, has been involved in the production of a series of virtual events drawing international participation.
With the upcoming 2005 NYS Cyber Security Conference being held on June 15 and 16, we felt it appropriate that we interview one of the co-chairs of the committee to better understand what lies behind their work and where he sees it going in the near future. We are pleased that Chris Labatt-Simon, CEO of D&D Consulting, agreed to our interview.
The Forum: The Security and Business Continuity Committee has been extremely active for the last year or so, can you point to any particular circumstances that you feel led to heightened interest by government?
Chris: The creation of the New York State Office of Cyber Security and Critical Infrastructure Coordination (OCSCIC), the rapid growth of security threats against public sector organizations, the "opening" of the borders protecting individual agencies in order to share information and applications with other agencies and local government and the continued reliance on technology have all contributed to a growing need for continuing education on information security.
Public sector technology groups - and I say public sector due to the fact that this encompasses not just New York State agencies, but also includes county, city, town and other local entities - are recognizing the need to use maturing resources, such as the Business Continuity Planning/Security Committee and the IT Corporate Roundtable, to gain access to education on best practices and "lessons learned."
The Forum: The Cyber Security Web Cast Series that your committee has developed in conjunction with the NYS Office of Cyber Security and Critical Infrastructure Coordination has grown from what was to be a NY state audience to an international one. Can you give a quick history of that series and can you identify why it has grown so dramatically?
Chris: In February of 2004 the NYS Forum held its first "Webinar," or web-based seminar, focused on Disaster Planning for Local Governments. At the same time, the NYS Office of Cyber Security and Critical Infrastructure Coordination (OCSCIC) was exploring the concept of providing security education to New York state and local government using similar methods. In June of 2004 the first in a series of webcasts was held, entitled Cyber Security: The Three Things You Should Have Done Yesterday and The Three Things You Should Do Today. The webcast was organized by the NYS Forum, NYS CSCIC and the US Department of Homeland Security.
Since that time the webcasts have evolved into a multinational quarterly event viewed by well over a thousand individuals representing public sector organizations around the world. The partnership between the NYS Forum Security Committee, the NYS Forum Corporate Roundtable and NYS CSCIC continues to grow. Through the NYS Forum's IT Corporate Roundtable, private sector companies donate time and intellectual capital to provide experts for the presentations.
The webcast series has now been adopted by the Multi-State Information Sharing Analysis Center, a group with security representatives from 49 states and the District of Columbia, as a primary source of education on Cybersecurity.
Today, the webcasts provide vendor-neutral Cybersecurity to everyone from home users to information security professionals. Each webcast is tailored to a specific audience and a primary goal is to ensure that participants leave with enough information and additional resources to be successful in implementing the goals of the topic.
The Forum: Are there upcoming webcast dates and topics selected?
Chris: An excellent webcast was held on May 18th which was a presentation on Botnets - the ability for hackers or other groups to gain control of hundreds, if not thousands, of systems to launch coordinated attacks against public and private sector entities.
The next webcast will be focused on Wireless Security and will take place on July 20th, 2005. October is National Cybersecurity Awareness Month so there will be a special presentation, to be determined, for that month. Lastly, on December 7th there will be a holiday themed year in review webcast.
NOTE: Information on the webcast initiative can be found at http://www.cscic.state.ny.us/msisac/webcasts/index.htm.
The Forum: Are there other initiatives on the horizon for your committee that we can make our membership aware of?
Chris: With the NYS Forum's primary mission of education in mind, the NYS Forum Business Continuity Planning/Security Committee is continuously working to educate the public sector on various topics.
The Forum: What's your overall sense of how New York state is addressing specific cyber security threats and, in a broader context, preparing state/local governments to be adequately aware and competent to address threats at those levels?
Chris: New York State has made significant progress in creating architectures and policies to protect information assets. The formation of the NYS Office of Cyber Security and Critical Infrastructure Coordination and the appointment of a highly effective director - William F. Pelgrin - to focus on risk assessment and management across New York State public sector organizations, demonstrates New York State's recognition of the importance of information security.
The gap analysis initiated by this group, and the follow up to ensure protection of vulnerable assets has really set a standard across the country. The development of a staffed managed security operations center in conjunction with intrusion detection systems has allowed New York State to gain insight into how attacks, worms, trojans and other threats spread across and between agencies, and has allowed New York State to better secure its information.
The Cyber Security webcasts have also been a tremendous resource to help educate organizations that may not have highly trained internal resources - especially many smaller local government entities.
The Forum: Going forward, and particularly in light of increasingly mobile governments, are there specific cyber security threats you see emerging that the public sector needs to prepare for now?
Chris: Look at the topics of the Webcasts sponsored by the New York State Forum and CSCIC to gain insight on many of the more specific threats to New York State government. Social engineering, home PCs, Spyware, vulnerability management, botnets and wireless security are all significant threats to information systems throughout New York State.
On a more personal note, my firm regularly tracks security trends throughout the private and public sector. The most recent identified trend is the blurring of the border between public networks, such as the Internet, and internal networks. Organizations are increasingly providing access to internal applications and information. While many feel this is secure, closer examination of the methods of access often reveals inadequate protection against attack.
Let's take an example of an organization requiring strict security. That organization may decide that allowing access to their applications over the Internet is insecure, and may create dedicated connections to each of their partners so their partners can access certain information or specific applications. What the organization may not consider is that their partner is connected to the Internet, and their partner may allow access to their internal network via the Internet. In effect, without meaning to, and while attempting to adhere to more rigorous security, the organization has now allowed access to their information via the Internet through their partner.
More and more our focus today is on protecting the endpoint - the application itself, or the server, or the client PCs within an organization, as opposed to worrying about where one network ends and a new one starts. The walls protecting information are lowering and it's our responsibility to educate and assist our customers in the correct placement of their guards.
The Forum: I know that immediately following 9/11 there was significant interest in business continuance and developing business continuity plans for state and local governments, what is the level of interest you're seeing today and is the committee responding to that interest?
Chris: As a committee, we've recognized that while Business Continuity Planning (BCP) is of major importance to information technology staffs within the public sector, it has yet to get the focus and the funding at most agencies. We continue to develop educational avenues to promote awareness of the need for BCP and methods of initiating business continuity plans. For example, at the upcoming Cyber Security show we will be sponsoring several seminars on business continuity.
The Forum: As a member of the IT corporate sector here in New York state's "Tech Valley," and a member of The Forum's IT Corporate Roundtable, what's your view of how this public/private partnership has been of value for your particular committee?
Chris: I don't think that I can stress enough how excited I am to see these partnerships being created between public sector and private sector groups. Without the participation of the IT Corporate Roundtable, it would have been tremendously difficult to continue to provide the Cyber Security webcasts.
Our relationship with the CIO Council exists primarily to provide private sector experts to present on identity and access management topics. With the charter of the IT Corporate Roundtable specifically requiring vendor neutrality and adherence to strict guidelines of engagement, groups such as the CIO Council Committees gain access to resources that would have been impossible to organize in the past. This knowledge transfer has become critical, particularly when government travel and education/training budgets are inadequate or nonexistent.
The Forum: In closing, is there any one observation you would make about the issues surrounding cyber security and business continuity and how New York state is working to address them?
Chris: As a committee, we feel that information security is being addressed very well and in a complete manner within New York State. As a committee, however, we feel that New York State should designate overarching responsibility for Business Continuity Planning to an agency or individual, and place resources and funding in the hands of the agencies to support the development of statewide business continuity plans. It often seems as if time and money can be better invested in other areas, but the import of Business Continuity cannot be underestimated - and we've been unfortunate enough to have that demonstrated to us on September 11th, 2001.
The Forum published a research paper on that topic in 2002 and it would be beneficial for all if we revisited the recommendations made in that report available at http://www.nysfirm.org/documents/pdf/whitepapers/bcp_white_paper.pdf.
The Forum: Thank you Chris. This has been extremely informative and we thank your co-chairs and committee members for the wonderful work you're pursuing in support of New York's state and local IT community.
Chris Labatt-Simon
As CEO of twelve year old Albany based D&D Consulting, Christopher Labatt-Simon has worked extensively with both the public and private sector in the areas of information security and elements of enterprise architecture. Christopher has been the recipient of several awards, including the NYS Forum's IT Corporate Roundtable Award for Excellence and the Capital Region Business Review's 40 under 40 award recognizing individuals contributing to the betterment of the region. Recognizing that individuals must give back to the communities that support them, Christopher donates his time to help support NYS government through his efforts as a co-chair of the NYS Forum's Security and Business Continuity Committee.
Call for Nominations
2005 New York State Best of the Web Award
The Forum would like to recognize the outstanding work done with the innovative use of web technology by state and local government in two categories: 1) those developed by state agencies, and 2) those developed by local government entities. To be eligible, sites must be up and functioning at the time of nomination. Agency Intranet and other internal sites are eligible for this award but judges must be able to access and review the sites. Sites nominated must be in compliance with current NYS OFT Technology Standards and Guidelines. A panel of judges will review each site, select a winner and list of honorable mentions. The award will be announced at The Forum's Annual Meeting in September. Best of the Web nomination forms will be available at www.nysfirm.org or call (518) 443-5001 to request a form.
Evaluation Criteria:
Innovative Use of Technology - Web Sites in general are an innovative use of technology. This criterion refers to how the web site makes use of the technologies available to its developers to achieve its purpose. This does not necessarily mean the most technically proficient web site but rather refers to the site that uses technology in unique and creative ways to achieve its purpose.
Value to the Client - Public Sector Web Sites must provide identifiable value to their users. The content must be relevant and timely. This criterion will evaluate the content delivered to the users, how relevant that content is and how the web site ensures the timeliness of that content.
Cost Efficiency to the Agency - Delivering Services over the web should be efficient both to the developer and to the users targeted. This criterion will evaluate that efficiency for both groups. This is not a strict "cost justification" exercise but rather an evaluation of how the site improves the service or services being delivered.
Recipient of last year's award was: Council on Children and Families within the Office of Children and Family Services for Kid's Well-being Indicators Clearinghouse (KWIC) http://www.nyskwic.org.
2005 Award for Excellence in Government Information Services
A sustained spirit of collaboration and volunteerism underlies the success of the New York State Forum for Information Resource Management. Each year, the Forum Executive Committee recognizes the essential value of volunteer effort with an Award for Excellence in Government Information Services given at the Annual Meeting. Last year's recipients were William F. Pelgrin, Executive Director of the NYS Office of Cyber Security and Critical Infrastructure Coordination, Debi Orton, Governor's Office of Employee Relations and Mike Short, Department of Civil Service. Any Forum member may be nominated. Letters of nomination should describe the nature of the nominee's contribution and how his or her activities have benefited another agency, The Forum membership, or government generally.
Evaluation Criteria:
Nominations for Best of the Web and Award for Excellence must be received no later than July 29, 2005 and should be sent to:
NYSFIRM
Call for Nominations
Rockefeller Institute of Government
411 State Street, Albany, NY 12203
Fax: (518) 443-5006 or E-mail: info@nysfirm.org
Coming soon: you may submit your nomination online at www.nysfirm.org
10th Annual 2004 - 2005
Best Practices Award
The Forum would like to recognize the outstanding work done during the past year in the area of Information Resource Management by New York state and local government organizations. The categories are as follows.
POLICY (for legislative initiatives or internal agency policy initiatives which improve information management and/or lower the barriers to effective information management). This might include the sponsorship of new laws which support electronic commerce, rewriting of regulations to lower barriers for the use of electronic documents, or development of effective organization-wide document management or security policies which improve document handling.
MANAGEMENT (for innovative activities which improve the management of information resources and technologies). Innovations in this area might include creation of a formal project management approach to the restructuring of an IRM organization to improve customer service, development of innovative procurement and/or partnering activities which maximize use of scarce resources, development and management of assessment teams to deal with crises like the Year 2000 or development of other structures to effectively manage new technologies.
TECHNICAL IMPLEMENTATION (for effective implementation of information technology to meet business goals). Examples of innovation in this area might be the development of an agency Intranet which links internal units with external partners in a secure fashion, development of an agency Web application which improves communications with the public, or effective use of prototyping and application development tools to streamline application development.
Last year, awards were presented to Division of Housing and Community Renewal for Mitchell-Lama Automated Waiting List System, Office of the State Comptroller for FOCAS Project, and Secure 4 Tier Network Infrastructure, Chauncey G. Parker, NYS Criminal Justice Agencies for NYS's Integrated Justice Program, Office for Technology for NY's Policy for Web-based Intranet and Internet Information and Applications, Thruway Authority for Ramp LOS Application.
To submit a recommendation for an award, please send a short, one or two page description of your innovation to the Forum. Recommendations will be reviewed by the Awards Committee and descriptions will be published and distributed at the Annual Meeting in September. In your response, please designate an individual or individuals who would be available to accept the award and speak about the innovation at the Forum's Annual Meeting.
Thanks for your continued interest in the Forum. We look forward to seeing you at the Annual Meeting.
Recommendations must be received no later than July 29, 2005, and should be sent to:
NYSFIRM Best Practices Award
Rockefeller Institute of Government
411 State Street
Albany, NY 12203
fax: (518) 443-5006 or e-mail: info@nysfirm.org
Coming soon: you may submit your nomination online at www.nysfirm.org
2005 Candidate Canvass
The New York State Forum for Information Resource Management will begin its 19th year on October 1, 2005. Thanks to your help, we have made great strides during the past years and with your continued support, The Forum will prosper.
On October 1st, the Executive Committee will assume new leadership. Vice Chair Cecelia Hamblin, Department of Labor, will succeed Joanne Riddett, Thruway Authority, who has served as Chair for the past year. Leigh Favita, Dormitory Authority, who has served as Secretary/Treasurer for the past year, will serve as Vice Chair. The office of Secretary-Treasurer will be filled from among the members of the Executive Committee, including the newly elected members. This canvass seeks candidates for the Executive Committee for two-year terms beginning October 1, 2005 and ending September 30, 2007.
All Institutional Representatives and Individual Members employed by Institutional Members are eligible to serve on the Executive Committee. A slate of candidates will be presented to Institutional Representatives for selection prior to the 19th Annual Meeting scheduled for September, 2005.
The following excerpts are taken from The Forum Charter and describe the mission, objectives and responsibilities of the Executive Committee.
Mission
It is the mission of the New York State Forum for Information Resource Management ("The Forum") to promote policies and practices for effective, equitable and secure use and management of information resources in New York State Government at all levels.
Objectives
Responsibilities
If you are interested in being considered for the Executive Committee or are currently a member and interested in the office of secretary/treasurer, please complete and return this form with a brief bio which includes: current position, information management interests, previous Forum involvement and other related involvement by July 29, 2005 to:
The NYS Forum
Rockefeller Institute of Government
411 State Street
Albany, NY 12203
Fax: (518) 443-5006 or E-mail: info@nysfirm.org
Coming soon: you may submit your nomination online at www.nysfirm.org
2005 Candidate Canvass
Name
Title
Organization
Major Interests
Phone
I am interested in the office of Secretary-Treasurer
To view the 2005 Cyber Security Conference Agenda, please visit our website at http://www.nysfirm.org/seminars/csc-2005/attend/agenda.asp
To register, visit www.nysfirm.org and click on "2005 Cyber Security Conference", then "Attend".
Upcoming Events!
8th Annual NYS Cyber Security Conference
Come to the premier State conference in the country! Don't miss an outstanding keynote speaker and a wireless attack demo, select from over 40 key security-focused sessions, participate in Birds of a Feather, network at the Attendee Reception and see the latest technology in the Exhibition Hall.
View the two-day agenda at http://www.nysfirm.org/seminars/csc-2005/attend/agenda.asp. Complete details and registration are available at www.nysfirm.org. Click on 2005 NYS Cyber Security Conference.
Forum Strategic Planning Session
Friday, July 15
8:30 am - noon
Details coming soon.
Forum Annual Meeting
Friday, September 9
8:30 am - 2:00 pm
Details coming soon.
Executive Committee
Officers
Chair, Joanne Riddett, Thruway Authority
Vice-Chair, Cecelia Hamblin, Dept. of Labor
Sec./Treas. Leigh Favitta, Dormitory Authority
Members
James Bell, NYS Senate
Walter Bikowitz, OGS
Thomas R. Bodden, Assoc. of Towns of NYS
JoAnn P. Bomeisl, Insurance Dept.
Teri Daly, OFT
Sharon Dawes, CTG
F. Michael Donovan, CIO
Stanley France, Schoharie County
Robert Freeman, Dept. of State
Jeffrey S. Grunfeld, OSC
Christine Haile, SUNY at Albany
Roman Hedges, NYS Assembly
Karl Kelly, DMNA
Robert G. Kelly, DHCR
Kim S. McKinney, NYSLGITDA
Janice Morris, Dept. of Civil Service
Nancy Mulholland, Workers' Comp. Board
Eugene Pezdek, DEC
Franklin Slade, Dept. of Civil Service
Timothy Spencer, DOB
Victor Stucchi, HESC
David Walsh, SED
Staff
Editor
Gregory M. Benson, Executive Director
Design & Production
Rebecca J. Buchner, Executive Assistant
Milena Ivanova, Technical Coordinator
Editorial Office
NYS Forum
Rockefeller Institute of Government
411 State Street
Albany, NY 12203
Phone (518) 443-5001
Fax (518) 443-5006
Visit our Web Site www.nysfirm.org
E-mail info@nysfirm.org
Open Forum is a regular publication of the NYS Forum.
We welcome editorial proposals and submissions.