2015-2018 Statewide Information Technology Security Plan

Agency for State Technology
The Way Forward
Rick Scott, Governor
Jason M. Allison, State CIO
Table of Contents
From the Desk of the State Chief Information Officer (CIO)
Executive Summary
Strategy 1: Enhance security and privacy capabilities
Objective 1: Implement a cybersecurity framework policy
Objective 2: Improve situational awareness
Objective 3: Develop a robust enterprise security incident response program
Strategy 2: Enhance the Enterprise IT environment, including application rationalization
Objective 1: Invest in core enterprise enhancement
Objective 2: Develop application rationalization approach and begin implementation
Strategy 3: Define the roadmap for maturing IT Processes and Strategic Business Alignment
Objective 1: Strengthen project assurance and ensure project oversight
Objective 2: Coordinate multi-agency enterprise initiatives
Timeline
Close
From the Desk of the State CIO, Jason M. Allison
As security becomes the focal point for all IT-related initiatives, Florida is
now in the best place to effect statewide change for a more secure, efficient,
and effective future. Security embedded in the foundation of systems,
processes, and projects will position the state for great economic and
technological success. With the creation of the Agency for State
Technology, the state can focus on securing state IT assets, while moving
toward consolidated and standardized platforms.
This three-year statewide strategic security plan lays out the roadmap to position the state to enter new markets, support hardened
infrastructure, and better align Florida’s strategic initiatives. This plan lays out three one-year
high-level strategies, followed by specific objectives. Years two and three are included in a
high-level timeline; this supports growth and flexibility within the strategic plan. As AST
progresses through the years while maintaining our vision, new goals will be added and new
strategies formulated. Horizon-driven strategies are included in a year four brief to show how
the strategies position the AST to take on more aggressive, innovative solutions over time.
As IT is an ever-changing and evolving industry, our strategy must also be flexible, innovative,
and adaptive. The partnerships AST is developing with Agencies will help drive the IT future for
the state. This will make Florida a hub for innovation and drive economic success for the state,
its citizens, and businesses. I hope you share my excitement, as Florida embarks on this journey
and emerges as a competitive industry leader.
Executive Summary
Safeguarding and protecting Florida’s IT resources is a top priority. AST is committed to
maintaining the highest level of data security, while embracing new capabilities and ensuring
information protection for citizens and businesses in the state. As AST progresses toward
a more hardened IT climate, this strategic IT security plan will focus on three long-term
strategies spanning 2015 through 2018. Emphasis for this plan is on year-one objectives, which
are designed to build security into the very fabric of state IT operations and processes. These
are foundational strategies that will position AST to take on horizon-driven initiatives in an
organized and secure manner.
Each year as objectives are implemented, the strategy will remain with added objectives to
show progress year-after-year. Upon full implementation of the foundational strategies, subsequent strategies will be identified, planned, and included in future strategic plans. This phased
approach supports continual progress, while moving toward convergence for enterprise strategic
alignment.
Strategy one establishes objectives for adopting a strong cybersecurity framework, cultivating
collaborative partnerships for critical response efforts, and focusing on situational awareness to
empower the state workforce.
Strategy two establishes objectives for assessing and enhancing the state’s data center
infrastructure, to include application rationalization.
Strategy three establishes objectives for project assurance and oversight and promotes strategic
business alignment by partnering with state agencies to understand and support their mission-specific strategies.
Strategy 2015-2016:
Strategy 1: Enhance security and privacy capabilities
Objective 1: Implement a Cybersecurity Framework Policy
Objective 2: Improve Situational Awareness
Objective 3: Develop a Robust Enterprise Security Incident Response Program
Strategy 2015-2016:
Objective 1: Implement a cybersecurity framework policy
• On any given day, Florida has 1.7 million visitors.
In support of the Governor’s job and economic growth initiatives, a top priority is protecting critical IT assets. Systems and information
drive delivery of services to citizens and promote effective government. The foundation to building secure IT capabilities is a sound
cybersecurity framework with robust underlying processes. AST will develop a cybersecurity framework policy that guides the state’s
information security workforce and promotes efficient IT operations.
Security rules will be mapped to the framework and promote secure and consistent practices for state computing platforms. Security
considerations will be developed for all IT functions and promote risk mitigation initiatives. Framework implementation will be a
rigorous multi-year effort. Each new initiative will enhance and secure the state’s IT resources while consistently moving toward
framework compliance.
Strategy 2015-2016:
Objective 2: Improve situational awareness
Reliance on shared information is critical. How Florida protects and shares information has a significant impact on citizens, visitors,
and businesses in the state. To ensure that we are diligent in our efforts, we are reliant on information sharing partnerships and
continual education of state workers. As threats emerge and transform, AST will position itself to effectively mitigate attempts to
compromise the state’s information assets.
AST will build partnerships with state and federal entities to support improved situational awareness and harden security practices.
AST will support training and outreach campaigns that engage all workers and promote a security-centric culture, involving
individuals in data protection initiatives.
• Florida has surpassed New York as the 3rd most populous state.
Strategy 2015-2016:
Objective 3: Develop a robust enterprise security incident response program
Escalation of threat-related activities has driven a change in how the state must approach incident response. AST will cultivate
collaborative partnerships to support predictive and preventative cybersecurity efforts. Layered defense must support these techniques;
however, when defenses are compromised AST must have a refined, robust response program and assist state agencies with execution.
The program will standardize response efforts to support rapid, consistent countermeasures.
• Miami is among the world’s Top 5 most interconnected cities.
Strategy 2015-2016:
Strategy 2: Enhance the Enterprise IT environment, including application rationalization
Objective 1: Invest in Core Enterprise Enhancement
Objective 2: Develop Application Rationalization Approach and Begin Implementation
Strategy 2015-2016:
Objective 1: Invest in core enterprise enhancement
Information technology has quickly become an enabler; from automation to innovation, it supports trade and investment growth in the
state. As technology platforms age, obsolescence introduces risk and duplication, and limits our ability to effectively transform business
processes. AST will provide seamless and consistent service delivery to state agencies, so that agencies can in turn provide timely
services to Florida’s citizens and businesses.
AST will undertake enhancements to the enterprise IT environment, supporting the move toward deploying secure, interconnected
systems. Primary focus will be on replacing end-of-life equipment,
standardizing computing platforms, merging operations for core services,
and enhancing disaster recovery service capabilities to align with the
application rationalization vision.
• More than 26,000 IT companies, employing close to a quarter of a million workers, call Florida home.
Strategy 2015-2016:
Objective 2: Develop application rationalization approach and begin implementation
We can only secure what we can see. In order to properly manage the security of the enterprise environment, it is necessary to
understand it. Application rationalization includes identifying application dependencies and components that have the potential to
introduce security risk. Empowered with this awareness, security initiatives can be prioritized and efficiently applied where they can
produce the greatest benefit. The information will also guide future initiatives to offer secure shared services that will reduce the risk,
complexity and cost of new applications.
Strategy 2015-2016:
Strategy 3: Define the roadmap for maturing IT Processes and Strategic Business Alignment
Objective 1: Strengthen Project Assurance and Ensure Project Oversight
Objective 2: Coordinate Multi-agency Enterprise Initiatives
Strategy 2015-2016:
Objective 1: Strengthen project assurance and ensure project oversight
Introducing security considerations into the early stages of project initiatives is highly effective in identifying shared security services
and tools, which promotes system hardening and supports cost-effective outcomes.
Through collaborative efforts with state agencies, we will assist in the development and use of consistent project management standards
and methodologies, facilitate project oversight and assessment, project risk, and strive for high performing IT projects across the state.
These efforts will improve cost-efficiency through repeatable project success.
Strategy 2015-2016:
Objective 2: Coordinate multi-agency enterprise initiatives
Interagency collaboration promotes strategic business alignment. AST will establish enterprise relationships to identify multi-agency integration and consolidation opportunities. Solutions will focus on efficiencies, cost savings, utilizing existing information in new ways,
cross-boundary solutions for shared business processes, and ways to measure success.
AST will host workshops to promote the conversion of ideas into meaningful and innovative solutions. Workshops will identify data
management opportunities to promote interoperability and openness.
• 40% of all US exports to Latin America pass through Florida.
The Way Forward
[Timeline figure; fiscal years shown: FY 2014-2015, FY 2015-2016, FY 2016-2017, FY 2017-2018]
Strategy 1: Enhance security and privacy capabilities
Strategy 2: Enhance the Enterprise IT environment, including application rationalization
Strategy 3: Define the roadmap for maturing IT Processes & Strategic Business Alignment
FY 2016-17 Strategy: Implement statewide IT investment and portfolio management; Strengthen these throughout the State
FY 2015-16 Strategy: Complete migration to enterprise architecture; Implement enterprise hardware and software asset management and service delivery
The Way Forward:
Federated Identity & Access Management
Enterprise Data Exchanges
Rapid, Streamlined Delivery of Systems and Services
Uniform End-User Experience
eGovernment - anywhere, anytime, any device
Digital Automation (digital forms, signatures, etc.)
Enterprise Application Portfolio Management
2015-2018 Statewide Strategic IT Security Plan
Agency for State Technology
For more information visit ast.myflorida.com