As business owners and IT executives prepare to comply with the Massachusetts data protection law come January, state IT managers are making sure the commonwealth is ready to comply with those same security and privacy standards.
Massachusetts is subject to the same type of standards included in 201 CMR 17.00, though state government compliance was ordered by Gov. Deval Patrick rather than mandated by the state legislature.
Massachusetts CIO Anne Margulies said she sees this confluence as a strong positive, noting that it has helped to "accelerate and mobilize all of the security professionals around the commonwealth to work together on a standards-based security plan."
Key to the effort is nurturing a "security culture" that protects the data held on behalf of citizens. That means the state must lead by example, using tools to quickly detect and respond to intrusions or data breaches.
"The same law that the state passed for businesses here in the commonwealth we passed for state government ourselves," Margulies said. "We are holding ourselves to the same security and privacy standards that businesses are expected to.
"The laws or rules that apply to us [government] were actually accomplished through an executive order that the governor released," she said. "And certainly we were very involved in the language that applies across the state. The two sets of legislation -- the executive order and the commonwealth's new law that applies to business -- are very consistent with each other."
Data protection, security and privacy are just a few of the many challenges Margulies is trying to manage. When she took on the mantle of Massachusetts CIO in 2007, she faced a challenge familiar to any CIO: trying to do more with less. Like other states, the commonwealth of Massachusetts is facing a historic budget shortfall this year. That means making every drop of its IT budget of more than $87 million for fiscal year 2009 count.
Also topping the list of priorities were decisions about which technologies would meet the business needs of the commonwealth's many departments -- and what strategies the CIOs of state bureaus would use to manage the transition to new technology.
Those choices include how to move to service-oriented architecture, transition from standard telephony to Voice over Internet Protocol or add social software capabilities to static websites. The inherent challenge for the commonwealth's IT staff is that, like many enterprises, Massachusetts has many legacy systems that need to be updated, consolidated and maintained during that process. Multiple platforms and environments within enterprise systems need to be maintained and upgraded, including mainframes running z/OS, Windows, AIX, HP-UX and Linux operating systems. The process of prototyping and testing many of these technologies has begun but will take years to complete.
As Massachusetts CIO, Margulies also was charged with implementing the commonwealth's strategy for IT. This strategy, initiated during the transition to a new administration under Patrick and Lt. Gov. Tim Murray, was developed in collaboration with IT and business leaders from around the commonwealth.
The eventual "IT Strategy for the Commonwealth, FY 2009-2011" focused on creating an infrastructure that could scale to meet the needs of government agencies in the future. The key initiative identified in that plan is IT consolidation. New York's state CIO has since released a similar statewide strategic IT plan.
These priorities are being expressed in technology initiatives around the state, as evidenced in the budget for fiscal year 2010, but much of the focus for Margulies in 2009 has been to support the American Recovery and Reinvestment Act (ARRA) and apply the federal stimulus funds coming from Washington. Specifically, the Massachusetts Information Technology Division (ITD) is reworking its Mass.gov website to allow real-time reporting of information on stimulus projects. The eventual goal is to let citizens and state employees access, manipulate and use data independently to track how ARRA funds are being spent. Tracking spending transparently is, in fact, a key aspect of ARRA compliance.
'Government 2.0': Implementing Web 2.0
Several tools in particular have proved useful in working toward that goal. The commonwealth set up "CommonWiki" using the Confluence platform, an enterprise wiki system. Each project gets a wiki, where state officials and workers can find resources, reports and other information. Margulies said she hopes to add further functionality to these wikis that will mash up more data on ARRA websites, including geographic information systems and financial data, allowing users to "look down at a map and drill down and see what kind of investments they're making, community by community."
The commonwealth has seen rapid growth in the use of CommonWikis. One challenge for Secretariat CIOs, in fact, has been to provide adequate support as usage grows. More users require more bandwidth, training and moderation. Margulies said she has taken an incremental approach to rolling out each project to ensure that each wiki provides reliable services, watching to see how people use them and adjusting as "each evolves and grows in a natural way." Initially, each wiki is being used internally by state workers. In the future, that will change.
Separately, the Mass.gov website has rolled out a growing selection of state government blogs, where citizens can provide feedback. Blogs focused on innovation, jobs, public health, transportation and other subjects are live and active. Comments for each blog are moderated. Margulies said the challenge she sees in adopting each of these "Enterprise 2.0" technologies is in managing the overlap between them, trying them and determining where the value is for government before making any major investments. Linking to relevant resources and providing forums for discussion, for instance, can be accomplished with a wiki, blog or through an external source, like the @MassGovernor Twitter account. None of the technologies the commonwealth is currently experimenting with exposes mission-critical or proprietary data.
Another issue of great concern to Margulies (and other CIOs) is energy consumption. The ITD has published energy standards for the commonwealth's IT infrastructure. The Massachusetts Department of Environmental Protection is also exploring renewable energy options. Margulies said she expects adherence to these standards in purchasing, server room design and user behavior to result in significant cost savings. The commonwealth is also building a new data center in western Massachusetts that "will be a showcase for green technologies," energy management and green building practices. Margulies said she looks forward to being able to do more disaster recovery internally once the data center is complete. The function is currently supplied by a third-party provider.
The commonwealth is currently consolidating its data centers and resources with the goal of creating an "internal" or private cloud that can be provided to agencies. As is the case for many enterprises, this data center consolidation is taking place through the use of virtualization. Multiple levels of security requirements, depending on data classifications, have made the process complex, but Margulies said she sees this consolidation as "critically important" for achieving the state's goals. She said she also sees a logical progression where this internal cloud may be used for backup, disaster recovery or other kinds of specialized services in the future.
When asked about the most effective step that a CIO can take when approaching a new position, Margulies cited the collaborative creation of a strategic plan that lays out the challenges, risks, stakeholders and goals for an organization.