OIT Enterprise Security

• Strategic Planning and Management

Continuously ensure the enterprise’s information security program (principles, practices and system design) is in line with all state agency mission statements.

• Information Security Management

The development and management of principles, policies, standards, and procedures necessary to ensure the confidentiality, integrity, availability, and privacy of information throughout the information life cycle.

• Information Security Training & Awareness

The development and delivery of training and activities designed to instruct workers about their security responsibilities, and the delivery of information security processes and procedures for performing duties optimally and securely within related environments.

• Policy and Regulatory Assessment and Compliance

The review, evaluation, analysis and periodic monitoring of processes against statutory requirements; information security laws; regulations; industry-wide best practices; and enterprise and agency security controls to achieve the state’s information security goals and assist agencies in their effort to comply with applicable technology requirements (Agencies have primary responsibility for compliance).

• Vulnerability Management

The identification and testing of vulnerabilities to information assets, such as: databases, applications, desktops, servers, switches, routers, etc; the issuance of recommendation(s); and the management of mitigation strategies that achieve needed security at an affordable cost.

• Risk Management

Provide a balanced approach to the identification and assessment of risks to information assets, and the management of mitigation strategies that achieve enterprise information security goals and assist agencies in complying with applicable requirements (agencies have primary responsibility for compliance) at an affordable cost.

• IT Audit Facilitation

Taking ownership of IT audit response and remediation tracking to ensure that when agencies are audited who have OIT-managed systems included in the scope of the audit, that IT audit requests receive timely and accurate responses, and that audit remediation is occurring as agreed upon.

• Critical and Essential Application Risk Assessments

The provision of application risk assessments for agency critical and essential applications.  Issues discovered during the assessment will be tracked and discussed with the agency, and prioritized for corrective action (remediation).

• Email Filtering and Security

The application of inbound email filtering and targeted attack protection, as well as outbound email encryption to minimize email threats and data exposure.

• Security Event Monitoring and Incident Management

The development and issuance of processes and procedures to prepare and prevent, detect, contain, eradicate, recover and apply lessons learned from incidents impacting the mission of the State, and its agencies, including investigation and analysis used for recovering, authenticating, and analyzing electronic information to reconstruct events related to security incidents. E-discovery and data acquisition related to an investigation request is also included.

• Security Operations and Maintenance, including Endpoint Security

The maintenance, monitoring, control, hardening, and protection of the infrastructure, including servers and desktops, and the information residing on them to applicable State and agency requirements, during the operational phase of information systems and/or applications in production. This also ensures that tools are in place, on each OIT-managed endpoint to detect and prevent malicious activity, scan downloaded files for threats, validate compliance with state configuration and hardening requirements, and ensure patches and security updates are applied timely.

• System and Application Security

Ensures that the operation of IT systems and software does not present undue risk to the enterprise, and its information assets, through the integration of information security into an IT system or application during the System Development Life Cycle (SDLC).

• Vendor Risk Management 

The development and establishment of standards and contract language that promote the procurement of information products or services that meet the security requirements of the agencies. Vendor security assessments, as part of major purchases, ongoing vendor risk management for critical and essential services provided to the agencies.

• Employee Investigations

Investigate and analyze potential violations of acceptable use policy. Investigation is conducted as part of a security incident investigation, or as requested by the agency’s Human Resources department. Agency HR teams may contact the Office of Information Security for additional investigation services beyond acceptable use policy violations.