Part 1: Nebraska’s centralized approach to cybersecurity, compliance in age of coronavirus

The second part of this interview was published April 6.

Like the other 49 state chief information officers, and thousands more in local governments, Nebraska’s Ed Toner has been very busy on the front lines helping to orchestrate the continuation of business operations for the millions of citizens they all serve during this pandemic.

Toner agreed that Nebraska had been very much in sync with the other states, although with fewer than 100 confirmed cases at this point, the lockdown or shelter-in-place orders there have not been as drastic as those we are seeing in other parts of the country, particularly on the coasts.

“Nebraska is still operating on a come-to-work basis. However, we are prepared to work from home. Our focus has really been, and always will be, to be able to run the office of the CIO from home without any interruption,” Toner said. He has a very high confidence level that they can do that.

“We periodically work from home at the current time anyway as any team would. So we feel pretty good about that. We’ll be able to keep the state up and running,” he said.

He emphasized that Nebraska agencies have all gone through rigorous continuity of operations planning (COOP) for the last several years, and he has the statistics to demonstrate their success. Each agency, including his, gets an annual COOP scorecard rating from 1 to 10, with 10 being the best.

Ed Toner, Nebraska state chief information officer

“Our office is a 10. We have done all the exercises and proven that we can definitely run our organization without any interruptions,” he said. Toner went on to say that all state cabinet agencies and most of the non-cabinet agencies have at least a score of eight or better. “That means they will be able to work from home and continue to provide services to the constituents here in Nebraska.”

Toner’s next words reminded me that even in this pandemic era there is still business as usual and work to be done. In this case it was cybersecurity and compliance issues, along with identity and access management (IAM). Like most of us who have been state CIOs, Toner is often chagrined by the plethora of regulatory compliance requirements facing his organization.

“We’ve got Payment Card Industry (PCI) compliance in our environment. We’ve got CJIS; we’ve got all of the privacy laws to deal with. We’ve got the HHS HIPAA laws. We’ve got 1075 encryption requirements from the IRS, and so on,” he explained.

Centralized risk mitigation and compliance team

Nebraska consolidated agencies and infrastructure a couple of years ago, and Toner said that presented an opportunity to centralize all of the state’s compliance and security staff within the Office of the CIO. He formed what is called a risk mitigation and compliance team.

“We brought in the [Health Insurance Portability and Accountability Act] experts out of [the Nebraska Department of Health and Human Services] and the IRS 1075 experts from revenue. We brought in [Nebraska Criminal Justice Information System] out of state patrol — you name it — PCI, all the different folks who had that expertise and they were subject matter experts,” Toner said. He put them all together and then added the security team to that group. “And the value of that from an audit compliance side, from the IT side, we now look at everyone, every agency that is getting audited, and they have the full force of that team behind them,” Toner said.

Within this team structure, they have a tool that monitors and illustrates the workflow for all state compliance reviews and responses. Any audit material or report gets loaded in, documenting everything that is being done.

“So instead of having that information isolated at the state revenue agency, having an audit and having audit findings, and they’re isolated to revenue, this team knows every single agency’s audit findings.” In this way, if one agency fails an audit, Toner’s team knows exactly why and can make sure that the same failure does not occur in any of the other agencies. “So we take a very centralized approach, but then the fix for one agency on an audit finding, we make the fix to all agencies,” he said.

Identity and access management relies on centralization

Toner explained that Nebraska’s IAM strategy likewise benefited from the state’s centralization approach. He stated that identity and access management is most certainly part of the entire fabric of what his CIO office does. “I keep going back to the centralization theme — we can definitely limit any type of access, especially those with admin rights and things of that sort, to the groups that absolutely need it. You know, that’s one of my big tendencies. You always limit the number of users that really have access to databases with any type of Personally Identifiable Information (PII).”

His organization does that by restricting both access to that data and the granting of admin rights. From an agency’s perspective, obtaining such access is much more difficult, because the CIO office centrally manages it within its own teams. Toner limits the number of users with access to that data to just those who absolutely need it.

Returning to the coronavirus impact, Toner mentioned that he gets about 25 emails a day from his state CIO peers. His advice to them was familiar: “I think my biggest thing is probably the same thing as with everything else I do: Communicate to your teams what you’re going to do and how you’re going to do it. Communicate to your customers to make sure that they understand what your plans are and that you’re ready to go,” he said.

By doing this, agencies can focus on the particular services they provide.

“They’ve got other things to worry about so I’ve been really communicating that. We’ll be ready for business, the applications will be running. We will be able to support them,” Toner exclaimed. “So focus on your particular applications and services that you provide to the citizens. And don’t worry about our end. We will make sure you’re up, and ready to go.”