Part 2: Nebraska’s centralized approach to cybersecurity, compliance in age of coronavirus

Nebraska's CIO Ed Toner leverages his teaming approach for cybersecurity, compliance, risk and identity and access management (IAM) in the era of coronavirus.

This is a continuation of Ed Toner’s interview with Ask the CIO: SLED on March 26.

With confidence in Nebraska’s rigorous continuity of operations planning (COOP) procedures, including testing and even a scorecard, Chief Information Officer Ed Toner continues to believe that his state is adequately prepared for the coronavirus pandemic.

Nebraska is one of only eight states that have not issued a mandated so-called shelter-in-place directive. Toner’s boss, Gov. Pete Ricketts, has ordered measures to shut down schools and dine-in restaurants, plus gatherings of more than 10 people. However, the Nebraska state workforce continues to come to the office.

“Nebraska is still operating on a come-to-work basis. However, we are prepared to work from home. Our focus has really been, and always will be, to be able to run the office of the CIO from home without any interruption,” Toner said. He has a very high confidence level that they can do that.

By instituting a comprehensive COOP program, with annual agency reviews and even a COOP scorecard, Toner has been able to assure that Nebraska state government is prepared. Furthermore, Toner insists that his CIO agency will be able to keep the lights on, so to speak, during this pandemic, delivering appropriate infrastructure, network and application availability to state agencies and other customers.

That last point about “other customers” is significant. Nebraska, perhaps more so than all other states, serves as data processing headquarters for 86 of the state’s 93 counties, plus a number of different local governments as well.

While the pandemic and the state’s preparedness are front and center these days, Toner emphasized that IT business and ongoing challenges remain — perhaps none more so than the problems state and local government face with regard to federal and state compliance mandates.

It’s been said that there’s nothing certain in the world but death and taxes. However, I think that government regulatory compliance issues may come in a close third. There currently are emerging federal and state government mandates that significantly affect not only cybersecurity, but many other compliance issues as well for state and local governments.

Nebraska’s risk mitigation and compliance team

However, Toner was able to make the proverbial lemonade from a lemon. Rather than gnashing its teeth, Nebraska has been able to refashion a complicated, cross-jurisdictional, wasteful and expensive compliance environment into a focused, consolidated and value-added performance enhancement. As part of the state’s departmental consolidation initiative at the beginning of the Ricketts administration, Toner was able to centralize all of the state’s compliance and security staff into his CIO office organization. He formed what was called a risk mitigation and compliance team.

“We brought in the Health Insurance Portability and Accountability Act experts out of the Nebraska Department of Health and Human Services and the IRS 1075 experts from revenue. We brought in Nebraska Criminal Justice Information System out of state patrol — you name it — Payment Card Industry, all the different folks who had that expertise and they were subject matter experts,” Toner said. He put them all together and then added the security team to that group. “And the value of that from an audit compliance side, from the IT side, we now look at everyone, every agency that is getting audited, and they have the full force of that team behind them,” Toner said.

Ed Toner, Nebraska chief information officer, stands with servers.

Within this team structure, they have a tool that actually monitors and illustrates the workflow for all state compliance reviews and responses. Any type of audit material or report gets loaded in, documenting everything that’s being done.

In this manner, instead of having that information or finding isolated at a single agency, Toner’s team knows every agency’s audit findings. If one agency fails an audit, his team knows exactly why and can make sure that the same failure doesn’t occur in any of the other agencies.

“So we take a very centralized approach, but then the fix for one agency on an audit finding, we make the fix to all agencies,” he said.

California’s unorthodox teaming approach

Toner’s leveraging of resources and teaming approach are somewhat reminiscent of my experience as California’s CIO in the late 1990s, where I faced tremendous staffing and resource constraints from both budget and authority standpoints. I originally had a staff of 15 with only budget and policy responsibilities, not the strong CIO model with statewide operations and cabinet member status that would evolve over the next decade. Unfortunately, with this handicap I had to run herd and oversee 150 departments and their billions in annual IT spending, while at the same time facing intense scrutiny from the legislature, state auditor, and a media ravenous for exposing and exploiting state IT project failure.

With such a sparse and overworked staff it was unrealistic to cover all my project oversight bases, so I decided, if you can’t beat ‘em, join ‘em. Except for the Fourth Estate, and unknown to the governor’s office, I approached legislative committees, the state auditor and other good government committees sub rosa, and instead of following tradition by trying to deflect their attention from IT project problems, I actively encouraged them to specifically focus on them.

Anathema in government, I know, but it worked. Often unable to adequately convince agency IT, and especially agency executive and program leadership, to take the necessary steps to address a plethora of project management issues, and with dilatory backup from the governor, I focused my secret armada (above) on the most feckless agency villains. To paraphrase Dr. Johnson, nothing concentrates the mind of government bureaucrats more than a legislative committee hearing or state audit. Such developments and the resulting transparency were crucial to having the department and the administration take the appropriate measures, under my guidance of course, to reverse potential project failures.

Nebraska’s automated IAM in/outboarding process

Toner returned to state IT operational challenges during the pandemic and emphasized how critical it now was that identity and access management protocols were both rigorous and enterprise wide in approach. And it all starts with the employee on-boarding process. Naturally, in Nebraska, it’s a team approach.


“We’ve automated the process. When you hire a person at the state of Nebraska, you put in a service request and it’s an automated function,” Toner said. The new employee gets their laptop or desktop, their account credentials, their username and password. All of that is automated within literally a matter of minutes. “But I think we’re doing something unique in that we’re also making it, so that when someone leaves the state, especially those with privileged access, we treat them all the same.”

Toner explained that, by working very diligently and teaming with the state HR group, when someone leaves the state they literally push a button, answer a few questions, and then his team does the opposite of the onboarding process. Where in the former they auto-provisioned accounts, now they auto-delete accounts.

This process grew out of Toner’s centralized audit group, which saw that access control was a critical issue and that there is a gap if you’re just leaving it to the manager to fix. “We found that the one point, everyone is going to go through HR for their last paycheck. So we’re actually putting it into the hands of HR to make sure that one of their exit steps is to literally push this button, tell us who it is, and we’ll disable everything,” Toner said.
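The onboarding/offboarding pattern Toner describes, modeled as an added example that is not Nebraska's own tooling: one service request provisions every account, one HR exit step disables every account (privileged ones treated the same as the rest), and an audit check finds the gap that appears when the exit step is skipped. The `Directory` class and the system names are constructed stand-ins, not a real API.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    owner: str        # HR employee id (constructed values in the test)
    system: str       # e.g. "AD", "VPN", "AD-admin" (constructed system names)
    privileged: bool = False
    enabled: bool = True


@dataclass
class Directory:
    """Stand-in for the systems the CIO office auto-provisions into (hypothetical)."""
    accounts: list = field(default_factory=list)

    def provision(self, owner, systems, privileged_systems=()):
        """Onboarding: one service request creates every account at once."""
        created = [Account(owner, s, privileged=s in privileged_systems)
                   for s in systems]
        self.accounts.extend(created)
        return created

    def accounts_for(self, owner):
        return [a for a in self.accounts if a.owner == owner]


def hr_exit(directory, owner):
    """The HR exit-step 'button': disable every account the person holds,
    privileged ones exactly like the rest, and return an audit trail."""
    trail = []
    for acct in directory.accounts_for(owner):
        acct.enabled = False
        trail.append((acct.system, acct.privileged))
    return trail


def orphaned_accounts(directory, active_owners):
    """The audit gap the centralized team was closing: enabled accounts whose
    owner is no longer on HR's active roster."""
    return [a for a in directory.accounts
            if a.enabled and a.owner not in active_owners]
```

Running `orphaned_accounts` on a schedule against the HR roster is the detection side of the same control: it catches the cases where the exit step was never pushed.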
