September 2008 Archives

Security Checklist: NIST Offers Updated Guidance


The National Institute of Standards and Technology (NIST) has issued newly updated security checklists for government regarding best practices in configuring IT products. Sponsored by the Department of Homeland Security (DHS), the NIST Special Publication 800-70 is entitled: "National Checklist Program for IT Products - Guidelines for Checklist Users and Developers (Draft)."

After the executive summary, introduction, and overview of the checklist program, the guide covers checklist usage and checklist development, and it includes examples: Appendix B offers a checklist description template and Appendix C offers operational procedures.

Government Computer News (GCN) announced the new guide and described some of the goals of the National Checklist Program (NCP):

  • Facilitate development and sharing of checklists by providing a formal framework for checklist developers to submit checklists to NIST.
  • Provide guidance to developers to help them create standardized, high-quality checklists that conform to common operational environments.
  • Provide guidelines for developers for making checklists better documented and more usable.
  • Encourage IT product vendors and other parties to develop checklists and to configure their products based on those checklists.
  • Provide a managed process for the review, update, and maintenance of checklists.
  • Provide an easy-to-use repository of checklists.
  • Provide checklist content in a standardized format.
  • Encourage the use of automation technologies for checklist application.

I highly recommend taking a look at this new NIST publication. These checklists can be very helpful to follow.

So tell me, does your state use NIST or other checklists to securely configure IT products?

NASCIO 2008 Annual Conference Wrap-Up

The 2008 NASCIO Annual Conference ended today. Government Technology Magazine did a nice job of summing up a few of the items I intended to write about, so I won't dwell on the 2008 NASCIO Award winners or Teri Takai's well-deserved selection for the annual NASCIO Meritorious Service Award.

The ceremony last night ended with several important announcements, including the introduction of the new executive committee and NASCIO President John Gillispie, CIO from Iowa, handing over the gavel to the new President, Gopal Khanna, CIO of Minnesota. As the new leader, Gopal gave a rousing call to action for CIOs and their staff members to make a difference and commit to improving our nation's approach to IT engagement in the public sector in all 50 states.

Overall, I thought this was an excellent conference. NASCIO remains a very strong organization with considerable power and influence with various groups across the country. As many states transition to new Governors and our nation elects a new President, it will be interesting to see how things develop in state government IT in 2009.

One very positive recent development for NASCIO was the announcement by Senator Norm Coleman (MN) of a bill to strengthen state government cyber security. Hopefully, this bill will become law. My view is that this bill is a sign of closer ties with Congress and federal government agencies in years to come.

NASCIO 2008 Annual Conference - Day 2

This morning began with a keynote address from Dr. Kathleen Hall Jamieson, Director of the Annenberg School of Public Policy at the University of Pennsylvania.

Dr. Hall's main message was that our language matters much more than we realize, and we need to reexamine our vocabulary to more clearly articulate important messages externally and sell public policy and IT priorities. For example, acronyms like IRE (which stands for Information Resource Executive) and even CIO are not well understood by the public. Other words to avoid include infrastructure, GIS, IPv6 and other technical terms.

On the other hand, Dr. Hall recommends using phrases like "Identity Theft" which are well understood by the public.

As we make the case for IT to the public, we need to explain what our roles are in clear terms. For example: save lives, save money, save the planet, are well understood. Take another look at the question: "What do you do to support the taxpayer?" Translate your job into positive actions that can gain buy-in.

Dr. Hall challenged the audience to tell their neighbor what they do at work in an easy-to-understand single sentence. She did an excellent job of pointing out public perception of the work that we do, with video examples of IT going down and causing public disruption at airports. When things go well, say at schools or in transportation, others get the praise. We need to repackage our entire approach and show the value that public CIOs and IT shops add on a daily basis.

Later in the morning, another session was held entitled: CIO Reflections: Perspectives from both sides of the table. The session was moderated by Teri Takai, CIO of California, and it brought in current state government CIOs who came from the private sector as well as former public sector CIOs who are now in the private sector. It was a great conversation.

Here are a few of the takeaways:

- CIOs who go to the private sector are often shocked that they aren't seen as "thought leaders" but rather new execs that need to grow the business and the bottom line.

- Relationships and understanding of roles and issues are two of the greatest benefits you bring from a public sector CIO job to the private sector.

- Private sector execs who become public sector CIOs will fail if they take the job to "save government." The issues and challenges are large and different, and they had better listen to the advice of other CIOs who have gone before them.

- One panelist said that you are there not just to run the IT business but to help the Governor get re-elected. Help your boss succeed on their priorities.

- All of the panelists saw huge value in NASCIO before, during and after they were public CIOs. Some even called other public CIOs and learned more before they accepted the job.

- Know your strengths and weaknesses, and seek out other mentor CIOs who can offer advice and direction. Both sides agreed that humility was very important in dealing with relationships all-around.

Overall, a great day. More to come on the afternoon sessions and the awards banquet tomorrow.

NASCIO 2008 Annual Conference - Day 1

The National Association of State Chief Information Officers (NASCIO) is holding its annual meeting this week in Milwaukee, Wisconsin. I am blogging some of the highlights (from my perspective) each day.

This morning's keynote address featured the Honorable Tom Ridge, former Governor, Commonwealth of Pennsylvania and first Secretary, U.S. Department of Homeland Security.

Governor Ridge congratulated NASCIO on their bipartisan approach to dealing with state government technology problems in a world where everyone has "special interests." His main themes included:

- A need to elevate the message and add a sense of urgency to pressing IT issues in government.

- CIOs need to develop advocates or champions to sell their messages.

- Security of cyberspace is a "national priority."

- CIOs have one of the toughest jobs in government, because they get all the blame but little of the credit for successes. Citizens expect nothing bad to happen - just like with Homeland Security.

- Not much trust in government. We need to work on developing more

In the Q/A session, Governor Ridge said we need to consolidate IT more and eliminate silos in a new administration, as we address IT and cyberspace in the future. When asked what he would have done differently if he had the chance, he joked that he should have finished his term. He closed with a reiteration of the importance of IT and expressed his willingness to advocate for NASCIO at the National Governors Association.

A later session focused on consolidation efforts in IT by many states. Stories were told about Tennessee, Texas, and Indiana. The numbers were impressive, with savings quoted by Tennessee in the range of $34 million.

In Indiana, 800 servers were decommissioned, a new state portal was built, IT contracts were combined (with savings over $20 million), and TPI benchmarked their improvements and showed results as being top in service and lowest in cost. Indiana also added disaster recovery services.

Overall, it is clear that consolidation is happening all over the USA and in greater numbers than I ever thought possible. The benefits range from improved security to lower cost and better service.

An afternoon session on Green IT presented the economic case for going green. Virginia talked about telework programs and Michigan laid out aggressive green IT programs. Google also discussed their approaches to Green IT.

Overall, the first day was well attended, with about 500 attendees, including CIOs, their staff, and vendors. More to come tomorrow.

Suggestions Anyone? Can VA's Idea Box Help IT Security?

Recently, Virginia's Governor Tim Kaine announced a new Online Suggestion Box. This new online community is much more than just a place to input ideas. Rather, the site allows users to:

"Submit ideas so that others can comment and vote on them;

Vote on other ideas to promote them; and

Discuss ideas in forums with others and collaborate.

Ideas are then made searchable by issue area, keyword, date, or author.

Suggestions have widely ranged from implementing a statewide recycling program, to increasing the state cigarette tax, to legalizing hunting on Sundays."

This new Virginia ideas portal is a great step that is getting a lot of press. It certainly gets citizens interested in improving government and discussing the pros and cons of new suggestions or old ideas in new ways.

I happened to be down in Virginia (speaking at their COVITS conference) when the announcement was made by their Governor. The buzz created by this new Web 2.0 interactive site is real. I'm sure other states will follow their lead.

As I thought more about this concept, it occurred to me that a similar approach could be used for security (or other IT) enhancements. No, I'm not talking about social networking for geeks, but interaction between end users and IT staff around the country. Nor am I talking about your current help desk, but an electronic suggestion box for IT (and even security) ideas.

While this may open up Pandora's box to things we can't pay for, it could also help us improve security awareness. I suspect many of the suggestions would help local offices or work areas improve their situation. Some end users may even learn what policies and solutions already exist.

But before I forge ahead into a training pilot, I'd like to hear your thoughts on IT suggestion boxes. Does this idea make sense - for security? Is this too narrow?

Is Government Cyber Security Improving? What's Your Opinion?

There is a growing debate about the state of cyber security within state and local governments around the country. Despite huge investments by many over the past few years, many argue that the situation is getting worse. A recent article in the LA Times pointed to different points of view.

Meanwhile, the grades given to federal agencies are improving, even if the overall grade is still a "C."

But before I give you my view, I'd like to hear your opinion. Is cyber security improving in your government office, agency or state? Are operational plans working? Is enough being done to protect sensitive information? Is too much attention being paid to this topic? Should more money be spent on identity management or other aspects of computer security?

There are many metrics and various ways to measure cyber security, but one important measure is user experience. So what's your view? Are things better or worse than a few years back? I'd love to hear from you and get a dialogue going.

A-Space: A Social Networking Model for Government?

Social networking is very popular, but many governments are banning Facebook, MySpace and other social networking sites at work. Is there an internal model that can bring the benefits of sharing and collaboration without the temptations and security risks associated with checking in and sharing files or other information with friends all over the country?

Federal Computer Week (FCW) ran an article this week on a product called A-Space, which Intelligence Community officials hope will provide just the right Intranet solution.

Here's more from FCW: "The program's designers want A-Space to give analysts from all 16 intelligence agencies a place to share ideas and information more freely and collaborate across agency lines.

After logging in, analysts will have access to shared and personal workspaces, wikis, blogs, widgets, RSS feeds and other tools. To log in, analysts will need to prove their identity using public key infrastructure, and their agencies must list them in the governmentwide intelligence analyst directory."

Each user will have their own unique profile and be able to post notes to others' profiles.

The idea is not new, with many companies like IBM and Microsoft offering social networking tools for enterprise Intranets. The key is to gain adoption and get users working together in more efficient ways without developing another hard-to-use office toolset that never gains traction. Bottom line: many users want the real Facebook or MySpace.

A Google search for "Intranet social networking" brings a million results, with numerous options available to governments. And yet, installing and configuring a separate internal toolset seems to be daunting to most technology shops. Therefore, few governments have gone down this road to date.

Perhaps A-Space is the model, perhaps not. One thing is for sure: there will be plenty more examples to come.

Browser Battles Improve Security

Google has shaken our technology world - again. Yesterday afternoon, Google announced (on their official blog) that they are launching a new browser called Google Chrome in 100 countries today. Don't be fooled by the "beta version" label. This is a big development, and yes, this has security implications - for the better.

Here's an excerpt from their website: "Under the hood, we were able to build the foundation of a browser that runs today's complex web applications much better. By keeping each tab in an isolated "sandbox", we were able to prevent one tab from crashing another and provide improved protection from rogue sites. We improved speed and responsiveness across the board. We also built a more powerful JavaScript engine, V8, to power the next generation of web applications that aren't even possible in today's browsers."

There's no doubt that improved protection from rogue sites is needed. Microsoft's new Internet Explorer (IE) 8 (beta 2) browser, which was released last week, promises to offer similar advancements. Here are some of the security and privacy benefits promised on the official Microsoft download site:

- Automatic crash recovery

- Browse privately (which some have nicknamed "porn mode")

- Stay Safer Online - The new IE 8 beta offers better protection from malware and phishing with new filtering mechanisms. Here's an excerpt from their site:

"SmartScreen Filter

Internet Explorer 8's new SmartScreen Filter builds upon our leadership in the detection of phishing sites and now helps protect you against inadvertent installation of malware--or malicious software--which can compromise your data, privacy, and identity while also damaging your computer and valuable data. Today Internet Explorer is detecting over 1 million attempts to visit known phishing sites weekly.

When active, the SmartScreen Filter will also notify you when you attempt to download software that is potentially unsafe.

Cross Site Scripting (XSS) Filter

Cross Site Scripting (XSS) attacks have emerged as a leading exploit against web servers and web applications. Internet Explorer 8 introduces the capability to detect malicious code running on compromised websites, helping to protect you from these exploits which can lead to information disclosure, cookie stealing, account/identity theft, and more.

Domain Highlighting

Domain Highlighting lets you more easily interpret web addresses (URLs) to help you avoid deceptive and phishing sites that attempt to trick you with misleading addresses. It does this by highlighting the domain name in the address bar in black, with the remainder of the URL string in gray, making for easier identification of the site's true identity."
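As an added illustration of the domain highlighting idea in the quote above (example code written for this page, not Microsoft's IE8 implementation): the function below splits a parsed URL into the registrable domain that an address bar would show in black and the surrounding text it would show in gray, so that subdomain padding and userinfo in a misleading address end up in the gray part rather than the black part. The multi-label suffix list is a constructed stand-in for the Public Suffix List, and the WHATWG `URL` parser is assumed to be available as a global (browsers and Node.js 10+).

```javascript
// Added example (not Microsoft's code): "domain highlighting" for a URL.
// Splits a URL into the registrable domain (shown in black) and the rest
// (shown in gray), working from parsed components rather than raw text.

// Constructed, deliberately short stand-in for the Public Suffix List:
// suffixes under which the registrable domain is three labels, not two.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "gov.uk", "com.au", "co.jp"]);

// Return the part of a hostname that identifies who actually registered it.
function registrableDomain(hostname) {
  // IP literals (IPv4 dotted quad, bracketed IPv6) have no registrable
  // domain: show the whole address so the user sees it is not a named site.
  if (hostname.startsWith("[") || /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname)) {
    return hostname;
  }
  const labels = hostname.toLowerCase().split(".");
  if (labels.length <= 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Split a URL into { before, domain, after }: "before" and "after" are the
// gray text, "domain" is the black text. Returns null for unparsable input.
function highlightDomain(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl); // global WHATWG URL parser (assumption: available)
  } catch (e) {
    return null; // not an absolute, parsable URL: nothing to highlight
  }
  const domain = registrableDomain(u.hostname);
  // Labels in front of the registrable domain (e.g. "www.paypal.com.") are
  // subdomains chosen by whoever controls the domain, so they stay gray.
  const subdomainPrefix = u.hostname.slice(0, u.hostname.length - domain.length);
  // Anything before "@" is userinfo, not the host; it also stays gray.
  const userinfo = u.username
    ? u.username + (u.password ? ":" + u.password : "") + "@"
    : "";
  return {
    before: u.protocol + "//" + userinfo + subdomainPrefix,
    domain: domain,
    after: (u.port ? ":" + u.port : "") + u.pathname + u.search + u.hash,
  };
}
```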

Meanwhile, skeptics claim that Microsoft is just adding features that are already available in Mozilla Firefox. Here's how one site described the battle: "The new version, Windows Internet Explorer 8, will promise a stack of new features as the Seattle-based software giant hopes to claw back ground lost against the Mozilla foundation and its Firefox browser."

So expect a rush of articles on all aspects of this browser battle over the next week. As cloud computing heats up in the coming months and years, this topic will become one of the major front line competitions between Google and Microsoft.

ComputerWorld, PCWorld, and many others offered their own stories on this big Google announcement. Major newspapers like USA Today also proclaimed the new browser battles today. The good news in all of this is that security will almost certainly get better for all of us - and it's about time, since the bad guys are getting better as well.

Enterprises need to take a thorough (but quick) look at these new offerings and not drag their feet in implementing changes this fall. Your network security is at stake.