Administrative and Supporting Services 110 - PL - KS - DSHS CYBER COMPLIANCE MONITORING
Agency Submittal: 21-2018 Suppl Agency Req Budget Period: 2017-19
REQUEST
The Department of Social and Health Services (DSHS) Enterprise Technology (ET) requests $1,343,000 ($940,000 GF-State) for equipment and 1.4 FTEs to protect highly sensitive client information from internal and external threats.
PROBLEM STATEMENT
DSHS does not have adequate cyber security technologies and resources to identify and prevent persistent and complex security threats that put client information at risk of disclosure on a daily basis. While DSHS continues to partner with WaTech on information and asset protection, a solution to monitor and protect DSHS-specific systems, networks and sensitive information is currently missing. WaTech does not provide these services. This request would result in the implementation and integration of an enterprise logging and analysis solution and two security analysts who are critical to protecting our systems and highly sensitive information. This funding will increase DSHS’ capability to secure confidential client information, put DSHS in compliance with state and federal mandates, improve security measures without detracting from mission critical efforts, and reduce the overall risk security threats pose to our most vulnerable citizens.

DSHS provides services or support to 2.8 million people. Our systems contain highly confidential information such as social security numbers, medical and mental health information, names and contact information, financial information, fingerprints, photographic images, race, and religion.

For DSHS, the impacts of data breaches, unauthorized disclosure of confidential information, and non-compliance with federal and state regulations are significant. We incur administrative costs for notification to affected clients, including translations, and potential costs for credit monitoring. U.S. HHS Office for Civil Rights (OCR) penalties can range from $100 to $50,000 per violation, up to $1,500,000 for multiple violations of the same HIPAA requirement per year. For violations of multiple HIPAA requirements, the fines can reach into the multi-million dollar range. Legal costs related to settlements from lawsuits are another risk, and importantly, the loss of public trust and confidence in government services.
PROPOSED SOLUTION
INFORMATION TECHNOLOGY ITEMS       FY 2018    FY 2019
Log Indexing and Archiving         0          $633,909
Licensing                          0          $371,000
Tier 3 Analyst IT/AS5 (2)          $82,180    $255,974
TOTAL COST                         $82,180    $1,260,883
The funding will procure hardware, software, and related support to collect and preserve system log data (Log Indexing and Archiving), and licenses to perform log monitoring, alerting, and detection of security events (Licensing). The funding will also provide for two Information Technology Specialist (ITS) 5 Security Analysts, whose primary objective will be to use the newly acquired tools to analyze the complex log data to detect intrusion, exfiltration of data, exploitation, unauthorized behavior, and other malicious acts against DSHS information systems.
EXPECTED RESULTS
DSHS will be able to appropriately protect confidential client information, and systems, against security threats. In doing so, we will preserve public trust and confidence in government services, and increase DSHS’ compliance with state and federal mandates. This will reduce risk to client safety and privacy, and lessen service interruptions, by reducing risk to the DSHS systems that manage and provide services to Washington’s citizens.
STAKEHOLDER IMPACT
DSHS provides direct services to approximately 2.8 million clients, and shares data with other state agencies and external entities. This implementation will have a positive impact on our clients and partners by way of added protections and controls around our data to ensure privacy and confidentiality. It is anticipated that the public, Legislature, employee unions, and Department of Labor and Industries will favorably endorse our efforts to concentrate qualified expertise and essential technology on the critical issues of safety and security.
Agency Contact: Adam Lewis, (360) 902-8179
Program Contact: Kim Anderson, (360) 902-8443
OTHER CONNECTIONS
1. Does this DP provide essential support to one or more of the Governor’s Results Washington priorities?
Goal 5: Efficient, Effective & Accountable Government - Customer Satisfaction and Confidence - 1.1 Increase customer services.
2. Identify other important connections or impacts below. (Indicate ‘Yes’ or ‘No’. If ‘Yes’ identify the connections or impacts related to the proposal.)
a) Regional/County impacts? No
b) Other local government impacts? No
c) Tribal government impacts? No
d) Other state agency impacts? Yes
e) Responds to specific task force, report, mandate or executive order? Yes
f) Does request contain a compensation change or require changes to a Collective Bargaining Agreement? No
g) Facility/workplace needs or impacts? No
h) Capital budget impacts? Yes
i) Is change required to existing statutes, rules or contracts? No
j) Is the request related to litigation? Yes
k) Is the request related to Puget Sound recovery? No
l) Other important connections? Yes
3. Please provide a detailed discussion of connections/impacts identified above.
Implementation of an enterprise logging solution and the expertise of highly-trained security analysts will improve the security of the valuable data within our networks, which includes Personally Identifiable Information (PII) such as social security numbers, as well as medical and mental health information, and financial information, and bring DSHS into compliance with federal and state requirements for incident response, system log monitoring, and detection policies and systems. Increased security will result in reduced financial loss related to litigation and fines, affording DSHS the ability to focus more effort and funding toward the support of the critical services our clients rely upon.
Alternatives/Consequences/Other
4. What alternatives were explored by the agency, and why was this alternative chosen?
Submission of 2017-19 Decision Package to increase WaTech security tools.
5. How has or can the agency address the issue or need within its current appropriation level?
DSHS, in collaboration with WaTech and the Office of Cyber Security (OCS), has made great advancements in securing DSHS data via the State Government Network (SGN), which provides a perimeter of protection around all state agencies. However, additional funding is required to address the assets within DSHS’ internal network. The SGN does not protect against threats that originate within its perimeter, such as employee-generated malicious behavior, threat actors who have gained physical access to agency devices or networks, and actors or entities who have made it through the SGN’s layer of protection. With the use of mobile devices, cloud computing, Software as a Service (SaaS), wide use of the Internet to do business, and the potential of insider attacks, securing the perimeter alone does not provide adequate protection from the threats to information security. Services offered through our partnership with WaTech and OCS do not reach beyond our perimeter to protect the valuables within our walls.
6. Does this decision package include funding for any IT-related costs (hardware, software, services, cloud-based services, contracts or IT staff)?
☐ No
☒ Yes (Include an IT Addendum)
Fiscal Detail
Operating Expenditures FY 2018 FY 2019 FY 2020 FY 2021
001-1 General Fund-State 58,000 882,000 225,000 235,000
001-2 General Fund-Federal 24,000 379,000 96,000 100,000
Total Cost 82,000 1,261,000 321,000 335,000
Staffing FY 2018 FY 2019 FY 2020 FY 2021
FTEs 0.7 2.0 2.0 2.0
Performance Measure Detail
Incremental Changes
Activity: FY 2018 FY 2019 FY 2020 FY 2021
Program: 110
H001 Administrative Costs
No measures submitted for package
Object Detail FY 2018 FY 2019 FY 2020 FY 2021
TZ Intra-agency Reimbursements 82,000 1,261,000 321,000 335,000
Total Objects 82,000 1,261,000 321,000 335,000
DSHS Source Detail
Overall Funding
Operating Expenditures FY 2018 FY 2019 FY 2020 FY 2021
Fund 001-1, General Fund-State
Sources Title
0011 General Fund State 58,000 882,000 225,000 235,000
Total for Fund 001-1 58,000 882,000 225,000 235,000
Fund 001-2, General Fund-Federal
Sources Title
FLIV Fed Entered as Lidded (various%s) 24,000 379,000 96,000 100,000
Total for Fund 001-2 24,000 379,000 96,000 100,000
Total Overall Funding 82,000 1,261,000 321,000 335,000
2018 Supplemental Budget 110 – PL – KS – DSHS Cyber Compliance and Monitoring IT Addendum 1 – Attachment 1
Revised 5-23-2014
Office of the Chief Information Officer, Washington State
Procedure No. 121: IT Investment Approval and Oversight
Appendix B: Concept Briefing Document Template
(See OCIO Policy 121- IT Investment Approval and Oversight) OCIO Log Number:
Email this Document To:
0 Tentative Project Title: Cyber Compliance and Monitoring
Will this concept lead to a decision package submittal to OFM for the upcoming budget cycle? Yes
Preliminary Oversight Assessment: Level 2
1 Agency Name: Department of Social and Health Services
Contact Name: Kim Anderson; Phone No. and E-mail: 360.902.8443, [email protected]
If known:
Project Manager Name/Title: ; Phone No.:
Executive Sponsor Name/Title: Cheryl Strange, DSHS Secretary; Phone No.: 253.756.2870
Business Owner Name/Title: Wayne Hall, CIO; Phone No.: 360.902.7652
2 Describe the business problem the agency is trying to solve with this project: (100 word max): Logging solutions are required to support compliance with both federal and state regulations. This funding increases the ability of the DSHS Information Security Office to support enterprise-wide logging and integrate existing logging solutions. Risk of not funding this request includes non-compliance with regulatory requirements, resulting in fines or impact to client services and client, employee, and agency data.
3 Please describe any additional relevant factors that further motivate this project, such as legislation or a financial analysis. DSHS is currently working to comply with state and federal requirements for information security. Funding approval would help ensure that DSHS is able to comply with OCIO Standards 10.1 (Logging Policies) and 10.2 (Logging Systems), and federal requirements for system log monitoring and detection procedures.
4 Describe likely funding scenarios for this project: Currently, the funding proposal is limited to a decision package submittal to OFM for the upcoming budget cycle.
5 Estimated Range of Project Cost: More than $1M and less than $2M
Estimated 5-year Maintenance Cost: More than $1M and less than $3M
Estimated Range of Total Lifecycle Cost: More than $1M and less than $5M
6 If there is a hoped-for Project Start Date, please note it here: January 2018
Estimated Project Duration in Months: 6 Months
7 Describe performance outcomes and how they will be measured. Updated infrastructure hardware and segmented sites by June 30, 2019.
8 What discovery or market analysis will the agency do to inform the technical solution? (Survey other agencies/states, RFI, RFQ, Feasibility Study, etc.): Solution research and analysis, and product testing and feasibility studies.
9 Will this project deliver customer-facing value? If so, please describe that value and at approximately what point in the Project Duration that value will be delivered. In your response, please describe who the primary customer is: This project will deliver value in the form of implemented logging solution and highly-trained security analysts that will increase DSHS’ ability to protect confidential and sensitive data, and reduce the overall vulnerability of clients and partners to security threats. Value will be delivered upon implementation of the logging solution and associated security protocols. The customer is identified as the DSHS clients and partners, who will benefit from secure personal and health information.
10 Describe how this concept aligns with the State IT Strategic Objectives: Aligns with the Governor’s Results Washington priority Goal 5: Efficient, Effective & Accountable Government – Customer Satisfaction and Confidence – 1.1 Increase customer services. This proposal aims to increase customer satisfaction and confidence through increased data security. If funded, this proposal will also align with building customer satisfaction and confidence through implementing log monitoring and analysis, which will protect confidential and sensitive client information.
11 Agencies are expected to utilize CTS and DES applications and services when appropriate and/or mandated by legislation. What is the status of your consult with CTS? With DES? Log archiving per the estimate ($575,000) from WaTech used in the 2017-2019 security decision package was not funded and the current solution is not capable of supporting DSHS requirements.
12 What are the biggest concerns about the project at this point in time? The biggest concern with this project at present is the lack of funding to purchase and implement logging solution and hire adequately skilled security analysts.
OCIO NOTES Meeting Date: / / Comments:
INSTRUCTIONS
1. Using an "X" in the AGY Rate column, choose one value for each criterion.
Write comments, if needed, in the Agency Notes column.
2. Complete one worksheet per decision package.
3. Send completed worksheet/s for ML DPs by August 19, 2017 and PL DPs by August 25, 2017 to [email protected], for the DSHS CIO review.
2018 Supplemental Budget
110 - PL - KS - DSHS Cyber Compliance and Monitoring IT Addendum 1 - Attachment 2
Administration: Services and Enterprise Support Administration
DP Name: Cyber Compliance and Monitoring

Parent Criteria: Business Driven IT Management
These criteria are used to assess how IT proposals support business changes made to improve services or access to information for agency users, customers or citizens and are staged for success.

Criterion Name: Business Process Improvement
AGY Rate: x (Moderate Transformation, 25%)
Criterion Definition: Primary goal of the proposal is to transform an agency business process -- This criterion will be used to assess the transformative nature of the project. (INTENT: to incentivize agencies to take transformative projects that may include risk.)
Rating Value Scale Definition:
  Major Transformation (100%): The project is transformative and sets up the agency for continuous process improvement.
  Significant Transformation (50%): The project is transformative by improving or leaning out significant business processes.
  Moderate Transformation (25%): The project is transformative and improves some business processes. [x]
  No Transformation (0%): The project is not a transformative initiative.

Criterion Name: Risk Mitigation / Organizational Change Management
AGY Rate: x (Moderate Risk Mitigation, 50%)
Criterion Definition: Primary goal is to assess the agency's anticipation of the risk of an initiative and planned mitigation of those risks. This criterion will be used to determine if the initiative provides adequate resources to mitigate risks commensurate with the risks associated with a technology initiative. Risk planning may include budgeting for independent Quality Assurance, organizational change management, training, staffing, etc. (INTENT: Drive business value by encouraging risk taking that is well managed.)
Rating Value Scale Definition:
  Strong Risk Mitigation (100%): The project has anticipated and budgeted for risk mitigation or has no associated risks.
  Moderate Risk Mitigation (50%): The project has budgeted for a minimal amount of risk mitigation. [x]
  Minimal Risk Mitigation (25%): The project speaks to risk mitigation but has not identified resources to address the issue.
  No Risk Mitigation (0%): The project has not considered or planned for associated risks.

Criterion Name: Measurable Business Outcomes Aligned to Agency Strategy
AGY Rate: x (Significant, Measurable Outcome Metrics, 100%)
Criterion Definition: The goal of this criterion is to assess the extent to which the IT proposal has established measurable business outcomes aligned to agency strategies. (The intent is to drive agencies to establish business outcomes and measure those outcomes.)
Rating Value Scale Definition:
  Significant, Measurable Outcome Metrics (100%): The project proposal identifies significant performance measures that have a direct impact on the business of the agency. Measures are base-lined and have target goals. [x]
  Significant Transformation (50%): The project has identified at least one outcome measure but has no baseline data or target goals.
  Outcomes Identified / Not Measurable (25%): The project speaks to business improvements but has not identified any measurable outcomes.
  No Business Outcomes Identified (0%): The proposal has not identified any performance outcomes.

Criterion Name: Impact of Not Doing
AGY Rate: x (Significant Impact, 100%)
Criterion Definition: Primary goal is to assess the impact of not funding an IT initiative as it may relate to service failure, mandates, legal requirements, or loss of opportunity.
Rating Value Scale Definition:
  Significant Impact (100%): Failure to meet statutory or legal mandates. Include imminent failure of a mission critical system. [x]
  Moderate Impact (50%): There is a risk of failure for aging systems and high cost for recovery and support.
  Minimal Impact (25%): Loss of opportunity for improved service delivery or efficiency.

Parent Criteria: Architectural Standards
The goal of these criteria is to assess the IT proposal's implementation of interoperability standards and reuse of existing systems or components.

Criterion Name: Interoperability
AGY Rate: x (Optional Vendor Add-on, 50%)
Criterion Definition: Application/system has the capability to share information with other systems without additional custom development (either in house or by the vendor/s) or additional investment in order to achieve interoperability. (INTENT: Drive agencies to acquire and/or develop systems that are interoperable across the state enterprise.)
Rating Value Scale Definition:
  Plays great with others (100%): Interoperability is built into the core IT systems used by the project. The system publishes a clear Application Programming Interface (API) that allows other state systems to exchange data with it simply and reliably without restrictions, additional purchases or new custom coding.
  Optional Vendor Add-on (50%): The project will use a system that can inter-operate with other systems through one or more proprietary connectors, services, etc., usually created and supported by the system vendor for an additional fee. [x]
  Custom coding required (24%): New connections can or have been made to external systems via custom development.
  Isolated (0%): The systems in this project will not really communicate with other systems in state government, except by virtue of sharing another database.

Criterion Name: Leverages Existing Systems or Creates Reusable Components
AGY Rate: x (Significant Reuse, 100%)
Criterion Definition: Reuse: leverages an existing system already in use within the state or has the potential to be reused by other agencies or programs.
Rating Value Scale Definition:
  Significant Reuse (100%): Completely leverages an existing system already in use within the state or has the potential to be reused by other agencies or programs. [x]
  Moderate Reuse (50%): Leverages some system components already in use within the state but has the potential for additional reuse by other agencies or programs.
  Minimal Reuse (25%): Leverages some existing components but does not have the potential for additional reuse by other agencies or programs.
  No Reuse (0%): Does not leverage any system or components already in use within the state and does not have the potential to be reused by other agencies or programs.

Parent Criteria: Technology Strategy Alignment
The goal of these criteria is to assess the alignment of the IT proposal to the technology strategies of the state as articulated by the Office of the Chief Information Officer.

Criterion Name: Mobility
AGY Rate: x (No Mobile Component, 0%)
Criterion Definition: New mobile services for citizens or state workforce -- This criterion will be used to assess the contribution of the initiative to support mobile government services for citizens and a mobile workforce. (INTENT: to drive agencies to look for ways to deliver results and services that are accessible to citizens from mobile devices. We value mobility for employees as well but value mobility for citizens more.)
Rating Value Scale Definition:
  Primarily Mobile (100%): The project's primary objective is to create anytime, anywhere mobile access to a state system or service for a significant number of external customers.
  Moderate Mobile Improvement (50%): The project will improve the mobility for state workers or provide access to a small number of external customers.
  Incremental Mobile Improvement (25%): The project may provide an incrementally improved mobile experience for external customers or workers.
  No Mobile Component (0%): The project provides no improvement to a mobile experience for external customers. [x]

Criterion Name: Open Data
AGY Rate: x (No Open Data, 0%)
Criterion Definition: New data sets exposed -- This criterion will be used to assess if the initiative will increase the citizen's access to state data with no strings attached and in a format that's easy to use. The legislature has found that government data are a vital resource to both government operations and to the public that government serves (RCW 43.105.351). Publication of open data reduces time spent on records requests, helps our companies adapt to a dynamic economy, and helps civic groups, researchers and small agencies get their work done.
Rating Value Scale Definition:
  Open, Useful + Multi-Agency (100%): Two or more agencies are collaborating to publish open data in this project that they know will be used and useful.
  Open and Useful (50%): The agency will produce more open data as part of this project and knows that it will be useful to the public - perhaps through a stakeholder feedback process or analysis of web analytics on current offerings.
  New Open Data (25%): The project will publish some new open data, but the agency or project team are working within a single agency and are not in a position to assess how useful it may be.
  No Open Data (0%): The project will not publish open data. It may be that the project's data is confidential, or that the agency prefers to publish PDFs, printed reports or eyes-only briefings. [x]

Criterion Name: Modernization
AGY Rate: x (Newer with no Cloud, 25%)
Criterion Definition: Cloud, SaaS, PaaS, COTS before custom development -- This criterion will be used to assess if the initiative will result in replacing systems with contemporary solutions. (INTENT: to drive agencies to look more intently at leveraging modern solutions.)
Rating Value Scale Definition:
  Modern and Cloud (100%): The project is designed to significantly modernize a core part of state IT infrastructure using a cloud-based approach. We value a cloud first strategy that means SaaS, hosted COTS, PaaS, and IaaS.
  Modern and Hybrid (50%): The project uses a significantly newer technical solution that is a combination of cloud and non-cloud.
  Newer with no Cloud (25%): The project uses a significantly newer technical solution that is not cloud based. [x]
  Not More Modern (0%): The project replaces legacy systems or technologies with technology that is not significantly more modern.

Criterion Name: Early Value Delivery
AGY Rate: x (Value Within 6 Months, 100%)
Criterion Definition: Adds value in short increments -- This criterion will be used to determine if the initiative provides “customer-facing value” in small increments, quickly to drive our agile strategy. (INTENT: Drive agencies to producing value more quickly and incrementally.)
Rating Value Scale Definition:
  Value Within 6 Months (100%): The project is designed to produce customer-usable value every six months. [x]
  Value Within 12 Months (50%): The project is designed to produce customer-usable value every twelve months.
  Value Within 18 Months (25%): The project is designed to produce customer-usable value every 18 months.
  Value Over 18 Months (0%): The project does not take an agile approach and/or does not deliver customer-facing value every 18 months.

Parent Criteria: Security and Privacy
The goal of these criteria is to assess the IT proposal's impact on the security of agency systems and data AND the impact on the privacy of citizen data.

Criterion Name: Security
AGY Rate: x (Agency-wide Impact, 100%)
Criterion Definition: Improve agency security -- This criterion will be used to assess the improvements to the overall security posture for an agency. (INTENT: to award points to projects when the purpose of the initiative is to improve security across an agency.)
Rating Value Scale Definition:
  Agency-wide Impact (100%): The project’s primary purpose is to introduce new capabilities to improve security across an agency. [x]
  Adds New Security (50%): The project addresses a business problem AND includes significant security improvements.
  Improves Existing (25%): The project incrementally improves the existing security for an agency.
  No Impact (0%): The project will have no impact on an agency’s security posture and/or infrastructure.

Criterion Name: Privacy Principles
AGY Rate: x (Agency-wide Impact, 100%)
Criterion Definition: Privacy principles applied to investment -- This criterion will be used to assess if the initiative will be implemented in whole or in part with consideration of established privacy principles (e.g., data minimization, data retention, data quality, controlled data access, etc.).
Rating Value Scale Definition:
  Agency-wide Impact (100%): The project’s primary purpose is to introduce new capabilities to improve data privacy across an agency. [x]
  Adds New Privacy Capabilities (50%): The project addresses a business problem AND includes significant data privacy improvements.
  Improves Existing (25%): The project incrementally improves the existing privacy posture and/or capabilities.
  No Impact (0%): The project will have no impact on an agency’s data privacy posture and/or infrastructure.
2018 Supplemental Budget 110 - PL - KS - DSHS Cyber Compliance & Monitoring IT Addendum - Attachment 1
Agency Preliminary Assessment Tool - Agency Tool
(Note: You will also soon be receiving an email confirmation with this information)
Customer Information
Primary Contact Name: Kim Anderson
Phone Number: (360) 902-8443
Email Address: [email protected]
Agency Name: Social and Health Services, Department of (DSHS)
Project Name: DSHS Cyber Compliance and Monitoring - Decision Package
Project Acronym: CCM - DP
Project Start Date: Jan 2018
Project End Date: Jun 2018
Project Budget: $1500000
Additional Notification Emails:
Questions
Question 1: What is the anticipated duration of the project?
Answer: 2 | Project initiation through closure is more than 6 months but less than 12 months.
Comments:
Question 2: Are there constraints on the project schedule?
Answer: 1 | The project schedule has contingency or slack and/or is flexible.
Comments:
Question 3: What is the anticipated project budget from initiation through implementation, transition to operations and close-out? Include all Business and IT costs such as staff and professional services, hardware, software, and any other incurred internal costs associated with the project.
Answer: 3 | $1M to $2M
Comments:
Question 4: Is adequate project funding, including maintenance & operations, secured?
Answer: 3 | Not all funds are confirmed. Internal agency dollars, grants, or federal funds will need to be identified and committed OR a funding request will need to be submitted to OFM in an upcoming budget cycle.
Comments:
Question 5: Does the project require changes to, or implementation of, a system that impacts citizens, other state or local organizations, or service providers?
Answer: 1 | The impact is to internal agency business processes / operations only.
Comments:
Question 6: How well defined are the changes the project will introduce?
Answer: 3 | The business requirements exist, but only at a high level.
Comments:
Question 7: What is the degree of impact to agency operations or business rules/processes?
Answer: 3 | There is impact to business rules/processes to multiple programs within one agency.
Comments:
Question 8: Does this project impact compliance with policies, mandates, or provisos/laws?
Answer: 4 | The project impacts compliance with state and/or federal mandates or provisos/laws and may affect future agency funding.
Comments: HIPAA, IRS, and CJIS compliance.
Question 9: Are there dependencies with other projects?
Answer: 2 | This project is dependent on one project OR one project is dependent on this project.
Comments:
Question 10: Is the agency prepared for the organizational change management required to successfully implement the proposed solution?
Answer: 4 | There is major impact to technical and/or business users and limited or no internal subject matter expertise exists and significant training is required.
Comments:
Question 11: Who is assigned to project tasks?
Answer: 2 | Core project staff are not assigned 100%, but impacted IT and business sponsors are actively engaged on the project steering committee and have committed to assign staff to the project as needed.
Comments:
Question 12: Does the executive sponsor have authority and experience?
Answer: 1 | The project has an executive sponsor with BOTH the authority to allocate organization-wide staff and prior experience sponsoring Major Projects.
Comments:
Question 13: Does the project have experienced project management staff and resources?
Answer: 1 | The agency has documented, repeatable project management and governance processes and project managers have at least 24 months of experience leading Major Projects.
Comments:
Question 14: How many Major Projects has the agency managed in the last five years?
Answer: 1 | >15
Comments:
Question 15: What is the degree of project impact to technology (e.g. architecture, network, software, infrastructure, or connectivity to external services and systems)?
Answer: 2 | The project will make minor change to technology.
Comments:
Question 16: Does the proposed solution require any new development or customization be done by State IT staff [vs. full Commercial-off-the-Shelf (COTS) or Cloud services]?
Answer: 2 | The project requires minor change or minimal customization to an existing system leveraging experienced staff or vendor resources.
Comments:
Question 17: Is there existing agency technical expertise regarding the proposed solution?
Answer: 2 | The proposed technology is new to the agency, but there is industry or 3rd party expertise and requires minimal knowledge transfer and/or training.
Comments:
Question 18: Does the system collect or process sensitive data? (per OCIO policy 141.10 Section 4.1 Data Classification)
Answer: 3 | Only category 1-3 data is stored or processed.
Comments:
Question 19: Does the project replace or significantly modify a financial or administrative system?
Answer: No
Comments:
Question 20: Will the project introduce any deviations from OCIO policy, standards, or statewide enterprise architecture?
Answer: No
Comments:
Final Score: 40
This form is for your agency use preliminarily to your official submission. We appreciate the efforts you have put into this project to date and look forward to helping you in the future. Please note: it is the responsibility of the agency to follow all OCIO Policies for IT Projects (http://www.ocio.wa.gov/policies), any procurement policies internal to your agency or from the Department of Enterprise Services, and any other internal agency policies that might be relevant to this investment. If you have questions you can contact the OCIO Oversight Consultants at [email protected]. You will use the IT Project Assessment Tool – Submission form when you are ready to submit to the OCIO.
2018 Supplemental Budget - IT Addendum – 110 – PL - KS - DSHS Cyber Compliance & Monitoring
Part 1: Itemized IT Costs
Please itemize any IT-related costs, including hardware, software, services (including cloud-based services), contracts (including professional services, quality assurance, and independent verification and validation), or IT staff. Be as specific as you can. (See chapter 12.1 of the operating budget instructions for guidance on what counts as “IT-related costs”)
Information Technology Items in this DP    FY 2018    FY 2019       FY 2020     FY 2021
Log Indexing and Archiving                 0          $633,909      0           0
Licensing                                  0          $371,000      $53,025     $53,025
Tier 3 Analyst ITS 5 (2)                   $82,180    $255,974      $268,772    $282,211
Total Cost                                 $82,180    $1,260,858    $321,797    $335,236
*Current estimates will not exceed $1,000,000 over the biennium.
Part 2: Identifying IT Projects
If the investment proposed in the decision package is the development or acquisition of an IT project/system, or is an enhancement to or modification of an existing IT project/system, it will also be reviewed and ranked by the OCIO as required by RCW 43.88.092. The answers to the three questions below will help OFM and the OCIO determine whether this decision package is, or enhances/modifies, an IT project:
1. Does this decision package fund the development or acquisition of a new or enhanced software or hardware system or service? ☒ Yes ☐ No
2. Does this decision package fund the acquisition or enhancements of any agency data centers? (See OCIO Policy 184 for definition.) ☐ Yes ☒ No
3. Does this decision package fund the continuation of a project that is, or will be, under OCIO oversight? (See OCIO Policy 121.) ☐ Yes ☒ No
If you answered “yes” to any of these questions, you must complete a concept review with the OCIO before submitting your budget request. Refer to chapter 12.2 of the operating budget instructions for more information.