
Administrative and Supporting Services 110 - PL - KS - DSHS CYBER COMPLIANCE MONITORING

Agency Submittal: 21-2018 Suppl Agency Req Budget Period: 2017-19

REQUEST

The Department of Social and Health Services (DSHS) Enterprise Technology (ET) requests $1,343,000 ($940,000 GF-State) for equipment and 1.4 FTEs to protect highly sensitive client information from internal and external threats.

PROBLEM STATEMENT

DSHS does not have adequate cyber security technologies and resources to identify and prevent persistent and complex security threats that put client information at risk of disclosure on a daily basis. While DSHS continues to partner with WaTech on information and asset protection, a solution to monitor and protect DSHS-specific systems, networks and sensitive information is currently missing. WaTech does not provide these services. This request would result in the implementation and integration of an enterprise logging and analysis solution and two security analysts who are critical to protecting our systems and highly sensitive information. This funding will increase DSHS’ capability to secure confidential client information, put DSHS in compliance with state and federal mandates, improve security measures without detracting from mission-critical efforts, and reduce the overall risk security threats pose to our most vulnerable citizens. DSHS provides services or support to 2.8 million people. Our systems contain highly confidential information such as social security numbers, medical and mental health information, names and contact information, financial information, fingerprints, photographic images, race, and religion. For DSHS, the impacts of data breaches, unauthorized disclosure of confidential information, and non-compliance with federal and state regulations are significant. We incur administrative costs for notification to affected clients, including translations, and potential costs for credit monitoring. U.S. HHS Office for Civil Rights (OCR) penalties can range from $100 to $50,000 per violation, up to $1,500,000 for multiple violations of the same HIPAA requirement per year. For violations of multiple HIPAA requirements, the fines can reach into the multi-million dollar range. Legal costs related to settlements from lawsuits are another risk, and importantly, the loss of public trust and confidence in government services.


PROPOSED SOLUTION

INFORMATION TECHNOLOGY ITEMS        FY 2018      FY 2019
Log Indexing and Archiving                0     $633,909
Licensing                                 0     $371,000
Tier 3 Analyst IT/AS5 (2)           $82,180     $255,974
TOTAL COST                          $82,180   $1,260,883

The funding will procure hardware, software, and related support to collect and preserve system log data (Log Indexing and Archiving), and licenses to perform log monitoring, alerting, and detection of security events (Licensing). The funding will also provide for two Information Technology Specialist (ITS) 5 Security Analysts, whose primary objective will be to use the newly acquired tools to analyze the complex log data to detect intrusion, exfiltration of data, exploitation, unauthorized behavior, and other malicious acts against DSHS information systems.

EXPECTED RESULTS

DSHS will be able to appropriately protect confidential client information, and systems, against security threats. In doing so, we will preserve public trust and confidence in government services, and increase DSHS’ compliance with state and federal mandates. This will reduce risk to client safety and privacy, and lessen service interruptions, by reducing risk to the DSHS systems that manage and provide services to Washington’s citizens.

STAKEHOLDER IMPACT

DSHS provides direct services to approximately 2.8 million clients, and shares data with other state agencies and external entities. This implementation will have a positive impact on our clients and partners by way of added protections and controls around our data to ensure privacy and confidentiality. It is anticipated that the public, Legislature, employee unions, and Department of Labor and Industries will favorably endorse our efforts to concentrate qualified expertise and essential technology on the critical issues of safety and security.

Agency Contact: Adam Lewis, (360) 902-8179
Program Contact: Kim Anderson, (360) 902-8443

OTHER CONNECTIONS

1. Does this DP provide essential support to one or more of the Governor’s Results Washington priorities?

Goal 5: Efficient, Effective & Accountable Government - Customer Satisfaction and Confidence - 1.1 Increase customer services.

2. Identify other important connections or impacts below. (Indicate ‘Yes’ or ‘No’. If ‘Yes’ identify the connections or impacts related to the proposal.)

a) Regional/County impacts? No
b) Other local government impacts? No
c) Tribal government impacts? No
d) Other state agency impacts? Yes
e) Responds to specific task force, report, mandate or executive order? Yes
f) Does request contain a compensation change or require changes to a Collective Bargaining Agreement? No
g) Facility/workplace needs or impacts? No
h) Capital budget impacts? Yes
i) Is change required to existing statutes, rules or contracts? No
j) Is the request related to litigation? Yes
k) Is the request related to Puget Sound recovery? No
l) Other important connections? Yes

3. Please provide a detailed discussion of connections/impacts identified above.

Implementation of an enterprise logging solution and the expertise of highly-trained security analysts will improve the security of the valuable data within our networks, which includes Personally Identifiable Information (PII) such as social security numbers, as well as medical and mental health information, and financial information, and bring DSHS into compliance with federal and state requirements for incident response, system log monitoring, and detection policies and systems. Increased security will result in reduced financial loss related to litigation and fines, affording DSHS the ability to focus more effort and funding toward the support of the critical services our clients rely upon.

Alternatives/Consequences/Other

4. What alternatives were explored by the agency, and why was this alternative chosen?

Submission of 2017-19 Decision Package to increase WaTech security tools.

5. How has or can the agency address the issue or need within its current appropriation level?

DSHS, in collaboration with WaTech and the Office of Cyber Security (OCS), has made great advancements in securing DSHS data via the State Government Network (SGN), which provides a perimeter of protection around all state agencies. However, additional funding is required to address the assets within DSHS’ internal network. The SGN does not protect against threats that originate within its perimeter, such as employee-generated malicious behavior, threat actors who have gained physical access to agency devices or networks, and actors or entities who have made it through the SGN’s layer of protection. With the use of mobile devices, cloud computing, Software as a Service (SaaS), wide use of the Internet to do business, and the potential of insider attacks, securing the perimeter alone does not provide adequate protection from the threats to information security. Services offered through our partnership with WaTech and OCS do not reach beyond our perimeter to protect the valuables within our walls.

6. Does this decision package include funding for any IT-related costs (hardware, software, services, cloud-based services, contracts or IT staff)?

☐ No
☒ Yes (Include an IT Addendum)

Fiscal Detail 110 - PL - KS - DSHS Cyber Compliance Monitoring

Operating Expenditures          FY 2018    FY 2019    FY 2020    FY 2021
001-1 General Fund-State         58,000    882,000    225,000    235,000
001-2 General Fund-Federal       24,000    379,000     96,000    100,000
Total Cost                       82,000  1,261,000    321,000    335,000

Staffing                        FY 2018    FY 2019    FY 2020    FY 2021
FTEs                                0.7        2.0        2.0        2.0

Performance Measure Detail

Incremental Changes
Activity:                       FY 2018    FY 2019    FY 2020    FY 2021
Program: 110
H001 Administrative Costs       No measures submitted for package

Object Detail                   FY 2018    FY 2019    FY 2020    FY 2021
TZ Intra-agency Reimbursements   82,000  1,261,000    321,000    335,000
Total Objects                    82,000  1,261,000    321,000    335,000

DSHS Source Detail

Overall Funding
Operating Expenditures          FY 2018    FY 2019    FY 2020    FY 2021

Fund 001-1, General Fund-State
  Sources Title
  0011 General Fund State        58,000    882,000    225,000    235,000
  Total for Fund 001-1           58,000    882,000    225,000    235,000

Fund 001-2, General Fund-Federal
  Sources Title
  FLIV Fed Entered as Lidded (various%s)
                                 24,000    379,000     96,000    100,000
  Total for Fund 001-2           24,000    379,000     96,000    100,000

Total Overall Funding            82,000  1,261,000    321,000    335,000

2018 Supplemental Budget 110 – PL – KS – DSHS Cyber Compliance and Monitoring IT Addendum 1 – Attachment 1

Revised 5-23-2014

Office of the Chief Information Officer, Washington State

Procedure No. 121: IT Investment Approval and Oversight

Appendix B: Concept Briefing Document Template

(See OCIO Policy 121- IT Investment Approval and Oversight) OCIO Log Number:

Email this Document To:

[email protected]

0 Tentative Project Title: Cyber Compliance and Monitoring
Will this concept lead to a decision package submittal to OFM for the upcoming budget cycle? Yes
Preliminary Oversight Assessment: Level 2

1 Agency Name: Department of Social and Health Services
Contact Name: Kim Anderson; Phone No. and E-mail: 360.902.8443 [email protected]

If known:
Project Manager Name/Title: (not listed); Phone No.: (not listed)
Executive Sponsor Name/Title: Cheryl Strange, DSHS Secretary; Phone No.: 253.756.2870
Business Owner Name/Title: Wayne Hall, CIO; Phone No.: 360.902.7652

2 Describe the business problem the agency is trying to solve with this project: (100 word max): Logging solutions are required to support compliance with both federal and state regulations. This funding increases the ability of the DSHS Information Security Office to support enterprise-wide logging and integrate existing logging solutions. Risk of not funding this request includes non-compliance with regulatory requirements, resulting in fines or impact to client services and client, employee, and agency data.

3 Please describe any additional relevant factors that further motivate this project, such as legislation or a financial analysis. DSHS is currently working to comply with state and federal requirements for information security. Funding approval would help ensure that DSHS is able to comply with OCIO Standards 10.1 (Logging Policies) and 10.2 (Logging Systems), and federal requirements for system log monitoring and detection procedures.

4 Describe likely funding scenarios for this project: Currently, the funding proposal is limited to a decision package submittal to OFM for the upcoming budget cycle.

5 Estimated Range of Project Cost: More than $1M and less than $2M Estimated 5-year Maintenance Cost: More than $1M and less than $3M Estimated Range of Total Lifecycle Cost: More than $1M and less than $5M

6 If there is a hoped-for Project Start Date, please note it here: January 2018 Estimated Project Duration in Months: 6 Months

7 Describe performance outcomes and how they will be measured. Updated infrastructure hardware and segmented sites by June 30, 2019.

8 What discovery or market analysis will the agency do to inform the technical solution? (Survey other agencies/states, RFI, RFQ, Feasibility Study, etc.): Solution research and analysis, and product testing and feasibility studies.


9 Will this project deliver customer-facing value? If so, please describe that value and at approximately what point in the Project Duration that value will be delivered. In your response, please describe who the primary customer is: This project will deliver value in the form of implemented logging solution and highly-trained security analysts that will increase DSHS’ ability to protect confidential and sensitive data, and reduce the overall vulnerability of clients and partners to security threats. Value will be delivered upon implementation of the logging solution and associated security protocols. The customer is identified as the DSHS clients and partners, who will benefit from secure personal and health information.

10 Describe how this concept aligns with the State IT Strategic Objectives: Aligns with the Governor’s Results Washington priority Goal 5: Efficient, Effective & Accountable Government – Customer Satisfaction and Confidence – 1.1 Increase customer services. This proposal aims to increase customer satisfaction and confidence through increased data security. If funded, this proposal will also align with building customer satisfaction and confidence through implementing log monitoring and analysis, which will protect confidential and sensitive client information.

11 Agencies are expected to utilize CTS and DES applications and services when appropriate and/or mandated by legislation. What is the status of your consult with CTS? With DES? Log archiving per the estimate ($575,000) from WaTech used in the 2017-2019 security decision package was not funded and the current solution is not capable of supporting DSHS requirements.

12 What are the biggest concerns about the project at this point in time? The biggest concern with this project at present is the lack of funding to purchase and implement logging solution and hire adequately skilled security analysts.

OCIO NOTES Meeting Date: / / Comments:

INSTRUCTIONS

1. Using an "X" in the AGY Rate column, choose one value for each criterion. Write comments, if needed, in the Agency Notes column.

2. Complete one worksheet per decision package.

3. Send completed worksheet/s for ML DPs by August 19, 2017 and PL DPs by August 25, 2017 to [email protected], for the DSHS CIO review.

2018 Supplemental Budget

110 - PL - KS - DSHS Cyber Compliance and Monitoring IT Addendum 1 - Attachment 2

Administration: Services and Enterprise Support Administration
DP Name: Cyber Compliance and Monitoring

Parent Criteria: Business Driven IT Management
These criteria are used to assess how IT proposals support business changes made to improve services or access to information for agency users, customers or citizens and are staged for success.

Criterion Name: Business Process Improvement    AGY Rate: x    Agency Notes: (blank)
Criterion Definition: Primary goal of the proposal is to transform an agency business process -- This criterion will be used to assess the transformative nature of the project (INTENT: to incentivize agencies to take transformative projects that may include risk.)
Rating Value Scale Definition:
  Major Transformation (100%): The project is transformative and sets up the agency for continuous process improvement.
  Significant Transformation (50%): The project is transformative by improving or leaning out significant business processes.
  Moderate Transformation (25%): The project is transformative and improves some business processes. [x]
  No Transformation (0%): The project is not a transformative initiative.

Criterion Name: Risk Mitigation / Organizational Change Management    AGY Rate: x    Agency Notes: (blank)
Criterion Definition: Primary goal is to assess the agency's anticipation of the risk of an initiative and planned mitigation of those risks. This criterion will be used to determine if the initiative provides adequate resources to mitigate risks commensurate with the risks associated with a technology initiative. Risk planning may include budgeting for independent Quality Assurance, organizational change management, training, staffing, etc. (INTENT: Drive business value by encouraging risk taking that is well managed.)
Rating Value Scale Definition:
  Strong Risk Mitigation (100%): The project has anticipated and budgeted for risk mitigation or has no associated risks.
  Moderate Risk Mitigation (50%): The project has budgeted for a minimal amount of risk mitigation. [x]
  Minimal Risk Mitigation (25%): The project speaks to risk mitigation but has not identified resources to address the issue.
  No Risk Mitigation (0%): The project has not considered or planned for associated risks.

Criterion Name: Measurable Business Outcomes Aligned to Agency Strategy    AGY Rate: x    Agency Notes: (blank)
Criterion Definition: The goal of this criterion is to assess the extent to which the IT proposal has established measurable business outcomes aligned to agency strategies. (The intent is to drive agencies to establish business outcomes and measure those outcomes.)
Rating Value Scale Definition:
  Significant, Measurable Outcome Metrics (100%): The project proposal identifies significant performance measures that have a direct impact on the business of the agency. Measures are base-lined and have target goals. [x]
  Significant Transformation (50%): The project has identified at least one outcome measure but has no baseline data or target goals.
  Outcomes Identified / Not Measurable (25%): The project speaks to business improvements but has not identified any measurable outcomes.
  No Business Outcomes Identified (0%): The proposal has not identified any performance outcomes.

Criterion Name: Impact of Not Doing    AGY Rate: x    Agency Notes: (blank)
Criterion Definition: Primary goal is to assess the impact of not funding an IT initiative as it may relate to service failure, mandates, legal requirements, or loss of opportunity.
Rating Value Scale Definition:
  Significant Impact (100%): Failure to meet statutory or legal mandates. Include imminent failure of a mission critical system. [x]
  Moderate Impact (50%): There is a risk of failure for aging systems and high cost for recovery and support.
  Minimal Impact (25%): Loss of opportunity for improved service delivery or efficiency.

Parent Criteria: Architectural Standards
The goal of these criteria is to assess the IT proposal's implementation of interoperability standards and reuse of existing systems or components.

Criterion Name: Interoperability    AGY Rate: x    Agency Notes: (blank)
Criterion Definition: Application/system has the capability to share information with other systems without additional custom development (either in house or by the vendor/s) or additional investment in order to achieve interoperability. (INTENT: Drive agencies to acquire and/or develop systems that are interoperable across the state enterprise.)
Rating Value Scale Definition:
  Plays great with others (100%): Interoperability is built into the core IT systems used by the project. The system publishes a clear Application Programming Interface (API) that allows other state systems to exchange data with it simply and reliably without restrictions, additional purchases or new custom coding.
  Optional Vendor Add-on (50%): The project will use a system that can inter-operate with other systems through one or more proprietary connectors, services, etc., usually created and supported by the system vendor for an additional fee. [x]
  Custom coding required (24%): New connections can or have been made to external systems via custom development.
  Isolated (0%): Isolated. The systems in this project will not really communicate with other systems in state government, except by virtue of sharing another database.

Criterion Name: Leverages Existing Systems or Creates Reusable Components    AGY Rate: x    Agency Notes: (blank)
Criterion Definition: Reuse: leverages an existing system already in use within the state or has the potential to be reused by other agencies or programs.
Rating Value Scale Definition:
  Significant Reuse (100%): Completely leverages an existing system already in use within the state or has the potential to be reused by other agencies or programs. [x]
  Moderate Reuse (50%): Leverages some system components already in use within the state but has the potential for additional reuse by other agencies or programs.
  Minimal Reuse (25%): Leverages some existing components but does not have the potential for additional reuse by other agencies or programs.
  No Reuse (0%): Does not leverage any system or components already in use within the state and does not have the potential to be reused by other agencies or programs.

Parent Criteria: Technology Strategy Alignment
The goal of these criteria is to assess the alignment of the IT proposal to the technology strategies of the state as articulated by the Office of the Chief Information Officer.

Criterion Name: Mobility    AGY Rate: x    Agency Notes: (blank)
Criterion Definition: New mobile services for citizens or state workforce -- This criterion will be used to assess the contribution of the initiative to support mobile government services for citizens and a mobile workforce. (INTENT: to drive agencies to look for ways to deliver results and services that are accessible to citizens from mobile devices. We value mobility for employees as well but value mobility for citizens more.)
Rating Value Scale Definition:
  Primarily Mobile (100%): The project's primary objective is to create anytime, anywhere mobile access to a state system or service for a significant number of external customers.
  Moderate Mobile Improvement (50%): The project will improve the mobility for state workers or provide access to a small number of external customers.
  Incremental Mobile Improvement (25%): The project may provide an incrementally improved mobile experience for external customers or workers.
  No Mobile Component (0%): The project provides no improvement to a mobile experience for external customers. [x]

Criterion Name: Open Data    AGY Rate: x    Agency Notes: (blank)
Criterion Definition: New data sets exposed -- This criterion will be used to assess if the initiative will increase the citizen's access to state data with no strings attached and in a format that's easy to use. The legislature has found that government data are a vital resource to both government operations and to the public that government serves (RCW 43.105.351). Publication of open data reduces time spent on records requests, helps our companies adapt to a dynamic economy, and helps civic groups, researchers and small agencies get their work done.
Rating Value Scale Definition:
  Open, Useful + Multi-Agency (100%): Two or more agencies are collaborating to publish open data in this project that they know will be used and useful.
  Open and Useful (50%): The agency will produce more open data as part of this project and knows that it will be useful to the public - perhaps through a stakeholder feedback process or analysis of web analytics on current offerings.
  New Open Data (25%): The project will publish some new open data, but the agency or project team are working within a single agency and are not in a position to assess how useful it may be.
  No Open Data (0%): The project will not publish open data. It may be that the project's data is confidential, or that the agency prefers to publish PDFs, printed reports or eyes-only briefings. [x]

Criterion Name: Modernization    AGY Rate: x    Agency Notes: (blank)
Criterion Definition: Cloud, SaaS, PaaS, COTS before custom development -- This criterion will be used to assess if the initiative will result in replacing systems with contemporary solutions. (INTENT: to drive agencies to look more intently at leveraging modern solutions.)
Rating Value Scale Definition:
  Modern and Cloud (100%): The project is designed to significantly modernize a core part of state IT infrastructure using a cloud-based approach. We value a cloud first strategy that means SaaS, hosted COTS, PaaS, and IaaS.
  Modern and Hybrid (50%): The project uses a significantly newer technical solution that is a combination of cloud and non-cloud.
  Newer with no Cloud (25%): The project uses a significantly newer technical solution that is not cloud based. [x]
  Not More Modern (0%): The project replaces legacy systems or technologies with technology that is not significantly more modern.

Criterion Name: Early Value Delivery    AGY Rate: x    Agency Notes: (blank)
Criterion Definition: Adds value in short increments -- This criterion will be used to determine if the initiative provides “customer-facing value” in small increments, quickly to drive our agile strategy. (INTENT: Drive agencies to producing value more quickly and incrementally.)
Rating Value Scale Definition:
  Value Within 6 Months (100%): The project is designed to produce customer-usable value every six months. [x]
  Value Within 12 Months (50%): The project is designed to produce customer-usable value every twelve months.
  Value Within 18 Months (25%): The project is designed to produce customer-usable value every 18 months.
  Value Over 18 Months (0%): The project does not take an agile approach and/or does not deliver customer-facing value every 18 months.

Parent Criteria: Security and Privacy
The goal of these criteria is to assess the IT proposal's impact on the security of agency systems and data AND the impact on the privacy of citizen data.

Criterion Name: Security    AGY Rate: x    Agency Notes: (blank)
Criterion Definition: Improve agency security -- This criterion will be used to assess the improvements to the overall security posture for an agency. (INTENT: to award points to projects when the purpose of the initiative is to improve security across an agency.)
Rating Value Scale Definition:
  Agency-wide Impact (100%): The project’s primary purpose is to introduce new capabilities to improve security across an agency. [x]
  Adds New Security (50%): The project addresses a business problem AND includes significant security improvements.
  Improves Existing (25%): The project incrementally improves the existing security for an agency.
  No Impact (0%): The project will have no impact on an agency’s security posture and/or infrastructure.

Criterion Name: Privacy Principles    AGY Rate: x    Agency Notes: (blank)
Criterion Definition: Privacy principles applied to investment -- This criterion will be used to assess if the initiative will be implemented in whole or in part with consideration of established privacy principles (e.g., data minimization, data retention, data quality, controlled data access, etc.).
Rating Value Scale Definition:
  Agency-wide Impact (100%): The project’s primary purpose is to introduce new capabilities to improve data privacy across an agency. [x]
  Adds New Privacy Capabilities (50%): The project addresses a business problem AND includes significant data privacy improvements.
  Improves Existing (25%): The project incrementally improves the existing privacy posture and/or capabilities.
  No Impact (0%): The project will have no impact on an agency’s data privacy posture and/or infrastructure.

Agency Preliminary Assessment Tool - Agency Tool

(Note: You will also soon be receiving an email confirmation with this information)

Customer Information

Primary Contact Name: Kim Anderson

Phone Number: (360) 902-8443

Email Address: [email protected]

Agency Name: Social and Health Services, Department of (DSHS)

Project Name: DSHS Cyber Compliance and Monitoring - Decision Package

Project Acronym: CCM - DP

Project Start Date: Jan 2018

Project End Date: Jun 2018

Project Budget: $1500000

Additional Notification Emails:

[email protected]

[email protected]

[email protected]

Questions

Question 1: What is the anticipated duration of the project?

Answer: 2 | Project initiation through closure is more than 6 months but less than 12 months.

Comments:

Question 2: Are there constraints on the project schedule?

Answer: 1 | The project schedule has contingency or slack and/or is flexible.

Comments:

Question 3: What is the anticipated project budget from initiation through

implementation, transition to operations and close-out. Include all Business and IT

costs such as staff and professional services, hardware, software, and any other

incurred internal costs associated with the project?

Answer: 3 | $1M to $2M

Comments:

Question 4: Is adequate project funding, including maintenance & operations, secured? Answer: 3 | Not all funds are confirmed. Internal agency dollars, grants, or federal funds will need to be identified and committed OR a funding request will need to be submitted to OFM in

2018 Supplemental Budget 110 - PL - KS - DSHS Cyber Compliance & Monitoring IT Addendum - Attachment 1

an upcoming budget cycle.

Comments:

Question 5: Does the project require changes to, or implementation of, a system that

impacts citizens, other state or local organizations, or service providers?

Answer: 1 | The impact is to internal agency business processes / operations only.

Comments:

Question 6: How well defined are the changes the project will introduce?

Answer: 3 | The business requirements exist, but only at a high level.

Comments:

Question 7: What is the degree of impact to agency operations or business rules/processes?

Answer: 3 | There is impact to business rules/processes to multiple programs within one agency.

Comments:

Question 8: Does this project impact compliance with policies, mandates, or provisos/laws?

Answer: 4 | The project impacts compliance with state and/or federal mandates or provisos/laws and may affect future agency funding.

Comments: HIPAA, IRS, and CJIS compliance.

Question 9: Are there dependencies with other projects?

Answer: 2 | This project is dependent on one project OR one project is dependent on this project.

Comments:

Question 10: Is the agency prepared for the organizational change management required to successfully implement the proposed solution?

Answer: 4 | There is major impact to technical and/or business users and limited or no internal subject matter expertise exists and significant training is required.

Comments:

Question 11: Who is assigned to project tasks?

Answer: 2 | Core project staff are not assigned 100%, but impacted IT and business sponsors are actively engaged on the project steering committee and have committed to assign staff to the project as needed.

Comments:

Question 12: Does the executive sponsor have authority and experience?

Answer: 1 | The project has an executive sponsor with BOTH the authority to allocate organization-wide staff and prior experience sponsoring Major Projects.

Comments:

Question 13: Does the project have experienced project management staff and resources?

Answer: 1 | The agency has documented, repeatable project management and governance processes and project managers have at least 24 months of experience leading Major Projects.

Comments:


Question 14: How many Major Projects has the agency managed in the last five years?

Answer: 1 | >15

Comments:

Question 15: What is the degree of project impact to technology (e.g. architecture, network, software, infrastructure, or connectivity to external services and systems)?

Answer: 2 | The project will make minor change to technology.

Comments:

Question 16: Does the proposed solution require any new development or customization be done by State IT staff [vs. full Commercial-off-the-Shelf (COTS) or Cloud services]?

Answer: 2 | The project requires minor change or minimal customization to an existing system leveraging experienced staff or vendor resources.

Comments:

Question 17: Is there existing agency technical expertise regarding the proposed solution?

Answer: 2 | The proposed technology is new to the agency, but there is industry or 3rd party expertise and requires minimal knowledge transfer and/or training.

Comments:

Question 18: Does the system collect or process sensitive data? (per OCIO policy 141.10 Section 4.1 Data Classification)

Answer: 3 | Only category 1-3 data is stored or processed.

Comments:

Question 19: Does the project replace or significantly modify a financial or administrative system?

Answer: No

Comments:

Question 20: Will the project introduce any deviations from OCIO policy, standards, or statewide enterprise architecture?

Answer: No

Comments:

Final Score: 40

This form is for your agency use preliminary to your official submission. We appreciate the efforts you have put into this project to date and look forward to helping you in the future.

Please note: it is the responsibility of the agency to follow all OCIO Policies for IT Projects (http://www.ocio.wa.gov/policies), any procurement policies internal to your agency or from the Department of Enterprise Services, and any other internal agency policies that might be relevant to this investment. If you have questions you can contact the OCIO Oversight Consultants at [email protected]. You will use the IT Project Assessment Tool – Submission form when you are ready to submit to the OCIO.


2018 Supplemental Budget - IT Addendum – 110 – PL - KS - DSHS Cyber Compliance & Monitoring

Part 1: Itemized IT Costs

Please itemize any IT-related costs, including hardware, software, services (including cloud-based services), contracts (including professional services, quality assurance, and independent verification and validation), or IT staff. Be as specific as you can. (See chapter 12.1 of the operating budget instructions for guidance on what counts as "IT-related costs".)

Information Technology Items in this DP
(insert rows as required)         FY 2018    FY 2019      FY 2020    FY 2021
Log Indexing and Archiving        0          $633,909     0          0
Licensing                         0          $371,000     $53,025    $53,025
Tier 3 Analyst ITS 5 (2)          $82,180    $255,974     $268,772   $282,211
Total Cost                        $82,180    $1,260,858   $321,797   $335,236

*Current estimates will not exceed $1,000,000 over the biennium.

Part 2: Identifying IT Projects

If the investment proposed in the decision package is the development or acquisition of an IT project/system, or is an enhancement to or modification of an existing IT project/system, it will also be reviewed and ranked by the OCIO as required by RCW 43.88.092. The answers to the three questions below will help OFM and the OCIO determine whether this decision package is, or enhances/modifies, an IT project:

1. Does this decision package fund the development or acquisition of a new or enhanced software or hardware system or service? ☒ Yes ☐ No

2. Does this decision package fund the acquisition or enhancements of any agency data centers? (See OCIO Policy 184 for definition.) ☐ Yes ☒ No

3. Does this decision package fund the continuation of a project that is, or will be, under OCIO oversight? (See OCIO Policy 121.) ☐ Yes ☒ No

If you answered “yes” to any of these questions, you must complete a concept review with the OCIO before submitting your budget request. Refer to chapter 12.2 of the operating budget instructions for more information.