Security Risk Scorecards: Innovation to Secure the State
12/19/2017 2:13:13 PM
In 2016 and 2017, MNIT began using Security Risk Scorecards for State of Minnesota government. The Scorecards have now become part of our standard operations, and they are helping to improve the security of information and information technology systems for State of Minnesota government.
The initial project stemmed from the belief that government business leaders need to understand their IT and the risks involved in order to make informed decisions about IT.
Using a foundational framework, common business software, color coding and plain business language, the scorecards bridged the gap of understanding between business and information security.
Now business leaders know exactly what information and technology they have, what the security risks are, and how their business decisions and investments impact those risks. The feedback from all agency leaders has been very positive. In a letter to the State CIO, Minnesota Department of Human Services’ business leaders called the Scorecard review meeting “the most useful meeting of the year”.
The Security Risk Scorecard project not only met a business and security need, but it also aligned with the priorities of Minnesota Governor Mark Dayton, who in 2017 signed onto “A Compact to Improve State Cybersecurity,” an effort by 38 governors to improve state cybersecurity. The compact covered three main areas of cybersecurity, which Minnesota is already leading on: (1) build cybersecurity governance; (2) prepare for and defend against cybersecurity threats; and (3) develop a cybersecurity workforce.
It also aligns with the continuing top priority of MNIT’s Commissioner and State Chief Information Officer Thomas Baden for the management, control, and protection of state systems and data to protect the privacy and security of all Minnesotans.
In order to secure and protect state systems and data, we needed to know exactly what we were working with. This project helped us build that foundational knowledge base.
For the first time ever, we have a complete picture of all the information technology being used by Minnesota State government, and the risk posture of our state. That knowledge can help business and IT leaders make informed decisions about IT investments.
Security Risk Scorecards were designed to give business leaders a picture of risks they accept by default. What’s unique is that by using common business terms and formats, we opened the way for frank conversations. Knowing agency business needs and constraints allows MNIT to re-prioritize, escalate or postpone IT projects, making us more effective and efficient at any level of investment.
One of our first steps was to choose a holistic approach that covered all potential information at risk, not just technology systems and applications, but information in any form, such as sensitive information shared over the phone.
Then we chose a nationally recognized framework and business standards from the National Institute of Standards and Technology (NIST). This aligned the Scorecards with state and national standard business practices so government leaders were presented with a common language that didn’t use IT jargon. The categories (Identify, Protect, Detect, Respond, Recover) were intuitive to those with no IT background, so leaders could understand the consequences of risks and posture. We used:
Lastly, we took this effort personally and proactively. Security staff collaborated with each agency business to set a target for each key Risk Scorecard area – where they think they need to be in terms of risk and maturity of their systems. This will always be different for each agency; for example, the Department of Revenue may have greater risk, and need more maturity, than systems at the Department of Agriculture.
Ultimately, risk is owned by the business. However, that risk, and the relative business decisions, affect the service delivery, operations and cost of the services MNIT provides to those agency businesses.
The real focus of the Scorecards is to show business leaders the health of the information systems and applications they rely on. That knowledge opens the way for the hard conversations that many state governments are engaged in about modernizing outdated systems and applications. Knowing the risks involved helps business and IT leaders make informed decisions about when and how to invest in IT.
Our dashboard for Scorecards includes NIST’s key framework areas: Identify (assets, information and technology), Protect, Detect, Respond, and Recover. The words are straightforward plain language; they make sense to non-IT staff, and the framework is endorsed by the National Association of Board of Directors and Business Associates. The benefit of using the framework to create the Scorecard is that it leverages business language to bridge the gap between non-IT business people and IT. It’s easier to benchmark when there’s a common language for leadership and their peers.
The Security Risk Scorecard is actually a spreadsheet in Excel that displays like an application. Behind the scenes, a data set generates detailed dashboards with numeric risk/maturity scores that roll up into a business-friendly main dashboard.
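To make the roll-up concrete, here is an added illustration of how per-control maturity ratings grouped by the five NIST framework areas can be combined into a color-coded dashboard row and compared against an agency's agreed target. This is example code written for this article, not MNIT's spreadsheet or data; the scoring rule (mean of control ratings), the traffic-light thresholds and the sample ratings and targets are all assumptions.

```python
"""Illustrative Security Risk Scorecard roll-up (assumed rules, constructed data)."""
from statistics import mean

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# Constructed sample: maturity ratings (0-5) per control, grouped by NIST framework
# area, for one hypothetical agency, plus the target agreed with that agency.
SAMPLE_RATINGS = {
    "Identify": {"asset inventory": 4, "data classification": 3},
    "Protect": {"access control": 2, "patching": 1, "encryption at rest": 3},
    "Detect": {"log monitoring": 2, "vulnerability scanning": 3},
    "Respond": {"incident plan": 4, "tabletop exercises": 2},
    "Recover": {"backup restore tests": 1},
}
SAMPLE_TARGETS = {"Identify": 4, "Protect": 3, "Detect": 3, "Respond": 3, "Recover": 3}


def function_score(ratings):
    """Assumed rule: a framework area's score is the mean of its control ratings."""
    return round(mean(ratings.values()), 2)


def color_for(score, target):
    """Assumed traffic-light rule: green at or above target, amber within one
    point of target, red otherwise."""
    gap = target - score
    if gap <= 0:
        return "green"
    return "amber" if gap <= 1 else "red"


def roll_up(ratings_by_function, targets):
    """Build the main-dashboard row: score, target, gap and color per area, then
    an overall score (assumed: mean of the five area scores)."""
    dashboard = {}
    for fn in FUNCTIONS:
        score = function_score(ratings_by_function[fn])
        dashboard[fn] = {"score": score, "target": targets[fn],
                         "gap": round(targets[fn] - score, 2),
                         "color": color_for(score, targets[fn])}
    dashboard["overall"] = round(mean(d["score"] for d in dashboard.values()), 2)
    return dashboard


def worst_functions(dashboard):
    """Areas below target, largest gap first: where the review conversation starts."""
    return sorted((fn for fn in FUNCTIONS if dashboard[fn]["gap"] > 0),
                  key=lambda fn: -dashboard[fn]["gap"])
```

Running `roll_up(SAMPLE_RATINGS, SAMPLE_TARGETS)` on the constructed data flags Recover as red and Respond as green, with the other areas amber.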
Building the foundational data set was the most labor-intensive part. Over the past three years, MNIT’s enterprise security and IT staff gathered information about and from applications, infrastructure, computers, facilities and other business processes. The sheer volume of data is enormous: we secure and manage systems at over 1,300 locations; support and secure over 2,800 agency applications; oversee and deliver over 350 projects with major IT components; maintain 4,368 virtual and 1,598 physical servers; deliver over 3,000,000 emails per week; and support over 28,000 enterprise IP telephony stations. Some agencies also have specific federal and state compliance and data privacy regulations that factored into the process.
One of the best features is that once the data set and the Excel framework were created, the Risk Scorecards can be used forever. Updates are loaded semi-annually, so there is always a current snapshot of the risk and health of IT for the entire state.
Security Risk Scorecard reviews have been completed for 2017 for every agency except one. Now that they’re part of our standard operations, we’re updating the foundational data set and gearing up for the next round of reviews with agency leaders.
We aren’t aware of any other states that have similar efforts in place, but the word has gotten out about this project, and the interest has been very high. Our staff have given nearly a dozen presentations about this project in the past year, including to the Minnesota Society of CPAs’ Risk Management Conference and a recent MS-ISAC conference.
The concept and implementation are completely repeatable by anyone. The only cost is staff time to gather information and input it into the Scorecard.