ISD: IT Security (1850P)

Program Outcome Statement

Protect the County's network, data, and connected devices from malicious activities and ensure the County workforce follows IT best practices, standards, and policies.

Program Services

  • Centrally-managed anti-virus and anti-spam services for workstations and servers
  • Centrally-managed patch management environment for workstations and servers
  • Centrally-managed e-mail security and encryption services
  • Centrally-managed desktop and laptop encryption services
  • Identity Management (Single Sign On) services
  • Log Management services
  • Vulnerability Management services
  • Annual IT Security Awareness training and reporting
  • Periodic Security newsletters and e-mail
  • Expert Witness services
  • Incident Response services
  • Security investigations and reports

Overview

ISD’s Security Program provides centralized Countywide services and support in the areas of information technology security. The primary function of this program is to protect County information resources. The program is responsible for identity and access management, remote access, investigations, information technology auditing, information technology security policies, information technology security training, and network services.
At the start of FY 2017-18, the IT Security Program was created, and the following three measures were established to monitor its performance: Completion of Annual Information Technology Security Training Countywide, Median Number of Minutes to Respond to High Priority Incidents, and Usage of Multi-Factor Authentication Countywide. The expectation is that these three measures will increase security awareness among County users as well as assist in making County resources more secure.

Completion of Annual Information Technology Security Training Countywide

Median Number of Minutes to Respond to High Priority Incidents

Usage of Multi-Factor Authentication Countywide

FY 2018-19 Mid-Year Story Behind Performance

Completion of Annual Information Technology Security Training Countywide
This measure demonstrates that as of December 31st, 87% of the County’s workforce have completed the annual IT security training. This is below the target of 90%.

Security awareness training is a top priority for all organizations due to the continued increase in security threats, phishing, and other types of attacks. The County uses its annual IT security training requirement to develop awareness of threats and educate personnel on the importance of IT security.
This measure is calculated monthly by comparing the number of County staff assigned security training to the number of staff who have completed it. ISD has been working with all County departments to encourage completion of this training through reminders and reports. Training was assigned Countywide on July 1st with the expectation that the training be completed within 90 days, ensuring that we met the target of 90% completion earlier in the current Fiscal year.  Due to the steady rise in completion rates we expect to reach completion by the end of February.
Median Number of Minutes to Respond to High Priority Incidents
ISD Security support team responded to Six high priority tickets, which can be made up of Priority 1 and Priority 2 tickets in the first half of FY18-19. ISD Security Program staff responded to high priority incidents in an average of 6 minutes. This well exceeds the target of responding within 60 minutes.
This measure demonstrates the program’s commitment to monitoring systems and responding appropriately to address urgent incidents. A rapid response time helps meet ISD’s broader goal of minimizing downtime for customers. In addition to responding to incidents quickly, the Security Program also reviews high priority incidents on a monthly basis. This provides insight on ways to better track performance and proactively plan responses to future high priority incidents.
Usage of Multi-Factor Authentication Countywide
Security Program data shows 62% of County employees utilize multi-factor authentication. This falls short of the target of 73%.
ISD’s Security Program rolled out multi-factor authentication (MFA) Countywide in 2017. The goal was to help secure County resources, applications, and data by requiring users to provide more than one type of credential when logging in to County systems from outside the County’s network. For example, instead of only providing a password, users ideally prove their identities by providing a password and performing a cell phone verification.
This performance measure tracks the percentage of users utilizing MFA technology on a monthly basis. It compares the number of users who have registered at least one form of multi-factor authentication on their employee accounts against the number of users actively accessing secured County resources outside the County's network. At a peak so far of 70%, this measure falls just below the annual target of 73%. ISD continues to work with County departments and end users to increase MFA compliance. The department actively encourages employees to use resources that trigger MFA activation and urges new applications to use the County’s Identity and Access Management system, which automatically includes MFA functionality.

Future Priorities

  • Wireless Networking: The Security Program will continue to enhance and add expand the capabilities of a secure wireless network across the County’s facilities. 
  • Active Directory: The Security Program plans to assess the Countywide requirements and initiatives related to the Active Directory service. It will then implement a simplified design that incorporates the County's future strategy for managing identity and access.
  • Remote Access: The program will implement a new remote access solution to enhance security and offer a simpler way for County employees, contractors, and vendors to access the County’s network.
  • Auditing and Compliance: The program will continue to enforce County IT security policies with regards to network access, controls, and administration will be reviewed and enhanced.

Author: Stormy Maddux     Contact Email: SMaddux@smcgov.org     Date Updated: 01-25-2019