- They help draft and revise cybersecurity policies that describe in detail how agencies should protect sensitive government information from threats.
- The team's members meet with agencies to understand if there are any gaps in meeting the state's security policies and create a road map to close the gap.
- The team guides agencies along the road to closing the gaps, helping them find the best route that meets their needs. And along the way, they work with agencies and other teams within OCS to monitor and mitigate risks.
Stevens Fox, the Deputy CISO for Policy and Program Management at OCS, recounted a recent case in which a member of his team helped an agency navigate certain IRS requirements by tracking down the records that were needed, working with other WaTech teams to resolve questions and then packaging the material for the agency to provide to the IRS. Along the way, his team educated the agency about the process and how to resolve similar issues as they come up in the future.
"We help agencies understand, here's what this means to you, so they have fewer findings in the future. It's not just a compliance issue. It's more addressing underlying risk to it," Stevens said.
The Policy and Program Management team has a veteran staff. Fox oversees the team, which includes Jen Smith and Cory Williams, both of whom have extensive experience in cybersecurity and in policy and program management.
Jen said she sees her role as "sort of your trail guide from end to end. I'll help you pack up your gear. Get you ready for a day of walking through the process of where you are afterwards."
Like Jen, Cory said, "I reach out to state agencies and guide them through the risk assessment process. Right now, I'm building up risk assessment tools that can be provided for state agencies so they're easy to use and easy to understand. We're working to facilitate with them step by step and then to eventually, where we can prop them up enough to where they can then move forward and use the risk assessment themselves."
The importance of what the team does is primarily preventative, Fox said.
"Given my background as a former penetration tester, I know security comes from addressing your risks. So, the key value add that we have to provide to the community is to help them identify the risk, but also understand, okay, given where we are currently with our level of maturity, how do we address this risk? How do we prioritize the risks and then manage those risks?"
When asked what they'd like agencies to know about their team, Jen said, "I'd really like people to know we're available to you. This is a resource that's here for you at any time. Any time you have questions about risk management or security policy compliance, we're your resource. Even if we don't have the answers for you, we'll help you get to the point where you can find the answers."
Fox said he wants agencies to know that his team isn't looking for perfection when it comes to meeting state security requirements.
"That's not what it's about. It's about knowing where you are right now," he said.
While the state uses a seven-point National Institute of Standards and Technology scale for determining an agency's maturity level in meeting security requirements, "hardly anyone needs to be at a seven. Most people are fine around a five. If you come to us saying, 'Hey, right now we're at a two, we want to get to a four,' that's cool."
Jen noted that agencies should not be afraid to contact the team. It's never too early or too late.
"All we have is tomorrow," she said. "We're taking steps every day and we want to take a step to make things better if today's the day you want to make a step."