Due to work schedules, Niamh Darcy, Sondra Chaffee, Shannon Tufts & Frieda Artis could not attend the meeting.
The meeting began at 9:05 a.m.
Lib Wanner welcomed everyone to the meeting and ensured that all members received the proper documents and presentation to accompany the meeting. Lib then introduced the committee to John Higgins, IT Manager for Technical Infrastructure, and Dan Edwards, IT Manager for Strategic Planning, to give the presentation on the Information Risk Management Strategic Plan.
Information Risk Management Strategic Plan
John Higgins began the presentation by referring to the agenda consisting of Information Risk Vision, Strategic Plan for Information Risk Management, and Putting the Information Risk Program into Operation. John indicated that we used research materials from two reputable IT research organizations, Gartner and the Corporate Executive Board (CEB).
John first presented the Information Risk Mission Statement and then gave an overview of the Strategic Plan, which included: Mapping Business Drivers to Information Risk Strategy, Communicating Program Status, and Outlining Budget and Spend Outlook. While discussing the Information Risk Implications of Local Government Business Trends, John gave examples for each of the identified risk drivers: stringent regulatory requirements, increasingly sophisticated attackers, and increased options for electronic access.
John then continued to discuss certain business strategies that had information risk implications, as follows: always on/available information systems, increasing mobility of workforce, continued cost pressures and ever-changing business processes.
In the next part of the discussion, John introduced the six Information Risk Focus Areas that Wake County would be focusing on and how they related to both the IS Department’s strategy and the business strategy for the organization. The focus areas John highlighted were:
1. Implement standard framework for evaluating and assessing information risk
2. Apply identity and access management
3. Increase end-user awareness
4. Improve data privacy and content protection
5. Meet regulatory compliance standards
6. Expand disaster recovery and business continuity measures.
John then presented a graph as a sample of the Current Capability and the Capability Goal for each of the Strategic Information Risk Focus Areas and indicated that in the months ahead the County would perform a gap analysis between the two to determine where the most work is needed. The goals for each focus area will be set by a combination of benchmark data from the IT research organizations and priorities set by the organization. Lib Wanner asked the ITAC members if there were any other focus areas that should be included, and the members agreed that the chart was well constructed and included all necessary information.
John’s next area of discussion covered the Communicating Program Status agenda item. Another diagram was shown, mapping proposed projects to the six focus areas by fiscal year. Lib noted that the diagram presented was dependent on the ability of the Information Services department to move forward with funding for the projects. John Killebrew also noted that in the period of FY2010 there were many objectives and that we may want to spread them out more.
The third area of discussion from John was regarding the Outlining Budget and Spending Outlook agenda item. John indicated that the department would create project proposals, present multi-year budget and staffing estimates as part of the annual budget process, and progress would be dependent on those decisions.
John then turned the presentation over to Dan Edwards to discuss the agenda item entitled Putting the Information Risk Programs into Operation.
Dan began by discussing the responsibility for information management. Dan stated that to fulfill the responsibility, IT must protect information as an asset, protect and guide the use of sensitive information, manage the technologies that handle information, ensure the continuation of business operations in the event of a disruption, and ensure that information is handled according to external laws and regulations.
The discussion moved to the topic of why the department should even be concerned with an issue such as information risk management. Dan noted that while every business unit must be concerned with risk management, the Information Services Department has been placed in a role of ensuring that recent audit requirements be met in terms of information security, which is why the IS Department is taking a lead role in this effort. Dan explained the findings of the audits and some of the research he has done on how other organizations have handled these responsibilities.
Dan then presented the concept that information risk management is best achieved if the business process owners and the Information Services department work together, and he outlined a framework for this collaborative effort. Dan indicated that the County’s plan is to establish a team consisting of key members from business process, information technology and other key focus areas to work together to establish policies and procedures for handling known risks and oversee the risk assessment work and the prioritization of resulting recommended actions in the near term and then recommend a longer-term structure for managing information risk. Dan finished the presentation by asking for the concerns, comments, questions and advice of the ITAC committee.
Darryl McGraw asked about the cost to complete some of the tasks and where funding would come from, in light of the current economic pressures. Lib answered that the County’s Senior Management Team would make these decisions based on presentations given to it by the Information Risk Management core team. Vass Johnson noted that technology is not always the issue, rather that business processes needed to be reviewed and changes considered in the way things are done; for example, information may not have to be available 24/7. Lib said that was a very good observation.
Robert Michaud suggested that whatever tools and processes were used at the outset of the information risk assessment initiative be selected or created with a view of the future in mind. He said to be careful not to just look at what is in front of you, but also talk to the business units about what they plan on buying or doing in the future. Lib said that was a very good suggestion, as well.
John Higgins and Dan Edwards were thanked by the ITAC committee for their input on the presentation.
Brief Overview of Wake County’s Economic Situation and its Impact on Technology Expenditures
Lib Wanner gave a brief overview of the economic status regarding the organization and Information Services Department and highlighted the fact that each department was asked to prepare a 4% budget reduction plan for the current budget year. Lib indicated that there may be possible layoffs in the future; at this time the County Manager has indicated that layoffs will be a last-resort option. Lib then noted that she will meet with all departments in November and December to get their feedback on IS services and ideas for budget reductions and will share that input with the group at their meeting in December.
Suggestions for New Members
Lib asked the ITAC Committee for recommendations for new members to join the ITAC Committee. Robert indicated that a colleague of his may be interested and, if so, he would send Lib an e-mail. Darryl and Frieda also said they would make some inquiries and send Lib an e-mail, as well.
Other Topics for Discussion
None
The ITAC members thanked Lib for the presentation and materials delivered, and Lib Wanner thanked the group for their input and participation.
Meeting adjourned at 9:45 a.m.