About the Engagement
In June 2013, following the occurrences of Hurricanes Irene and Lee, and Superstorm Sandy, a state-level disaster recovery organization was created to focus on recovery and rebuilding efforts for effective areas of New York State. The agency’s aid focused on four areas: housing recovery, small business, community reconstruction and infrastructure.
The agency identified the need to ensure data security best practices were in place and were compliant with state/federal data security, while also ensuring their data security policies and procedures were in-line with the New York state’s central technology office.
The first set of challenges were focused on preparations and information gathering. To ensure state and federal compliance, along with understanding the client needs, our requirements gathering across multiple stakeholders and agencies was challenging because of the need for constant communication and stakeholder engagement. Another challenge was maintaining varying agile, hybrid-agile and waterfall software development lifecycle approaches, since multiple systems, or lack of, were used daily. The second set of challenges faced were centralized around the agency. One need was the development of customer service and support strategies for both staff and applications, which were implemented through trainings and presentations. As a result, we developed quality assurance and quality check procedures and created associated documentation for them.
Project Impacts and Outcomes
The Engagement team conducted an assessment to understand the current-state data security policies and processes that were in place. In conjunction, our team analyzed state and federal data security policies to understand guidelines and rules and regulations to ensure agency compliance. Once there was a comprehensive understanding of the current-state and the optimal future-state, we developed a roadmap to ensure compliance, and meet data security guidelines. As a result, while working with the agency, we implemented three components, the Data Privacy Office, software and hardware risk mitigation, and identity and access management. The Data Privacy Office is an agency group, dedicated to monitoring and leading the agency in the event of a data security event. This group implemented proactive policies and procedures for risk mitigation purposes and developed procedures for how to respond in the event of a data security event. The second component, software and hardware risk mitigation, was developed by working with the technical team, overseeing the implementation of enhanced privacy measures (e.g., ensuring all sensitive information access was monitored and had enhanced security beyond other agency data). The third component was identity and access management, created by designing and developing a system to aggregate identity and access information for agency staff, and limited access to information based on “least privileged access” principles.