Post-audit and minus a CIO, Florida’s IT office says it’s robust enough to move forward
When former Florida Chief Information Officer Jason Allison left his position at the Agency for State Technology for the private sector last month, it sent mixed signals.
On one hand, AST shows many outward signs of growth and prosperity, including a recent successful 90-day data center move and plans to install a chief data officer and GIS office. But his departure also coincided with a recent report from the state auditor general’s office that contained 12 findings, some of which cited violations of state law.
AST told StateScoop that Allison’s departure was to “pursue an opportunity” in the private sector and maintained that troubled IT offices are a thing of the past in Florida. Before AST’s 2014 launch, two previous state IT agencies were dissolved within several years of creation.
At a legislative hearing on Feb. 22, Republican state Rep. Blaise Ingoglia opened discussion of the audit, saying the report contained some “reasons for concern,” including the report’s first finding, which is that some AST employees and adjacent state agencies maintained “inappropriate” access to the state’s data center — access that was meant to be terminated upon AST’s formation.
Arthur Hart, audit manager for the operational audit, told StateScoop he was unable to characterize the findings of the audit beyond what is found in the report. At the hearing, Hart stated that some of his office’s findings were not included in the report because releasing the data could jeopardize the security of the state’s data centers.
AST representatives also spoke before the committee to explain the findings. Eric Larson, state chief technology officer and chief operations officer, told StateScoop that he didn’t wish to minimize the report’s findings, but added that some were common across most — 26 of 28 — state agencies, while the issue of inappropriate access privileges was a “mitigated risk” that needed more context to be fairly understood.
AST is now following the guidance of the auditor’s office, but looking back, Larson said, all of the people with inappropriate access are trusted employees with CJIS2 clearance. He added that operationally, there were good reasons for the arrangement.
“In cases where they don’t have enough privileges, that’s a completely destructive outcome,” Larson said. “I mean, you may think it’s secure, but if the people who have the ability to fix something don’t have the privilege, it’s kind of like the janitor letting you into your office every morning. There’s overhead to that and that has a real cost to the agency.”
In highlighting some of AST’s upcoming projects, Larson noted that work is mounting on a new identity access management system that will both curtail sprawl and allow for more granular controls that alleviate this problem, both in providing the access that his agency needs and in complying with state law.
Another violation cited in the audit involved missing records of eight data tapes encrypted with AES that AST destroyed during its recent data center move. This was an issue of improper cataloging from before the move, not actual missing tapes, Larson explained. He also noted that the audit happened concurrently with the forced data center move.
Larson, who has been with the state for 13 years, said that he witnessed the two previous incarnations of the state technology office fail and that he does not believe AST is destined for the same fate.
“The prior implementation was primarily a policy unit,” Larson said. “It didn’t have oversight of the data centers, the data centers ran themselves through board governance. So there really wasn’t a central approach to managing the data center and that’s one of the reasons why I was willing to join back when it was formed back in ’14 is the idea that we would have the ability to be able to set standards and run the data center as a uniform service, and also to get authority over things like enterprise architecture.”
The agency is continuing with the initiatives that were ramping up before Allison departed, Larson said. A new GIS office and chief data officer would position the state for central governance for interdepartmental data sharing and increased open data publication. The agency is continuing its cybersecurity risk assessments and budgeting for remediation of findings in the first half of the assessment.
Larson reported IT security training is ramping up with 105 state personnel participating in on-site SANS training alongside 40 to 50 workers from nearby states and government offices.
“That’s a big win for us from a cost perspective because of the scale and the audience, we were able to achieve some pretty significant cost savings,” he said.
A newly launched cybersecurity program within the data center will also expand the agency’s capabilities and allow other agencies across the state to purchase services, he added.
Disaster recovery is another big focus point for AST. The new arrangement, he said, will integrate the state’s DR within its data centers, rather than as an external unit.
“It’s actually embedded into the topology of the data center to make sure DR will work, even for the applications that are too fragile to have any changes made to them,” Larson said.
“The way the agency was put together, I believe this is the most sustainable way that I’ve ever seen it in Florida’s history, at least in the last 13 years.”
On March 7, Eric Larson will become the interim state chief information officer until a permanent replacement is found, a spokesperson from Republican Gov. Rick Scott’s office said.