ITS Tech Talk - Mar. 1, 2024

I'm thrilled to share that Phase I of our ServiceNow project, featuring IT Service Management (ITSM), went live in December. A huge thank you to the teams for building out the foundation for one of our most critical enterprise software. ITSM is at the core of how we deliver services to agencies as a support organization. It is so important that ITS maintains a steering group that consists of several administrators.

The next important element is IT Asset Management (ITAM) which includes hardware and software asset management. ITS customers must know what IT equipment (computers, switches, wireless access points) and software (Microsoft, Adobe) they own so they know when to order more.

Phase II Plan highlights:

• IT Asset Management (ITAM):
• Establish a best practice approach for ITAM per industry best practice
• Manage cross dependencies with the Configuration Management Database (CMDB)
• Develop IT Asset reporting dashboards
• HAM (Hardware Asset Management)
• Define and implement the end-to-end lifecycle for all hardware assets
• Manage cross dependencies with the CMDB
• Opportunities for hardware cost optimization
• SAM (Software Asset Management)
• Streamline license compliance and renewals
• Improve software cost management
• Enhance decision-making with usage insights

Service level agreements (SLAs) define the relationship between our supported agencies and ITS. They also detail the responsibilities of each party and provide the framework on how ITS will deliver services. But the current version of the SLA was last updated in Aug. 2022, and a LOT has changed in the past 16 months.

The Service Delivery Management team (SDMs) has been tasked with owning the SLA work center, hopefully managing a more dynamic process that includes regular updates to the documentation, ensuring all agencies have signed SLAs, and helping agencies create their agency-specific list of exemptions for applications or hardware that ITS would not support.

SDMs are actively working with agencies to identify gaps, potential improvements, etc., in the existing documentation (formal SLA and as many as six addendums) before drawing up a final version to circulate amongst agencies for a new signature. This new version will be the one our new Phase 4 agencies will sign, too.

ITS is currently preparing for another major firewall upgrade that is required to update certificates within our environment. Certificates are used to validate connections as a means of ensuring they are trusted and secure. Significant firewall work occurred in December, and this upgrade builds upon that functionality. This is a mandatory upgrade that will affect roughly 80 firewalls and must be completed by Apr. 7th.

In an effort to reduce impacts to agencies, this important work is scheduled the weekend of Mar. 8-10th. During this time, ITS will have employees and contractors onsite during anticipated short-term planned outages.

ITS will be reaching out to individual agencies that may be affected to provide additional information and answer questions. 

To keep a current and supported hardware platform, ITS has begun the process of a migration of workstations/PC/laptops from Windows 10 to Windows 11. Windows 11 is the next iteration of Microsoft’s operating system. Currently, 1,833 devices have been upgraded or deployed in supported state IT environments. 

The initial pilot of Windows 11 began Aug. 2023. Agencies below are a sampling of conversion completion percentages:

• Dept. of Administration: 52%
• Commission for Libraries: 95%
• Vocational Rehabilitation: 98%
• Correctional Industries: 100% 

Recently, the pilot has expanded to include 15 more agencies.

A variety of factors impact the migration, which are mostly centered around aged non-supported hardware and the sunsetting of Microsoft support of specific native tools (i.e., Snip and Sketch).

The entire project could take up to four years to complete, dependent on annual hardware replacements. Internally, ITS has 168 of its own devices migrated and we will continue to work on the upgrade until all agencies and eligible devices are converted.

Our budget made its way through the Joint Finance-Appropriations Committee (JFAC) and is now being read in the House as bill 648. The Governor’s budget includes our full request plus an additional $1.5 million for citizen engagement and a 3% change in employee compensation. Alberto presented our budget to JFAC on Jan. 19th.

Budget Summary:

Key Takeaways:

1. Agencies are now able to pay vendors directly.
2. The quoting process remains the same.

For more information, continue reading here.

In an effort to provide agencies with resources and information they are seeking in one location at its.idaho.gov, ITS wants to hear from you.

As part of a seven-question survey, ITS would like feedback about what topics, training materials, or resources you would like to see in a single location on our website. This information is designed to improve the user experience and also, provide a one-stop hub for materials you rely on.

To take the survey, please visit Agency Resource Page Feedback anytime until Mar. 15th.

ITS is proud of the customers we serve and are highlighting those partnerships and success stories. On our Customer Spotlights page on the ITS website, you can find stories highlighting this. Have a story you’d like to share, or person you’d like to give a kudos to? Please click the Submit Spotlight Story link.

Do you create documents, training guides, or other materials that are shared externally with our customers or the general public? If so, as a reminder, they need to be accessible and compliant for those who might be visually or otherwise impaired. Text or screenshots that are too small or blurry, don’t meet ADA compliance, meaning they aren’t accessible to those with a disability.

Some best practices  for document creation and using an Accessibility Checker can be can be found on this website: Make your Word documents accessible to people with disabilities - Microsoft Support.

ITS is exploring more options to collectively address ADA compliance. Stay tuned for more information.

The Idaho 2024 annual Cybersecurity Training campaign begins Mar. 1st. This campaign, which was previously administered by the Division of Human Resources, is now managed by the Idaho Office of Information Technology Services.

Why is the training important:

Cybersecurity and related training are top priorities for the State of Idaho. In 2023, phishing threats became more efficient, with 96% of targeted organizations negatively impacted by these attacks, compared with 86% during the previous year, according to Infosecurity Magazine.

Timeline:

• The Mar. 2024 training will be available to all employees Mar. 1-31st. It takes approximately 18 minutes to complete.

Where is the training located?

• Training modules are located in Luma. You can access them in the Employee Learning and Development profile beginning Mar. 1st.
• The training ID is DHR_000050 titled '2024 Annual Cybertraining.'
• Please review this flyer and forward, share, or post as necessary.

For individuals requiring accommodation for training, please email ada.coordinator@dhr.idaho.gov or call 208.854.3077.

Questions?

If you have questions, please visit https://its.idaho.gov/2024-annual-cyber-training/.  For all other questions please contact ITS at cybertraining@its.idaho.gov.

Kudos to all employees, both in ITS as well as partner agencies, that are working hard to roll out multi-factor authentication (MFA) as an enhanced security feature for users accessing state systems. 

Over the last six months, ITS has actively investigated and monitored six major cybersecurity incidents affecting state agencies as well as over 43 cybersecurity incidents that would have been prevented by use of MFA. These incidents directly affected more than 300 employees with impacts including:

• Employees being locked out of performing business duties for multiple days
• Exposure of sensitive information including social security numbers, address and date of birth
• Loss of paychecks

ITS has noticed a remarkable drop in compromised user accounts among state agencies that have MFA enabled versus agencies that do not. 

On Jan. 29th, a record setting personal data breach being hailed as the Mother of all Breaches (MOAB), exposed 26 billion individual personal records discovered by security research firm SecurityDiscovery.com.

The compromised information is known to contain data from past breaches as well as new data. The breach contains user login credentials and other sensitive information that is valuable to malicious actors.

Link to the news story: https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/ 

What does this mean for you?

Malicious actors will likely start using information to attack other accounts from compromised users. Attackers will try to use compromised passwords to see if they were reused for more high value accounts like email or banking. Attackers are also likely to send many more phishing attacks and spam emails targeting compromised people.

How can you protect yourself?

Good password hygiene practices are the best way to mitigate the risk of your compromised user login information being used against you to access your accounts.

Password Hygiene Best Practices:

1. Use passphrases. Passphrases are a sentence-like string of words that contains a mixture of uppercase, lowercase, and special characters that is easy to remember but hard to hack.
2. Don’t reuse passwords or passphrases. Use a unique login for every online account you own. This prevents an attacker from gaining access to all your accounts with minimal effort.
3. Use a password manager program. These are applications that store all your passwords in an encrypted database for easy use, can assist in generating new, unique passwords, and sync them across all of your devices. A much better idea than a sticky note.
4. Frequently change all your account passwords. Recommendation for password rotation is every 90 days. If that seems too frequent for you, try rotating passwords at least once a year on all your personal accounts.
5. Use multi-factor authentication (MFA) whenever possible. Most users are already familiar MFA for their bank or work accounts. This protects accounts from compromise by forcing users to provide their passcode along with a code. Typically, this is provided directly to a user’s cell phone via a one-time passcode or a phone application that pushes a request asking for approval to the device’s screen.
6. General cybersecurity awareness training. The state mandates annual cybersecurity training for all employees. This training is designed to help highlight current cybersecurity threats and increase knowledge of how to be cybersecurity aware.