Time:09:38 AM to 03:44 PM
Place:HCR 0107
This Meeting was called to order by
Representative Tyler
This Report was prepared by
Matt Kiszka
X = Present, E = Excused, A = Absent, * = Present after roll call
Bills Addressed: Action Taken:
Presentation Regarding State Cyber Security - OIT
Office of the State Auditor Presentation of Confidential Office of Cyber Security, Governor's Office of Information Technology, Performance Audit - November 2010 Report
Presentation of OIT Budget Decision Items
Discussion of Committee Process
Discussion of IT Budget Request from the Colorado Department of Education
Presentation Regarding Judicial Branch Information Technology Systems
Presentation from the Statewide Internet Portal Authority
Witness Testimony and/or Committee Discussion Only
Executive Session
Recommendation(s) Approved
Committee Discussion Only
Witness Testimony and/or Committee Discussion Only
Witness Testimony and/or Committee Discussion Only
Witness Testimony and/or Committee Discussion Only

09:38 AM -- Presentation Regarding State Cyber Security, OIT

Representative Tyler, Chair, called the meeting to order.

Jonathan Trull, Chief Information Security Officer, Governor's Office of Information Technology (OIT), came to the table and provided an overview of his role and what it requires according to statute. He noted that he has a staff of 15 people. Mr. Trull also noted that state systems face 600,000 malicious events each day.

09:43 AM

Representative Tyler asked Mr. Trull to distinguish, out of these 600,000 attacks, how many are directed at secure state systems versus individual users. Mr. Trull stated that most of the attempted intrusions come from "botnets," or brute force intrusion attempts. According to Mr. Trull, specific attempts are mostly made up of phishing attempts directed towards executive branch individuals, which constitute roughly five percent of all attacks.

09:46 AM

Representative Tyler asked Mr. Trull if the office was able to block specific attacks or prosecute the individuals involved. Mr. Trull responded that the OIT is more concerned with blocking or recovering from attacks, and that OIT does not hunt down a lot of attempted intrusions. He added that the office is currently looking at the ways in which it can be more diligent in pursuing these. According to Mr. Trull, the FBI has not been involved because this only happens when damages greater than $100,000 have been incurred., which has not yet occurred. He added that OIT has started a "computer crime task force" in an attempt to do something about the people attacking the state.

09:49 AM

Representative Rankin asked Mr. Trull how often the office is approached with a significant attack, and how frequently serious incidents occur. Mr. Trull answered that roughly 13 serious incidents occur in a month that he is involved with.

09:50 AM

Representative Tyler had the record reflect that Senator Schwartz joined the meeting.

Mr. Trull continued, stating that 80 percent of the office's time is spent performing security operations. He then summarized the daily work of OIT.

09:52 AM

Senator Schwartz asked if strict protocols are going to be imposed upon staff due to the recent security dangers that resulted from a state employee losing a USB drive with sensitive information on it.

Mr. Trull explained the different security measures that are in place and the data loss prevention strategies that OIT is looking to put into place. He noted that a lengthy process would be involved in the deployment of these strategies across state agencies as the office oversees 26,000 endpoints for security.

09:56 AM

Senator Newell asked if General Assembly members would be a part of annual training plans from OIT. Mr. Trull responded that any IT security services training would be administered by the Legislative Council, and that he could not speak to their plan for the General Assembly.

Representative Rankin asked Mr. Trull to confirm the 26,000 security endpoints he mentioned, and which state entities are included in this number. Mr. Trull explained that this number includes the 17 core state executive branch agencies, for which he has security oversight and influence. He added that he can however set cyber security policies for other state entities that they must abide by.

10:00 AM

Mr. Trull moved on to summarize OIT's plans for the future, explaining the different security controls the office has adopted and intends to put in place.

10:05 AM

Mr. Trull went on to talk about the office's need to upgrade the state's perimeter firewall, which is at capacity and needs to be replaced. He also spoke about the 135,000 IP addresses that the state owns and the need to implement stronger security controls over these as well as the 26,000 users that OIT has oversight for.

10:08 AM

Senator Schwartz asked Mr. Trull to confirm the security risks involved in the office's average response time to a security breach, which is currently 48 hours. Mr. Trull responded that Colorado state security is constructed of a layered defense, which will slow down attempted intrusions. He added that with the resources that his office has, the response time is a tremendous effort, but he would like to improve it over time. He stated that it is also a sufficient response time, and different breaches are treated accordingly in terms of severity and danger.

10:10 AM

Mr. Trull proceeded, and spoke to OIT's push for higher levels of data loss prevention. He said the office also intends to revisit its cyber security policies and adjust them to counteract the evolution of threats over the Internet. Mr. Trull also commented on the different training initiatives that the office is currently working on, and spoke to his team's drive towards being more service-oriented.

10:14 AM

Senator Newell asked if there was a learning management system (LMS) in place for OIT's employee training. Mr. Trull summarized the resources available to state employees, and stated that the office has an LMS that tracks employee usage of the system. He stated that the office's goal last year was to achieve a 98 percent employee training engagement, which it did.

10:17 AM

Representative Rankin asked Mr. Trull to comment on how the state measures up in its cyber security standards versus other states. Mr. Trull analyzed where the state stands, and estimated that Colorado is in the top 10 of all states in terms of its cyber security standards.

Senator Newell asked Mr. Trull to explain how different executive directors throughout state agencies have the authority to create their own policies for their staff. Mr. Trull explained that OIT does not oversee human resources matters, but that it does have 15 cyber security policies that executive branch agencies must implement.

10:23 AM -- Office of the State Auditor Presentation of
Confidential Office of Cyber Security, Governor's Office of Information Technology, Performance Audit - November 2010 Report
BILL:OSA Executive Session
TIME: 10:24:44 AM
MOTION:Enter into executive session in order to discuss security matters pursuant to section 24-6-402 (3)(a(IV), C.R.S. The motion passed on a vote of 5-0, with 1 absent.

11:16 AM -- Presentation of OIT Budget Decision Items

Brenda Berlin, Chief Financial Officer, and Dan Krug, Financial Planning and Operations Director, both representing the Governor's Office of Information Technology (OIT), came to the table. A copy of their presentation was distributed to the committee (Attachment A). Ms. Berlin began by summarizing the different budget change requests that OIT made for FY 2014-15, which are detailed in Attachment A.

140106 AttachA.pdf140106 AttachA.pdf

11:22 AM

Senator Newell asked if OIT's "Eliminate Redundant Applications" budget change request will result in a savings for the state. Ms. Berlin spoke to the goals of the request.

Senator Newell and Representative Rankin asked if OIT's budget submissions could include a quantification of savings, and stated that the committee wants to be able to talk about the efficiencies achieved from implemented changes.

11:28 AM

Mr. Krug directed the committee to a detailed report of the different budget requests from OIT for FY 2014-15, which he said would be provided to the committee by staff (Attachment B). Representative Rankin asked for OIT to explain what would improve if the budget change requests were approved by the committee. Mr. Krug responded that quantified savings were still being developed, and that some of the change requests deal with aging systems that have no ongoing maintenance costs, and simply need to be replaced.

140106 AttachB.pdf140106 AttachB.pdf

Senator Newell asked Mr. Krug to define the dollar amounts in the requests. Mr. Krug stated that the amounts listed were estimates, as the specific applications marked for redundancy and the departments involved had not yet been determined. Committee questioning around and discussion of the "Eliminate Redundant Applications" change request ensued.

11:33 AM

Senator Schwartz asked OIT how security came into its "Eliminate Redundant Applications" request. Ms. Berlin responded that more standard applications and newer technology will inherently involve better security as well as the ability to monitor the applications, and said that they would follow up with the committee with more detail.

11:36 AM

Ms. Berlin proceeded in summarizing OIT's budget change requests. Senator Schwartz questioned OIT's plans for the "Broadband Mapping and Planning Services" change request in relation to the data collection problems that were experienced during the usage of federal funds under the Connect America Fund (CAF) for broadband development. Monica Coughlin, IT Economic Development and Broadband Strategy Director, OIT, came to the table to respond. Ms. Coughlin responded that once federal funds expired, OIT would no longer be bound by federal requirements for data on broadband mapping, which would give the state more flexibility in developing broadband.

Senator Schwartz asked about the CAF Funds, and to what extent OIT would be identifying what was available to the state. Ms. Coughlin responded that the office is looking at being more strategic and the different ways it might access these federal funds. Committee questioning and discussion of its role in broadband deployment in the state ensued.

11:46 AM

Ms. Berlin continued addressing the specific OIT budget change requests. Senator Newell asked if there was an asset management system in place for the "Digital Trunked Radio System Operations Increase" budget request. Ms. Berlin explained the asset management system that OIT has in place.

11:50 AM

Ms. Berlin spoke to OITs final budget change request item, "IT Technical Development," which would help get executive branch agencies staff advanced IT training. Committee discussion of the importance of IT training for state employees ensued.

Senator Newell asked about the intended lean process implementation for the "Eliminate Redundant Applications" request. Mr. Krug spoke to OITs intentions for the implementation of a lean process in this request.

11:56 AM -- Discussion of Committee Process

Representative Tyler addressed the committee on how it might make recommendations to the Joint Budget Commmittee (JBC). A copy of the funding requests from OIT was distributed to the committee (Attachment B). The committee discussed how it might consider different budget requests and the decision matrix it could use.

12:01 PM

The committee went on to review the budget request information template that was put together by staff for use by the committee, and discussed the additional questions to add to the template that should be asked for each budget request. Representative Tyler requested for staff to add a question relating to the department's engagement of end users of the intended system implementation or change.

Representative Rankin asked for the template to include a request for information on a department's current IT budget, how many people the department has dedicated to IT, and what systems it is running.

Senator Schwartz asked for the template to reflect the consideration of whether or not a budget request is effective, and if it might not be better to rebuild than to fix a system that a department has in place.

12:05 PM

Senator Schwartz brought up the committee's ability to evaluate a budget request, and whether it has sufficient in-house resources to evaluate a request adequately, or if it might rely more heavily on external sources in the private sector. Committee discussion ensued.

Representative Tyler stated that the committee needs to know what OIT looks at when it considers an IT budget request, and how the decision to fix or build is made. He suggested that a presentation from OIT director Kristin Russell might be of use. The committee discussed the best ways in which it might consider budget requests and the different parties it could engage.

12:18 PM

The committee provided further guidance for staff on the budget request template, requesting the addition of questions on training plans and the usage of change management.

Representative Rankin expressed his concern with not simply adding another layer of bureaucracy to the budget request process and ensuring the provision of value by the committee.
TIME: 12:21:13 PM
MOTION:Motion to draft a communication to the Joint Budget Committee signifying the Joint Technology Committee's general support of OIT budget change requests, with a specific request for further detail and oversight on redundant applications in the $2.9 million request to "Eliminate Redundant Applications," and an additional committee request for the $554,000 "Broadband Mapping and Planning" request to include continued mapping of state assets. The motion passed on a vote of 5-0, with 1 absent.

12:23 PM

Jessika Shipley, Legislative Council Staff, asked the committee to consider meeting with the Capital Development Committee on February 4, 2014, which it agreed to, as well as how often the committee is planning on meeting during session.

12:26 PM

The committee recessed for lunch.

01:37 PM -- Discussion of IT Budget Request from the Colorado Department of Education

The committee returned to order.

Robert Hammond, Commissioner of Education, and Dan Domagala, Chief Information Officer, both representing the Colorado Department of Education (CDE), presented their FY 2014-15 budget request related to IT (Attachment C). Commissioner Hammond explained that the department is requesting approximately $3 million in General Fund and 4.6 FTE, annualizing to 5.0 FTE in future years at a cost of $1.6 million per year. The other $1.4 million is a one-time cost for infrastructure needs. The money and staff will be used to update and improve the department's information technology systems. He discussed how the department's responsibilities have increased over time without increasing resources. Mr. Domagala responded to questions about how end users and customers have been involved in the process of planning for future IT needs. Commissioner Hammond returned to an explanation of the changing responsibilities of the CDE. He talked about how the updated and improved system is expected to assist the department in fulfilling its role.

140106 AttachC.pdf140106 AttachC.pdf

01:46 PM

Mr. Domagala walked the committee through the department's budget decision items. He discussed the infrastructure, staffing, and capacity needs of the CDE. Representative Tyler asked for more specific information about how CDE will expand its data capacity. Mr. Domagala talked about the equipment that needs to be replaced in order to make such an expansion and improvement. Senator Schwartz commented that the department's request is very modest, considering the cost of IT services and products, and asked what the new system will require on a long-term basis. Mr. Domagala discussed many of CDE's strategic planning goals for the future, especially with regard to smaller school districts and those that are outside major metropolitan areas. Commissioner Hammond spoke about how rural school districts rely on CDE for data management assistance. Mr. Domagala explained the ongoing portion of the budget request. The new FTE will staff a help desk, provide software programming services, and establish a full-time information security officer. Additionally, ongoing funding is required for maintenance and support contracts for new software and hardware systems. He discussed the department's intent to seek out and take advantage of existing expertise at other departments and in the Governor's Office.

02:02 PM

Mr. Domagala spoke about the importance of security audits. He listed the department's outcome goals for the infrastructure improvements. Representative Tyler asked whether the basic structure of CDE's databases will remain the same. Mr. Domagala indicated that the department will go forward with current solutions while remaining flexible. Senator Newell asked about CDE's plans for change management. The committee discussed the lean process, performance and IT audits, and the budget increase being requested with Mr. Domagala and Commissioner Hammond. Senator Schwartz asked what percentage of the total cost of the system will be ongoing and devoted to maintenance.

02:15 PM -- Presentation Regarding Judicial Branch Information Technology Systems

Judge Jerry Marroney and Chad Cornelius, representing the State Court Administrator's Office in the Colorado Judicial Branch, presented information about IT in the Judicial Branch (Attachment D). Judge Marroney spoke about the branch's budget requests related to IT, which include four new regional technicians for courthouses across the state. In response to questions from the committee, Judge Marroney explained the various IT needs of the Judicial Branch. Mr. Cornelius weighed in as well, highlighting some of the data exchanges with executive branch agencies.

140106 AttachD.pdf140106 AttachD.pdf

02:25 PM

Senator Schwartz asked about the possibility of video conferencing with regard to hearings in rural areas. Judge Marroney addressed the branch's budget request related to that issue and stressed that $85,000 of the $1 million total request will be ongoing for an increase in bandwidth. He also spoke about historic courthouse upgrades in rural areas, which will addressed by legislation in the 2014 legislative session. Mr. Cornelius talked about bandwidth availability in rural areas. In many places, the bandwidth is not adequate to meet needs related to video conferencing, digital recording backup, and an electronic enterprise content management system. Discussion about broadband expansion ensued.

02:37 PM

Senator Newell asked for more information about change management with regard to branch's new content management system. Mr. Cornelius spoke about his efforts to improve change management and training in all of the branch's system improvements. Judge Marroney pointed out that individuals who used to be clerks and other users of a system help to develop any new software systems. The committee discussed the timeframe for providing connectivity to all courthouses in the state. Mr. Cornelius raised issues about the state's internet service provider and some barriers that exist to expanding broadband.

02:51 PM

Representative Singer discussed a program whereby the City of Longmont built its own internet backbone. He asked if the Judicial Branch is involved in telecommunications legislation for the upcoming session. Mr. Cornelius discussed future initiatives for the branch's IT department, including information security, mobile device management, cloud-based data storage, content management, inventory and asset management, and a hardware refresh. Judge Marroney closed with thanks to the committee for taking on its role.

03:00 PM -- Presentation from the Statewide Internet Portal Authority

John Conley, executive director of the Statewide Internet Portal Authority (SIPA), presented information about the role of SIPA in state government (Attachment E). He introduced his deputies and some of SIPA's private sector partners. He provided history of SIPA and talked about its mission. SIPA serves all governments in Colorado except the federal government. SIPA also provides oversight for the official web portal. He explained how SIPA has grown its services beyond web portals and now provides its services to more than just state agencies, across the state as a whole for all governments. He stressed that SIPA does not receive a state appropriation and talked about how SIPA is funded by a portion of statutory fees. He stated that, due to the scale of SIPA's enterprise, it is able to purchase products and services at a discount and sell those back to state and local government agencies at lower-than-market prices.

140106 AttachE.pdf140106 AttachE.pdf

03:15 PM

Mr. Conley continued to discuss the organization of SIPA, focusing on the role of the board of directors and the various services SIPA provides. He matched each of the services provided with the private sector partners that help to provide the service. He talked about a new the Department of Health Care Policy and Financing call center that might be leveraged for needs across the state.

03:24 PM

Mr. Conley continued introducing private sector partners and explaining the services they provide. He spoke about the government entities that are served by SIPA across Colorado and commented about the savings to governments for performing functions online rather than in a physical location. He discussed SIPA's plans for the future, especially with regard to cyber security assessments, cloud telephony, electronic document signing, new call center technology, and a law enforcement network that will allow real-time information sharing at the arresting or stopping officer level.

03:36 PM

Representative Rankin asked Mr. Conley to comment on SIPA's growth potential. Mr. Conley indicated that growth is not a problem because there is a lot of potential. The problem is keeping up with demand. Senator Schwartz asked how SIPA is involved in discussions and efforts to expand rural broadband connectivity. He continued responding to the committee's questions.

03:44 PM

The committee adjourned.