Workforce Data Task Force - OEO · Workforce Data Task Force November 30, 2017. Agenda A. Call to...

Workforce Data Task Force November 30, 2017



Agenda

A. Call to order

B. Update on development of Arizona Workforce Evaluation Data System (AWEDS)

C. Presentation by contractor on development and security plan

D. Presentation by Arizona Strategic Enterprise Technology Office (ASET) on ongoing monitoring, security compliance & best practice reviews

E. Adjournment


Update on Development of AWEDS

Primary design goals:

• No long-term storage of data

• Strong privacy protections during operations and data use


Update on Development of AWEDS

RFP:

• RFP was posted on April 14th, 2017

• Evaluation panel with representation from OEO, DES & MCCCD

• Bids were opened on May 17th, 2017

• Received 5 offers from:

  – Andrew J Wong

  – Accenture

  – CenturyLink

  – Deloitte

  – The Nerdery

• Awarded contract to The Nerdery on October 26th, 2017


Update on Development of AWEDS

Current work by OEO:

• Project Investment Justification (PIJ)

  – Submitted, awaiting approval

• Information Technology Authorization Committee (ITAC)

  – Plan on getting approval in December

• Initial development will use data from 3 programs

• Intergovernmental Agreement between 3 agencies


Proprietary and Confidential

WORKFORCE DATA TASK FORCE


OUR HISTORY

Founded in 2003, The Nerdery has helped thousands of clients leverage technology to achieve their business goals.

Delivering complex solutions at enterprise scale is what we do.


OFFERING THE BEST


With over 400 people representing deep expertise in architecture, engineering, strategy, and design, The Nerdery works with our clients on-site and from our offices in Phoenix, Chicago, Minneapolis, and Kansas City.


WHERE WE’RE POSITIONED

(Positioning diagram: Software Integrators, Business Advisors, Traditional Agencies)


INDUSTRY RECOGNITION


THE SOLUTION



OUR MISSION

The Ask: Create a secure and flexible computing system that anonymizes, matches, and analyzes administrative data to enable useful insights in employment and state services across Arizona.


IDEAL SOLUTION

Secure, fully extensible, and built with purpose

• Architected from a “Security and Compliance First” perspective

• Fully custom longitudinal data system derived from best-in-class tools

• User-centric design to provide the State of Arizona with usable data

• Applies cutting-edge data science methodologies to drive precision, ensure anonymity and eliminate the need for long-term data storage


SECURITY & COMPLIANCE

SECURE

‣ Immutable infrastructure and zero trust networks

‣ 2-factor authentication

‣ No OS-level root access

AUTHORIZE

‣ Full-team sign off before moving to production

‣ DevOps as change management

‣ “Day 1” dry-runs for incidents

ASSESS

‣ Source code analysis and automated penetration testing

‣ Architecture review

‣ Incident response simulation

MONITOR

‣ Tamper-resistant & centralized logging

‣ Automatic alerts

‣ Re-scan code for analysis on every push
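One way to obtain the "tamper-resistant" property under MONITOR is to chain each log entry to its predecessor with a keyed hash, so that editing, forging, re-ordering or deleting an entry breaks the chain for anyone holding the collector's key. The block below is an added example written for this page, not code from The Nerdery or the AWEDS system; the collector key, event fields and log lines are constructed assumptions. It also shows the limit of a bare hash chain: entries dropped from the tail are invisible unless the verifier knows the last chain head, which is why the central collector must record that head somewhere the log producers cannot write.

```python
"""Tamper-evident, append-only audit log built as an HMAC hash chain.

Added example, not code from The Nerdery or the AWEDS system. Assumes a
central collector holding LOG_KEY (hypothetical) that log producers cannot
read, and that the collector records the latest chain head out of band.
All events below are constructed samples.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous MAC" for the first entry


def _canonical(entry: dict) -> bytes:
    """Stable encoding so the MAC does not depend on key order or whitespace."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class TamperEvidentLog:
    def __init__(self, key: bytes):
        self.key = key
        self.entries = []
        self.head = GENESIS

    def append(self, event: dict) -> dict:
        """mac_n = HMAC(key, seq_n | mac_{n-1} | event_n): each entry commits to all before it."""
        entry = {"seq": len(self.entries), "prev": self.head, "event": event}
        entry["mac"] = hmac.new(self.key, _canonical(entry), hashlib.sha256).hexdigest()
        self.entries.append(entry)
        self.head = entry["mac"]
        return entry


def verify_chain(entries: list, key: bytes, expected_head: str = None) -> int:
    """Return -1 if intact, else the index of the first entry that fails.

    Catches edited events, forged entries, re-ordering and deletion in the
    middle. Entries silently dropped from the tail are only caught when the
    caller passes the last head it knows, so pass expected_head whenever
    you have it.
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return i
        body = {k: v for k, v in entry.items() if k != "mac"}
        mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, entry.get("mac", "")):
            return i
        prev = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(entries)
    return -1


# Constructed sample events (not real AWEDS log lines).
SAMPLE_EVENTS = [
    {"ts": "2017-11-30T10:00:00Z", "user": "analyst1", "action": "login", "mfa": True},
    {"ts": "2017-11-30T10:05:12Z", "user": "analyst1", "action": "query", "dataset": "wage_records"},
    {"ts": "2017-11-30T10:07:40Z", "user": "ci", "action": "code_scan", "result": "clean"},
    {"ts": "2017-11-30T10:30:00Z", "user": "analyst1", "action": "export", "rows": 12},
]

LOG_KEY = b"\x11" * 32  # hypothetical; a real collector loads this from a KMS/HSM


def build_log(key: bytes = LOG_KEY) -> TamperEvidentLog:
    log = TamperEvidentLog(key)
    for event in SAMPLE_EVENTS:
        log.append(event)
    return log


if __name__ == "__main__":
    log = build_log()
    print("intact:", verify_chain(log.entries, LOG_KEY))                                   # -1
    edited = [dict(e) for e in log.entries]
    edited[1]["event"] = {**edited[1]["event"], "rows_read": 100000}
    print("edited entry 1:", verify_chain(edited, LOG_KEY))                                # 1
    print("entry 2 deleted:", verify_chain(log.entries[:2] + log.entries[3:], LOG_KEY))    # 2
    print("tail dropped, no head:", verify_chain(log.entries[:-1], LOG_KEY))               # -1
    print("tail dropped, head known:", verify_chain(log.entries[:-1], LOG_KEY, log.head))  # 3
```

The chain makes tampering detectable, not impossible: an attacker with the key can rewrite the whole chain, so the key lives only on the collector, and centralizing means shipping entries off the producing host before a compromise there can touch them.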


SECURITY & COMPLIANCE

Design a solution that aligns with key regulatory compliance packages

(Stack diagram) Platform: AWS IaaS: S3 (storage), EC2 (compute), EMR (database); Red Hat Enterprise Linux (RHEL); Java Virtual Machine (JVM); Presto, Apache Spark, Apache Solr; Jupyter Notebook, Alteryx.

(Compliance references) cloud.gov (ElasticSearch) + industry implementations; Java DISA STIGs; RHEL DISA STIGs; FedRAMP Customer Responsibility Matrix.


SECURITY & COMPLIANCE

The Nerdery provides privacy measures at every step of the process:

• One-way anonymization (hashing)

• Transport-level encryption to the cloud (HTTPS)

• Access controls and encryption at rest in the cloud

• Data securely deleted on a regular basis
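On "one-way anonymization (hashing)": a bare hash of a Social Security number is not one-way in practice, because the 9-digit space is small enough to enumerate, so the check a practitioner wants is that tokens are produced with a keyed hash (HMAC) under a key the data suppliers never hold. The block below is an added example for this page, not The Nerdery's or AWEDS code; the key handling, the field set and the records are constructed assumptions. It normalises names so that formatting differences between two agencies do not break the token, and shows the unkeyed variant being inverted by enumeration.

```python
"""Keyed one-way pseudonymisation of identifiers before they leave an agency.

Added example, not The Nerdery's or AWEDS code. Assumes a linkage key that
is generated once, held by the matching service, and never given to the
agencies that supply the raw records. All records are constructed.
"""
import hashlib
import hmac
import re
import secrets
import unicodedata
from typing import Optional


def normalize_name(text: str) -> str:
    """Fold case, strip accents and punctuation, collapse whitespace, so that
    'José Ramírez-Lopez' and 'JOSE RAMIREZ LOPEZ' produce the same token."""
    decomposed = unicodedata.normalize("NFKD", text)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", plain.casefold()).split())


def canonical_key(record: dict) -> str:
    """Fixed field order; changing it would silently change every token."""
    return "|".join((
        normalize_name(record["first"]),
        normalize_name(record["last"]),
        record["dob"],                      # ISO 8601 date, YYYY-MM-DD
        re.sub(r"\D", "", record["ssn"]),   # digits only
    ))


def keyed_token(record: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical key. Without the key, the small
    identifier space gives an attacker nothing to enumerate against."""
    return hmac.new(key, canonical_key(record).encode(), hashlib.sha256).hexdigest()


def unkeyed_ssn_token(ssn: str) -> str:
    """The weak variant: a bare SHA-256 of the SSN. Shown only to demonstrate
    why 'hashing' alone is not one-way for a 9-digit identifier."""
    return hashlib.sha256(re.sub(r"\D", "", ssn).encode()).hexdigest()


def brute_force_unkeyed(target_hex: str, candidates) -> Optional[str]:
    """Invert an unkeyed token by enumerating candidate SSNs. The caller passes
    a constructed window here; the full 10^9 space is about 1e9 SHA-256 calls,
    minutes of work on commodity GPU hardware."""
    for n in candidates:
        ssn = f"{n:09d}"
        if hashlib.sha256(ssn.encode()).hexdigest() == target_hex:
            return ssn
    return None


def new_linkage_key() -> bytes:
    """256-bit key. Rotating it means re-tokenising: old and new tokens do not link."""
    return secrets.token_bytes(32)


# Constructed records as two agencies might hold them, with formatting differences.
AGENCY_A = {"first": "José", "last": "Ramírez-Lopez", "dob": "1985-04-12", "ssn": "123-45-6789"}
AGENCY_B = {"first": "JOSE", "last": "RAMIREZ LOPEZ", "dob": "1985-04-12", "ssn": "123456789"}


if __name__ == "__main__":
    key = new_linkage_key()
    print("same person, same token:", keyed_token(AGENCY_A, key) == keyed_token(AGENCY_B, key))
    weak = unkeyed_ssn_token(AGENCY_A["ssn"])
    print("unkeyed SSN recovered:", brute_force_unkeyed(weak, range(123_400_000, 123_500_000)))
```

Two caveats the slide's "one-way" label does not cover: the keyed token is still a persistent pseudonym, so the linked dataset can re-identify people through the other attributes it carries, and exact-token matching only links records that agree after normalisation, which is why the fuzzy linkage described on the data science slide still needs the cleartext comparison fields.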


DATA ENGINEERING


DATA SCIENCE

SEARCH: Narrow down all possible / theoretical record pairings to something more manageable.

COMPARE: Perform a more computationally intensive method for comparing possible record pairs.

DECIDE: Using string comparison features, train a machine learning model in order to precisely predict true record pairs.
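The three steps above, as an added example that is not part of the original presentation: blocking (SEARCH), string-similarity features (COMPARE), and a classifier trained on labelled pairs (DECIDE). The slide does not say which model is used; this block trains a Naive Bayes classifier on agreement features, the model behind classical Fellegi-Sunter record linkage, on a handful of constructed, hand-labelled pairs, and applies a three-way decision (match, clerical review, non-match). The names, dates, ZIP codes, thresholds and blocking key are all assumptions.

```python
"""Search / Compare / Decide record linkage on two constructed agency extracts.

Added example, not The Nerdery's code. Naive Bayes on agreement features
stands in for the slide's unspecified trained model; all records, labels,
thresholds and the blocking key are constructed assumptions.
"""
import re
from collections import Counter, defaultdict
from difflib import SequenceMatcher

SIM_THRESHOLD = 0.85              # string similarity at or above this = "agree"
MATCH_BAND, NONMATCH_BAND = 0.9, 0.1


def norm(text: str) -> str:
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", text.casefold()).split())

# SEARCH: blocking. Only pairs sharing a cheap key are ever compared.
def block_key(rec: dict) -> tuple:
    return (rec["dob"][:4], norm(rec["last"])[:2])

def candidate_pairs(left: list, right: list) -> list:
    index = defaultdict(list)
    for r in right:
        index[block_key(r)].append(r)
    return [(a, b) for a in left for b in index.get(block_key(a), [])]

# COMPARE: the expensive per-pair work, reduced to agreement features.
def compare(a: dict, b: dict) -> tuple:
    def sim(x, y):
        return SequenceMatcher(None, norm(x), norm(y)).ratio()
    return (int(sim(a["first"], b["first"]) >= SIM_THRESHOLD),
            int(sim(a["last"], b["last"]) >= SIM_THRESHOLD),
            int(a["dob"] == b["dob"]),
            int(a["zip"] == b["zip"]))

# DECIDE: Naive Bayes with add-one smoothing, trained on labelled pairs.
def train(labelled_pairs: list) -> dict:
    n, agree = Counter(), {0: [0] * 4, 1: [0] * 4}
    for a, b, label in labelled_pairs:
        n[label] += 1
        for i, f in enumerate(compare(a, b)):
            agree[label][i] += f
    return {"prior": {c: n[c] / (n[0] + n[1]) for c in (0, 1)},
            "p_agree": {c: [(agree[c][i] + 1) / (n[c] + 2) for i in range(4)]
                        for c in (0, 1)}}

def match_probability(features: tuple, model: dict) -> float:
    like = {}
    for c in (0, 1):
        p = model["prior"][c]
        for f, pa in zip(features, model["p_agree"][c]):
            p *= pa if f else 1 - pa
        like[c] = p
    return like[1] / (like[0] + like[1])

def decide(a: dict, b: dict, model: dict) -> str:
    p = match_probability(compare(a, b), model)
    return "match" if p >= MATCH_BAND else "non-match" if p <= NONMATCH_BAND else "review"

def link(left: list, right: list, model: dict) -> list:
    return [(a, b, decide(a, b, model)) for a, b in candidate_pairs(left, right)]

def _rec(first, last, dob, zip_code):
    return {"first": first, "last": last, "dob": dob, "zip": zip_code}

# Constructed, hand-labelled training pairs (1 = same person, 0 = different).
TRAINING_PAIRS = [
    (_rec("Anne", "Brown", "1970-05-05", "85100"), _rec("Ann", "Brown", "1970-05-05", "85100"), 1),
    (_rec("Carlos", "Diaz", "1982-09-09", "85101"), _rec("Carlos", "Diaz Ortega", "1982-09-09", "85102"), 1),
    (_rec("William", "Evans", "1965-11-11", "85103"), _rec("Bill", "Evans", "1965-11-11", "85103"), 1),
    (_rec("Sara", "Kim", "1993-02-02", "85104"), _rec("Sara", "Kim", "1993-02-02", "85105"), 1),
    (_rec("Anne", "Brown", "1970-05-05", "85100"), _rec("Anne", "Black", "1971-05-05", "85106"), 0),
    (_rec("Carlos", "Diaz", "1982-09-09", "85101"), _rec("Carla", "Dunn", "1961-03-03", "85110"), 0),
    (_rec("William", "Evans", "1965-11-11", "85103"), _rec("William", "Everett", "1965-11-12", "85103"), 0),
    (_rec("Sara", "Kim", "1993-02-02", "85104"), _rec("Sara", "Kwon", "1993-02-20", "85104"), 0),
]

# Constructed extracts as two agencies might hold them.
AGENCY_A = [_rec("John", "Smith", "1980-01-01", "85001"),
            _rec("Maria", "Garcia", "1975-06-30", "85003"),
            _rec("Robert", "Johnson", "1990-12-12", "85010"),
            _rec("Li", "Wang", "1988-03-03", "85020")]
AGENCY_B = [_rec("Jon", "Smith", "1980-01-01", "85001"),
            _rec("Maria", "Garcia-Lopez", "1975-06-30", "85004"),
            _rec("Bob", "Johnson", "1990-12-12", "85010"),
            _rec("Li", "Wang", "1988-03-03", "85021"),
            _rec("John", "Smyth", "1981-01-01", "85002"),
            _rec("Li", "Wong", "1988-03-30", "85020")]

if __name__ == "__main__":
    model = train(TRAINING_PAIRS)
    print(f"blocking: {len(candidate_pairs(AGENCY_A, AGENCY_B))} of "
          f"{len(AGENCY_A) * len(AGENCY_B)} pairs compared")
    for a, b, verdict in link(AGENCY_A, AGENCY_B, model):
        print(f"{a['first']} {a['last']} <-> {b['first']} {b['last']}: {verdict}")
```

On this input blocking compares 4 of 24 pairs; three come back as matches and the Garcia / Garcia-Lopez pair lands in the review band. The security-relevant design point is the review queue: pairs the model is unsure about go to a human under the same access controls as the data, rather than being silently linked or dropped, and the blocking key itself (birth year plus a name prefix) is a quasi-identifier that must stay inside the matching environment.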


PROJECT LEADERSHIP



DANNY ESTAVILLO, Regional Director (Client Relationship Leader)

• 15 years of experience in client relationship management and digital strategy for enterprise initiatives

• Leads The Nerdery’s expansion into the western United States and the development of robust customer relationships throughout the region

• United States Marine Corps veteran

• Master of Business Administration from Arizona State University

• Key Stakeholder in projects for: American Express, Wells Fargo, Wachovia, Apriva, and VeriFone

Skills: Communications Management; Stakeholder Management; Contract Management; Digital Strategy; ITIL Implementation


CHRIS LOCHER, Vice President of Delivery Operations (Delivery Leader)

• 20 years of experience in product development and delivery for enterprise initiatives

• 11 years as an officer in the U.S. Navy

• Leads Nerdery’s efforts across product development, design/UI, engineering, and technology operations

• United States Naval Academy graduate

• Master’s Degree in Environment Science and Management from the University of Rhode Island

• Key Stakeholder in projects for: State of Minnesota, Verizon, United Health Group, The Department of the Navy, Medtronic, 3M, Google, and Boston Scientific

Skills: Service Design, Transition, and Operation; Multi-Partner & High Risk Engagements; Digital Change Management; Product Management; Agile Methodology


NOAH KUNIN, Business Consultant (Compliance & Security Leader)

• Over 15 years as a technologist, including 8 years with the US Government, where his work included the development of cloud.gov

• Significant contributor to FedRAMP initiatives and implementing the Trusted Internet Connection (TIC) policy in the cloud

• Founding Member of the Consumer Financial Protection Bureau’s (CFPB) Technology Team, serving as a Technology Portfolio Manager

• Founding Member of 18F, the General Services Administration’s (GSA) government-wide digital agency, serving as the Infrastructure Director

Skills: Regulatory Compliance; Information Security Best Practice Implementation; Risk Management; Government Procurement; Cloud Data Management


CHAD DVORACEK, Data Architect (Data Services Leader)

• Domain lead for Data Services at The Nerdery

• Directed the evolution and growth of the data services best practices for clients 3M and Infor

• Domain expert providing thought leadership for industry growth as a key presenter at MinneAnalytics and Device Talks Minnesota

• Master of Science in Data Science from the University of St. Thomas

• Graduate Certificate in Big Data

Skills: Cloud Architecture; Big Data & Distributed Systems; Data Warehouse; Data Analysis & Visualization; Data Mining & Machine Learning


BRANDON VEBER, Data Scientist (Data Science Leader)

• Leads the Data Science practice, focusing on enhancing The Nerdery’s capabilities in record linkage, algorithmic transparency, record masking, predictive modeling, etc.

• Lead on many customer projects aimed at reducing manufacturing waste through the evaluation and implementation of machine learning

• Author of numerous data science publications

• Master of Electrical Engineering with a specialization in Machine Learning

Skills: Data De-identification & Masking; Data Evaluation & Visualization; Data Transformation & Record Linkage; Signal Processing & Relational Database; Predictive Modeling & Trend Analysis

Awards:

• Minnesota Neuromodulation Symposium 2015 Best Poster Award, “Reliable Seizure Prediction Using EEG Data”

• BICB Symposium 2014 Best Poster Award, “A new method for prediction of epileptic seizures from EEG data”


ADRIAN SLOBIN, Chief Strategy & Operations Officer (Delivery Leader)

• 17 years at SapientNitro (now Sapient Razorfish) leading strategy and, most recently, serving as North American head of business transformation services

• Worked with Fortune 100 clients in retail, CPG, healthcare, automotive, financial services, restaurants and telecommunications

• Adrian has spoken publicly about the future of retail banking, marketing and analytics, and has been quoted by a number of publications, including Ad Age and NPR Marketplace

• Master’s Degree in Philosophy from Northwestern University

Skills: Business and Digital Strategy; Complex Delivery; Qualitative Research; Organizational Change


STRATEGIC ADVANTAGES

• Nationally recognised (CEDS) data schema

• Holistic security architecture

• Extensible solution

• Best-of-breed tools today and in the future

• Leadership, expertise, and capability

Purpose-built for the State of Arizona's Office of Economic Opportunity.


AZRamp – Cloud Assurance Program

Owen Zorge, State Compliance and Privacy Officer


Equifax Breach

• 145.5 Million consumers affected

• $200 - $300 Million cost estimate after insurance

• Total $4 Billion company value loss

• Preventable

  – Apache Struts patch available 2 months prior to breach

  – Encryption of sensitive data

    • Personally Identifiable Information

    • Protected Health Information


Equifax CEO


State of Arizona IT Security Policies

• 17 policies

  – Based on National Institute of Standards and Technology (NIST) Publication 800-53 Revision 4

• Data Classification

• System Security Acquisition and Development

• Incident Response Planning

• Media Protection

• Personnel Security Controls

• System Security Audit

• System Privacy


Data Classification

Data Classification: Data created, stored, processed or transmitted on agency information systems shall be classified according to the impact to the state or citizens resulting from the disclosure, modification, breach or destruction of the data.

Identification: All data shall be identified as one of the following data classifications:

a. Confidential; or

b. Public (data that is not identified is assumed to be Public).


Confidential Classification

• Confidential Data: Data that shall be protected from unauthorized disclosure based on laws, regulations, and other legal agreements. Examples are included in the policy.

  – Protected Health Information (PHI)

    • All vendors required to sign a Business Associate Agreement (BAA) for processing, transmitting and storing PHI

  – Personally Identifiable Information (PII)

    • Names, Social Security Numbers, Dates of Birth, etc.

  – Individual Financial Account Data

    • Payment Card Industry (PCI)

• (P) Policy statements preceded by “(P)” are required for agency information systems categorized as Protected.


Public Classification

• Public Data: In accordance with Arizona public records law, data that may be released to the public and requires no additional levels of protection from unauthorized disclosure.


AZRamp - Cloud Baseline Security Controls

• Based on NIST 800-53 Rev 4 controls.

• Used to evaluate Infrastructure as a Service (IaaS) and Platform as a Service (PaaS).

• Three levels of control assessment:

  – AZ Mandatory Control Baseline: 35 Controls

    • For RFP and other processes to assess multiple vendors

    • For public facing data and websites

  – NIST Low Control Baseline: 125 Controls

    • For Data Classification Category: Public

  – NIST Moderate Control Baseline: 325 Controls

    • For Data Classification Category: Confidential


Federal Risk and Authorization Management Program (FedRAMP)

• FedRAMP Marketplace: Vendors with Authority to Operate

  – IaaS, PaaS, SaaS

  – Low, Moderate, High

• ASET Enterprise Security reviews the System Security Plan of vendors who have FedRAMP Authority to Operate

• Vendors using an already approved AZRamp IaaS

  – Signed letter on letterhead from the approved IaaS/PaaS/SaaS stating vendor is customer

  – Signed letter on letterhead from vendor stating State data and services will be hosted in the approved IaaS environment


Credit: Albert Barron, IBM


Administrative Controls

• State Procurement Office (SPO)

  – Mandatory Baseline Controls (35) for all multi-vendor procurement actions

  – AZRamp Low or Moderate review required based on Data Classification

  – IT Security Contract Language

    • Required to comply with AZ IT Security Policies & Standards

    • Requirement to allow assessment (penetration testing and vulnerability assessment)

• ASET Oversight

  – Project Investment Justification (PIJ): All IT projects exceeding $25,000 must be approved through the PIJ process.

• Statewide Information Security Officers (ISO) and Privacy Officers


Information Privacy

• Health Insurance Portability and Accountability Act (HIPAA): www.hhs.gov/hipaa/index.html

  – Do you process or store Protected Health Information (PHI)?

• Payment Card Industry Data Security Standard (PCI DSS): www.pcisecuritystandards.org

  – Do you process or store any Payment Card information?

• Personally Identifiable Information (PII): NIST SP 800-122, www.nist.gov/publications/guide-protecting-confidentiality-personally-identifiable-information-pii

  – Do you process or store names, addresses, SSNs, Date of Birth, etc.?


Owen Zorge

State Compliance and Privacy Officer

Arizona Department of Administration (ADOA)

Arizona Strategic Enterprise Technology (ASET)

Office: (602) 542-0742

Cell: (602) 620-2932

[email protected]

aset.az.gov

Questions