Case Study | 2022

State of Michigan

Cybersecurity Assessment and Advisory Services

Environment

The State of Michigan, through the Department of Technology, Management, and Budget (DTMB), required a vendor to assess the information technology (IT) security environment and controls. The contract covered each Friend of Court (FOC) and Prosecuting Attorney (PA) office selected by the State of Michigan, to ensure that controls are in place to safeguard Title IV-D child support data.

Challenge

Perform an independent assessment of each FOC and PA office for over 50 counties in Michigan by September 30, 2022, with a project start date of mid-January 2022. The project includes providing consistent county-level assessments and reports on the security findings of the county-managed IT systems and environments, a comprehensive statewide summary report, and remediation advisory services for the remainder of the three-year contract. The contract also included performing vulnerability scans of each County’s environment.

Solution

Dewpoint deployed a team consisting of our Chief Information Security Officer (CISO), Security Architect, Sr. Project Manager, Business Analyst, and Technical Writer. Our team utilized the Center for Internet Security (CIS) Controls Self-Assessment Tool (CSAT) platform V8.0 to ensure consistency throughout the project. Within the CSAT instance, we created an organizational structure to record each County’s assessment results, roll up findings, and provide long-term tracking.

Our team used a consistent, repeatable process for the assessments:

  • Sent a Pre-Assessment Questionnaire to the FOC and PA office to provide background on the entity’s security posture before performing interviews
  • Reviewed current IT security policies, processes, and procedures
  • Reviewed supporting data and documentation, including any recommendations implemented from prior IT security assessments (if applicable)
  • Held interviews with key stakeholders
  • Utilized the CSAT portal to measure the organization’s security posture against the CIS Critical Security Controls through inputs gathered above
  • Worked with the County to develop a Cybersecurity Improvement Plan of Action and Milestones (POAM), identifying priority actions to complete in the coming 24 months and other lesser priority activities that have a longer time horizon
  • Uploaded the findings into the State instance of the CIS CSAT tool and SharePoint site

Results

We successfully completed the baseline review for all 50+ counties. Dewpoint provided an initial assessment report and improvement recommendations to strengthen each County’s IT security posture. We are now moving into the next phase: setting up monthly meetings with the counties to review progress on the items in their POAM and to provide consulting on areas where a County may find it challenging to understand or implement the cybersecurity improvements.

We are currently completing the comprehensive statewide report, which shows each entity’s initial IT security maturity results in an easy-to-view format. This report allows the State to see which CSAT controls score consistently high and which score consistently low across all the counties, so that improvements can be made.

Key Statistics

  • Assessed 50+ FOC and PA Offices
  • Developed POAM to improve the cybersecurity posture
  • Size and scale of the project required in-depth project management oversight to complete within the timeframe
