The State of Michigan, through the Department of Technology, Management, and Budget (DTMB), required a vendor to assess the information technology (IT) security environment and controls. The contract included each State of Michigan selected Friend of Court (FOC) and Prosecuting Attorney (PA) offices to ensure controls are in place to safeguard Title IV-D child support data.
Perform an independent assessment of each FOC and PA office for over 50 counties in Michigan by September 30, 2022, with a project start date of mid-January 2022. The project includes providing consistent county-level assessments and reports on the security findings of the county-managed IT systems and environments, a comprehensive statewide summary report, and remediation advisory services for the remainder of the three-year contract. Also, this contract consisted of performing vulnerability scans of each County’s environment.
Dewpoint deployed a team consisting of our Chief Information Security Officer (CISO), Security architect, Sr. Project manager, business analyst, and technical writer. Our team utilized the Center for Internet Security (CIS) Controls Self-Assessment Tool (CSAT) platform V8.0 to ensure consistency throughout the project. We created an organizational structure within its instance to record each County’s assessment results, a roll-up of findings, and provide long-term tracking.
Our team used a consistent, repeatable process for the assessments:
Successfully completed baseline review for all 50+ counties. Dewpoint provided an initial assessment report and improvement recommendations to increase its IT security posture. We are now moving into the next phase of setting up monthly meetings with the counties to review progress towards addressing items in their POAM and also provide consulting on areas that may be challenging to the County in its understanding of and implementing the cybersecurity improvements.
We are currently completing the comprehensive statewide report showing results by each entity in an easy-to-view format for the initial IT security maturity. This report allows the state to view which CSAT control is scoring consistently high and those scoring consistently low across all the counties to make improvements.