Roadmap to Michigan's Government Strategic Security Plan

Back in January, we released our Michigan Strategic Security Plan for 2007-2010. This plan lays out our enterprise-wide security roadmap for Michigan State Government for the next four years.

In early 2003, we developed a document in Michigan which we didn't share with the public, called the Secure Michigan Initiative, or SMI for short. That extensive framework was basically a traditional "as is, to be, gap analysis" security document which mapped out many of the items NIST now recommends on its public and private practices website, and some of what are now the NIST 800-series recommendations. Still, many of those recommendations and the FISMA guidance didn't exist back in 2002 when we were building our original framework, so it wasn't as extensive.

This time we deliberately took a different approach. This plan is much shorter and more specific, with more deliverables and timeframes, and it addresses weaknesses that the auditors have kindly pointed out to us. We focused on our customers and made the plan more readable for the business side.

The executive summary version of this plan is available to the public, and you can access it from the security section of our Michigan DIT website.

Here’s a quick outline of the topics we cover: 

• Vision of Action – Messages from the CIO and CISO
• Vision & Guiding Principles
• Collaboration as the Centerpiece
• Enterprise Information Security Framework
• Agency Security Plan Development
• Privacy Project
• Risk Reduction
• Business Continuity
• Training & Culture
• Michigan Enterprise Security Future

Many federal, state and local governments have asked us for copies of our plan, and we're already receiving excellent feedback on our approach. Of course there are many ways to do a Strategic Technology Plan, and we don't pretend to know what's best for you.

My only advice on this topic for CSOs and CISOs: it can be hard to get everyone on board, but just do it. Get a plan in place and execute it. Otherwise, you'll always be chasing the latest security fires.

Copyright © 2007 IDG Communications, Inc.