Letter From the Chair
Hello, NALIT members!
On behalf of the NALIT executive committee—Soren Jacobsen, vice chair; Nate Rohan, secretary/newsletter editor; Cindy O’Dell, past chair; and directors Dave Burhop, Guillermo Cordon, Michael Norris, Michael Ganesan, DeLynn VanDriel, Dave Warycha and myself—I hope this newsletter finds you and your families healthy. I have enjoyed the opportunity to serve NALIT over the last three years. This year has been especially challenging due to the COVID-19 restrictions we have seen nationwide. We are disappointed that, due to the many social distancing mandates, NALIT meetings will be different this year.
As you know, NCSL has announced that it is postponing the 2020 Legislative Summit that was scheduled for Aug. 10-13 in Indianapolis. This decision was made jointly by legislative leaders in the Indiana General Assembly and NCSL leadership. It is sad because so many people had worked hard to create a great meeting, but such a large gathering is just not feasible at present. It is especially sad for me, as I was the host for NALIT events, and I was eager to share my beautiful city with you. Happily, we were able to reschedule the Legislative Summit in Indianapolis to 2023 and I look forward to hosting you then.
After careful review, the NALIT executive committee made some tough decisions. We discussed the challenges that the NALIT officers have had this year in serving the association. Usually, the chair and vice chair travel to NCSL Legislative Staff Coordinating Committee meetings to represent NALIT, and our annual business meeting has always been held at the Legislative Summit. Unfortunately, almost all of these physical meetings were cancelled for the year. We feel it is important to maintain the continuity of the association until we can meet in person again. Because of these factors, we decided to delay the NALIT annual election and business meeting until 2021. All members of the executive committee, including the chair, vice chair and secretary, will remain in their positions until we can meet next year at the Legislative Summit in Chicago.
We also decided to postpone the 2020 NALIT Professional Development Seminar, scheduled for October in Madison, Wisc., to Oct. 3-7, 2021. We are grateful to the Wisconsin host committee for being flexible with us in delaying the meeting.
In the meantime, our 2020 goal is to bring you a new online newsletter and numerous professional development opportunities via webinars and Zoom!
Beginning in July, we will present a series of virtual events that include discussions of technical issues important to legislative IT and a few of the sessions that NALIT members find most valuable at our annual Professional Development Seminar, including “5 Minutes of Fame” and the legislative showcases. Please check our calendar of virtual events for more information.
As you can see, the NALIT newsletter has an updated look and will now be available online. Our goal is to release articles on a regular basis instead of periodically. I hope that you will enjoy the “NALIT News” and that you will submit articles on technology innovations, new applications you are developing and other items of interest to your peers.
As your chair, it has been a pleasure serving you and the executive committee, and I hope that we can help to provide you with the best possible programming for the coming year.
Thank you for all you do!
Chief Technology/Security Officer
Office of Technology Services
Indiana Legislative Services Agency
Upcoming Interactive Webinars and Meetings
The National Association of Legislative Information Technology (NALIT) will be presenting a multi-part series of interactive webinars and virtual meetings—beginning in July—geared toward legislative information technology issues.
The series will begin with two sessions: “Remote/Virtual Meetings: Comparing the Software; Allowing Testimony” on July 9 and “Voting and Chamber Systems: What Technology Are We Using Now?” on July 23. Subsequent sessions will include discussions on budget issues and security, demonstrations of peer applications and roundtables to talk with industry colleagues. There will also be a webinar later this fall on demystifying the dark web.
These sessions will feature legislative staff, NCSL staff and other experts. Participants will have the opportunity to share what is happening in their state and ask questions.
For more information and to register, please visit NALIT’s virtual meetings series website.
Document Workflow Systems
By: Chris Sewell (Wisconsin)
The Legislative Technology Services Bureau has been making an extra effort in the last year to help various legislative groups make more sense of their document-driven processes.
It has become very clear to us that traditional shared network drives can be very limited when customers are looking to do more dynamic file sharing and editing. In a small office with a small team, it is rather straightforward to operate using a printed paper process. A document is passed between colleagues, marked up, edited, finalized and archived. Trying to do the same when there are several tiers of complexity, physical barriers, deadlines, approvals, the rigors of parliamentary procedure and so on can be extremely difficult.
Applying the same type of workflow to a digital document on a traditional file share is also cumbersome. Staff members need to agree on a file organization structure, naming conventions, work assignments and other considerations. E-mailing documents creates more of an audit trail, but it also has the potential to create several versions of documents stored in several different locations. There's also no guarantee staff will remember to CC everyone who may have a stake in the document.
Many of the groups the Legislative Technology Services Bureau supports have made attempts to add efficiency and controls to their document creation process and have come up with some novel solutions. These include systems of stickers and labels, and having staff members whose primary function is to control the physical document flow. None of these concepts is very efficient.
Long ago, in an attempt to gain efficiency and improve organization, we built an application to serve one very specific purpose: bill drafting and publishing. The application has evolved into a very sophisticated tool which accomplishes one specific task extremely well. What happens when a smaller group in the Legislature wants to transition their non-bill-related document management process into a digital form the LTSB can support and maintain? We can't spin off different versions of the bill drafting system to meet each sub-group's needs, because the Legislative Audit Bureau's needs are vastly different from those of the Joint Committee on Finance. We unfortunately do not have the capacity to custom build new systems to meet each specific need.
Because of this, the Legislative Technology Services Bureau spent many hours researching electronic document management systems and landed on one which seemed to be the best fit.
M-Files is an advanced and highly customizable metadata- and workflow-driven document management system which can be rapidly and easily adapted to smaller sub-groups of the Legislature. So far, we've been able to digitize a wide variety of document workflows, which include: an accounts payable and invoicing system, a multi-office budget request workflow, a system to assign work to book and document travel for auditors, and a human resource personnel file and employee evaluation workflow. We have several more specific processes we plan to automate and modernize. M-Files is extremely flexible and we've yet to come across a document workflow we can't model in the application.
By: Terri Clark, Director of Technical Services, Kansas
A cyber range is a network testing environment that can be configured to simulate an organization’s network. When simulated attacks are launched against the test environment, a team must detect the attack, then isolate and mitigate it.
The test environment includes the network routing and switching, internet gateways and access, firewalls, servers, applications, and databases. Different attacks can be launched to simulate real-world scenarios, such as ransomware, denial of service, and SQL injection.
During an exercise, the instructor launches an attack on the testing environment. The users are coached on how to detect the attack, then determine the scope and impact of the attack. The exercise then moves into methods to contain the attack and restore services as quickly as possible, without destroying critical evidence. The final step is correcting the configuration that allowed the attack to launch. Following the exercise, instructors lead the team through an analysis of the exercise to identify the team’s strengths and areas for future training.
The NCSL Cybersecurity Task Force has investigated cyber range training as one aspect of security training for state government IT staff, including presentations from IBM’s X-Force Command cyber range in Cambridge, MA and the Nashville Cyber Range. In an onsite cyber range, user workstations are equipped with computers and telephones, and multiple displays in the room allow everyone to monitor the activity. Cloud-based cyber ranges allow users to access the cyber range remotely from their location. The users are responsible for setting up their location to easily share information, such as using projectors to display computer desktops, so everyone can monitor the activities. Instructors can be either onsite or remote and communicate with the users via telephone. While there are similarities between the two, there are also key differences.
The onsite cyber range exercise is comprehensive and addresses all aspects of a security incident. The physical facility can accommodate a larger group of users and multiple instructors. Each user’s desk includes a computer and telephone, and the large displays make it easy for everyone to follow the activities of different users. Instructors can easily pause the exercise at critical points for discussion and training. Once the simulated attack is launched, telephones begin ringing and the news stations broadcast reports of the attack. System administrators begin receiving emails from users about application problems. This creates a realistic atmosphere and adds to the general sense of urgency and panic in the room. Learning to manage the panic is critical to an effective response.
Team roles include:
- Executives: receive reports on attack, determine media response.
- Legal: determine how/when to engage law enforcement, liability issues around a data breach.
- Communications Specialist: respond to media inquiries, manage media onsite, manage social media response.
- End Users: test status of applications and services, report problems.
- Network, Firewall, and System Administrators: detect the attack, then isolate and mitigate the attack.
- Team Lead: leads the team through the attack; an instructor filled this role.
The classroom experience is able to provide training on all aspects of a security incident. The expanded roles the Executives, Legal, and Communication Specialist play in the incident response can be surprising. Once the technical problem is mitigated, the bulk of the work related to the incident is handled by these groups.
Cloud-based cyber range exercises are designed for 10 students and two instructors. The focus of this exercise is on coaching the technical team through an attack. During a recent exercise in Kansas, the team was located in one room and used a projector to display user activity. The instructor followed the team actions online and provided coaching throughout the exercise. At different points in the exercise, notes were made to report to legislative leadership or the legal team, even though these groups weren’t actively participating. One important lesson learned is that in the rush to restore services, the evidence of how the attack was done can be erased. If the underlying problems aren’t corrected, the attacker will simply launch another attack. Taking time to understand the attack may delay restoring services but will better protect the organization in the long run.
Both the onsite and remote cyber ranges are designed to provide periodic training sessions to develop and hone a team’s incident response skills over time. While the onsite facility cyber range provided the most comprehensive training, it can be expensive to send a team onsite for training. Taking advantage of remote training provides value for a technical team and introduces the skills needed for effective incident response. Regardless of the delivery method, incident response training will benefit an organization by improving users’ confidence in detecting and responding to incidents and reducing the impact of an attack.