11 - Administration & Information Technology
The Administration Department is responsible for providing Division of Insurance employees with various operational and administrative services. It ensures that other departments have the necessary resources to carry out the regulatory mission of the agency.
The Information Technology Department provides technical service and support to the Division. It ensures that IT initiatives have clear business goals and success metrics that align with, and fully support, the Division's strategic mission. The Department also ensures the protection of IT assets and the integrity, security and privacy of information entrusted to or maintained by the Division. Finally, the Department develops and manages the implementation of the Division's custom applications.
The Administration Department's mission is to ensure:
- The availability of adequate funding to carry out the Division mission
- The efficient, accurate and secure receipt of revenue associated with fees, fines and assessments
- Communication of and compliance with federal, state and collective bargaining labor requirements.
- The availability of knowledgeable, motivated and trained human resources capable of carrying out the Division mission
- The timely payment of all Division fiscal obligations
- The best value procurement of goods and services
- The safety and security of employees, visitors and property
- A comfortable work environment for employees and visitors
The Information Technology Department's mission is to:
- Support the mission, goals and objectives of the Division, and provide efficient and useful services and technology to the Division's internal user community, as well as to external constituents
- Provide effective, reliable and responsive hardware, software, networking infrastructure, support services and development
- Provide quality services to our user community
- Strive for excellence and customer satisfaction in our networking, helpdesk, systems development and consulting endeavors. Perform our duties with a proactive approach and a "can do" attitude
- Constantly improve on the Division's investment in technology by: safeguarding technology assets; expanding technical knowledge and skills; working cooperatively with business partners and users; and leveraging available State and NAIC technologies
11.2 2009 Goals
Spearhead the agency's relocation from 1 South Station to new office space. Work with the Division of Capital Asset Management (DCAM) to draft an RFR for leased space. Select a new building and finalize floor plans, building amenities and finishes. Coordinate the purchase of new furniture and the surplus of old furniture, identify audio visual and high density file system needs, and coordinate installation with vendors. Ensure smooth consolidation of the Division's Information Technology personnel into the Executive Office of Housing and Economic Development IT department. Lead an internal working group to communicate information pertaining to the move to Division staff.
Complete billing of assessments according to timelines so as to ensure collection of all open receivables before year-end and compliance with state Comptroller guidelines and Division internal control plan.
Collect all revenue in a timely and accurate way and ensure compliance with state comptroller guidelines and Division internal control plan.
Complete all hiring and staffing requests in a timely way so as to ensure available human resources to carry out the Division mission.
Guide agency users in drafting and issuing Requests for Responses for various needed professional services. Assist in evaluating and selecting vendors. Ensure procurements are completed in compliance with Operational Services Division requirements.
Implement Executive Order 504 Security Standards.
Validate compliance with Payment Card Industry Data Security Standards (PCI DSS) by April 30, 2009.
Select and implement a service desk management tool to improve the IT Department's user support.
Complete NAIC Accreditation Exercise.
Implement Executive Order 510 to consolidate IT services at the Executive Office of Housing and Economic Development.
11.3 Primary Activities
IT Benchmark Project - Preparations for Consolidation Effort
In early 2009, the Division participated in an exercise known as the IT Benchmark Project. The Commonwealth engaged a consultant, The Hackett Group, to undertake a statewide analysis of IT operations. The objectives were to:
- Establish a baseline of Commonwealth IT spending and staffing
- Compare the Commonwealth's IT functions to peer groups and "world class" IT organizations
- Provide a balanced, qualitative perspective through Executive interviews and comprehensive stakeholder surveys
- Develop improvement recommendations to achieve and maintain world class performance
The benchmark project marked the commencement of what would become a multi-year project to consolidate IT operations across the Commonwealth. The Administration Department and IT Department dedicated considerable efforts to this project in the early part of 2009 and work continues into 2010.
IT Consolidation and Executive Order 510
Executive Order 510 Regarding the Enhancement of the Efficiency and Effectiveness of the Information Technology was signed by Governor Patrick on February 20, 2009 and mandated that certain IT services be consolidated at the Commonwealth or Secretariat levels. The consolidation effort aimed to align Secretariat IT resources with their business strategies and priorities; standardize IT resources and create efficiencies; and ensure that the Commonwealth's digital resource assets are secure.
After the issuance of the Executive Order, the members of the Administration Department and the IT Department joined a mobilized group of Secretariat representatives to implement the directive. The groups dedicated hundreds of hours to analyzing the Secretariat's IT infrastructure in the areas of help desk services, desktop and LAN services, website information architecture and application services. The IT Consolidation Working Group successfully drafted a comprehensive Secretariat IT Consolidation Plan, which identified the current state of the selected IT services, the intended future state, and the major activities that must be completed to realize the intended future state. The plan also provides guidelines for supporting domains such as governance, organizational development, communications, and budget & finance.
Compliance with Executive Order 504, Security and Confidentiality of Personal Information
In September 2008, Governor Deval Patrick signed Executive Order 504 (EO504) regarding the Security and Confidentiality of Personal Information. The order requires Executive Office agencies to adopt and implement the maximum feasible measures reasonably needed to ensure the security, confidentiality and integrity of personal information, as defined in Chapter 93H, and personal data, as defined in Massachusetts General Laws Chapter 66A, maintained by state agencies. Under the state law, the Division must develop, implement and maintain written information security programs governing the division's collection, use, dissemination, storage, retention and destruction of personal information.
The programs must ensure that the Division:
- Collect the minimum quantity of personal information needed to accomplish the legitimate purpose for which the information is collected
- Securely store and protect the information against unauthorized access, destruction, use, modification, disclosure or loss
- Provide access to and disseminate the information only to those persons and entities who reasonably require the information to perform their duties
- Destroy the information as soon as it is no longer needed or required to be maintained by state or federal retention requirements
- Address, without limitation, administrative, technical and physical safeguards, and comply with all federal and state privacy and information security laws and regulations
In 2009, the Division's Information Security Officer (ISO), Joseph Murphy, directed the effort to comply with EO504. In May, the ISO, along with the IT Director, legal counsel and the Deputy Commissioner of Administration, worked to finalize the agency's submission of the Information Security Plan and the Electronic Security Plan to the Information Technology Division (ITD). These plans are the first step in developing an information security program that governs the collection, use, dissemination, storage, retention and destruction of personal information within the Division.
During the summer of 2009, the Working Group developed a training program on EO504 to deliver to all Division personnel and contractors. The training was implemented by the September 2009 deadline established by ITD. Furthermore, the Working Group finalized the Self Audit Questionnaire which identifies the agency's compliance with laws, regulations, policies and standards concerning securing confidential and personal information.
After taking all remedial actions recommended by the ITD security team and after a careful review of the Division's submission to the ITD Enterprise Security Board, the Division received a pass mark and was found to be compliant with Executive Order 504.
Relocation of Agency to New Leased Space
In the fall of 2008, the Deputy Commissioner of Administration and representatives from the Division of Banks, the Department of Public Utilities, the Department of Telecommunications and Cable and the Division of Professional Licensure, began working with a project manager from the Department of Capital Asset Management (DCAM) to define space requirements for the issuance of a Request for Responses for leased space. The agencies, three of which are located at One South Station in Boston, were anticipating the expiration of their current leases in the summer of 2009. By early 2009, the agencies had issued the RFR and received numerous responses. In January, work commenced to solicit clarifications from the bidders and compile a cost analysis for each proposed building.
The team selected a building situated at 1000 Washington Street, Boston. Over the ensuing months of 2009, the team reviewed lease language and floor plans, and selected furnishings, audio visual equipment, and file systems, all with the goal of improving the working environment for staff and the facility amenities for visitors.
As the move date of March 20, 2010 approached, the Administration Department finalized seating plans, and surplused unnecessary furniture and assets.
The move also required enormous planning within the IT department, including:
- Reengineering of the consolidated EOHED IT environment
- Consolidation of server systems by virtualization
- Decommissioning and retirement of old telecommunication systems and replacement with cutting-edge Voice over Internet Protocol (VoIP) systems
- Upgrade of the Audio Visual systems and electronic signage in Hearing Rooms and conference rooms
- Improved physical security in and around the new data center
- Replacement of computer peripherals such as copiers, printers and faxes for the Division
The Administration Department was a participant in a project to certify that the agency is compliant with payment card industry data security standards (PCI DSS). PCI DSS is a mandatory compliance program of the major credit card associations (Visa, MasterCard, American Express, Discover) to create common industry security requirements for cardholder data. These standards include requirements for security management, policies, procedures, network architecture, software design and other critical measures to ensure the safe handling of sensitive credit card information.
In 2008, the Office of the Comptroller and the Information Technology Division issued a memo directing departments that accept credit card payments to validate PCI Data Security Standard compliance no later than April 30, 2009. While the Division does not currently accept credit card payments for any of its fee processing, it does accept online payments via ACH. Despite being exempt from the requirement, the Division opted to contract with a PCI compliance vendor to review and test the security standards employed by the agency. This exercise was both rigorous and thorough. The consultant delivered a Readiness Review report which identified the remediation necessary for PCI compliance validation. The Division followed through with the recommendations to improve and tighten overall security. This, in essence, reduces the chances of experiencing security breaches, fraud, and potentially catastrophic financial losses, penalties, and loss of public trust.
IT Service Desk Tool
The Division is committed to adopting and deploying cutting-edge technological solutions to streamline business processes, maximize efficiencies, improve productivity and consolidate its strategic advantage. HelpSTAR was identified as a compelling service desk management tool that provides effective relief and optimized efficiency for the IT service desk. With its rich out-of-the-box functionality and productive user interface, HelpSTAR improved the IT Department's support of end users and enhanced users' interactions with technology. HelpSTAR equipped the Division's IT Service Desk with the tools necessary to address ITIL processes for best-practice service management, including:
- Problem Management and Incident Management
- Change Management
- Knowledgebase Management
- Service Level Agreements (SLA)
- Asset Management including License Compliance
- Reporting and Data Analysis capabilities for strategic management and quality improvement
Today, HelpSTAR is delivering a streamlined process, saving labor, producing better reports and helping the hard-working support team at the Division keep up with crunch times.
In 2009, the Administration Department coordinated a number of in-house training sessions for agency employees, including diversity training for all managers entitled "Managing Multiple Generations: the New Diversity" and "Procurement Basics". In addition, Administration Department personnel received specialized training in the areas of the Family and Medical Leave Act (FMLA), Comm-PASS Quick Quotes, and the annual Security Officer training.
In 2009, the Administration Department was a key contributor to the Procurement Management Team responsible for the development and issuance of a Request for Responses for Producer Testing Services. The PMT evaluated bids and awarded the multiyear contract to Prometric.
A number of other RFRs were issued and awarded in 2009 including:
- RFR-2008-DOI-003 Legal Services for Counsel and Representation in Regard to Rehabilitation, Conservation and Liquidation of Certain Regulated Insurers. The RFR was evaluated and several law firms were pre-qualified as vendors
- RFR-2002-DOI-007 Market Conduct Services. The RFR was re-opened for new bids and revised cost proposals
The Administration Department drafted the agency's Diversity Plan and Affirmative Action Plan as required by the Office of Diversity and Equal Opportunity.