DIR Shared Technology Services Lorie Ramirez Customer Service

DIR Shared Technology Services Lorie Ramirez Customer Service Operations Division Director DIR Technology Forum October 9, 2018

Agenda 1 Introduction 2 DIR Shared Technology Services 3 Exploring the Service Offerings 4 Multi-sourcing Services Integrator 5 Enhancing the Customer Experience 6 Questions

DIR Shared Technology Services

DIR Information Technology Services • • “Outsource” • • • “Do it Yourself IT” pre- IT Strategic Planning Information Security Enterprise Solution Services Strategic Outsourcing Data Center Infrastructure Bulk Print Mail Managed Applications Managed Security Texas. gov Services negotiated master contracts for goods and services Policy and Planning Cooperative Contracts Shared Technology Services Bulk Purchasing Leverage “Known” volume for additional statewide price discounts

What are Shared Technology Services? A new strategic approach to simplify the way customer agencies access the technology services they consume by leveraging a single orchestration layer (digital MSI function) for all program services.

Shared Technology Services Goals • Enable agencies to modernize their IT environments • Develop and deploy new services and solutions • Extend the reach of the shared technology services program based on business needs and values to all eligible customers • Optimize and integrate delivery of IT services Benefits To: Relevance To: Our Customers Customer Service Efficiency Agility

Shared Technology Services Model Customers State Agency Local Government Higher Education DIR Sourcing Management & Governance Retained ITIntegrator Organization(MSI) - Capgemini Multi-sourcing Services Marketplace IT Business Mgmt Service Mgmt Operations Mgmt DCS Atos • Server • Mainframe • Network • Data Center Xerox • Print Mail Texas. gov Deloitte • Texas. gov Services NIC • Payment Services MAS DXC/Perspecta • Application Development • Applications Maintenance Allied • Application Rate Card DIR Shared Services MSS AT&T • Device Management • Incident Response • Risk & Compliance Other Open Data Portal Other New Services

Data Center Services

Data Center Services – Vision • Today’s Data Center Services program is based on 2005 legislation directing state agencies to share technology infrastructure. Goals for the Legislation include: • Consolidate and Modernize IT Infrastructure • Strengthen Security • Enhance Disaster Recovery • Manage Costs while Promoting Quality • Responsive to the diverse requirements of Texas agencies • DCS services built for government’s unique needs • CJIS Security • Employee Background Checks • Detailed chargeback to specific programs and funding sources • A collaborative and flexible program where DCS Customers participate in governance, including setting standards and strategic direction

DCS Customers 50 DCS Customers ‐ 27 Legislatively Identified Customers 23 Additional Customers Server Management, MF, Remote File, DRaa. S, O 365, Texas Imagery, Print/Mail Texas Higher Education Coordinating Board

Data Center Services SERVER- STATE PRIVATE CLOUD 7500 Servers 3+ petabytes online ; 38 petabytes stored Capacity on demand Automated Data Backup Software Currency Fully Managed and Semi Managed Services Disaster Recovery with various RTOs Auto‐provisioning via Marketplace Transformed 40 legacy DC and 300 remote centers across the state ü CJIS Compliant Security ü ü ü ü ü SERVER – GOVT PUBLIC CLOUD Cloud 49 ü Integrate State Data Center with Amazon and MS Azure Cloud Providers ü DCS Assurances and Security ü Self Provisioning via Market Place ü Fully Managed and Semi Managed Services ü ITIL Service Management Processes MAINFRAME SERVICES ü ü 330, 000 batch jobs/month 6, 000 MIPS Optimized Performance Upgraded Storage and Tape BULK PRINT AND MAIL SERVICES ü ü ü ü ü 230 M pages/year printed 19 M pieces/month mailed Secure Print Impressions Address Cleansing & Mail Insertion Print to insert to mail closed loop tracking Only pay for the amount of services used. No capital investment in HW or SW CJIS Compliant Security Leverages DCS Facility and Disaster Recovery NETWORK and SECURITY ü Enhanced Disaster Recovery ü Enhanced Intrusion Detection & Prevention DATA CENTER FACILITY ü 72, 000 Square Feet ü Two facilities, providing self‐ supporting disaster recovery ü Tier III facility ü Robust, industry‐standard security and facility management ü 24 X 7 X 365 Management and Support

Print & Mail Overview - Xerox • Xerox provides bulk Print & Mail services including Transactional Printing and Intelligent Mail Inserting. • Xerox currently supports numerous state agencies ‐ printing over 394 million pages and mailing over 57. 6 million pieces annually ‐ in a state of the art Print & Mail facility that is operated seven days a week, 24 hours a day.

• • • Transactional Printing Intelligent Mail Inserting (Folding/BRE) Address Cleansing Workflow Design, Dev, Test, Implementation Closed Loop Tracking Courier Service Disaster Recovery Leverage DCS Facilities 24 x 7 x 365 Support Postage Savings to Agencies Optional Services Base services Print & Mail Services - Xerox • • • Procurement of Custom Envelopes Image Delivered Only (PDF) Fast Forward Service (via USPS) Manual Insertions Marketing & Transactional Color Transactional printing refers to the production of bills, statements, invoices, checks, insurance policies, and other informational documents with content unique to each recipient. Intelligent Mail Inserting uses intelligent mail production equipment when inserting direct mail components into an envelope.

Managed Application Services Helping Customers modernize legacy Applications

Managed Application Services (MAS) is a program comprised of three Service Components, each with distinct statements of work. DCS Customers may request services to provide application remediation, transformation, development, and/or maintenance work efforts. Three different service approaches are available, with each service providing appropriate resource staffing to meet customer needs: Application Rate Card Services • Resources allows customers to select application resources by skill set Service Provider Allied Consultants Application Development Application Maintenance • Services support milestone ‐based customer development and modernization efforts • Fixed‐cost services are delivered based on customer‐defined requirements and project specifications Service Provider Perspecta/DXC Service Provider Perspecta/DCX

Managed Application Services (MAS) – cont’d Application Services Rate Card Resources Application Maintenance Application Development App skill set capabilities Production support Architecture strategy and design On demand resourcing Contractor consolidation Need Tactical Application maintenance Break/Fix Application development and testing Minor enhancements System integration Strategic Sourcing Model Work Tasks ----- Outsource ------- Partner Business Model Rate Card ------ Fixed Price ------- Outcomes

Managed Applications Services (MAS) • MAS Master Services Agreements are already in place • Accelerates Project Initiation phase • Enables Agency Customers to focus on business requirements & the application project • SB‐ 20 Compliant • Optimizes Agency financial flexibility & management • Leverages DCS Management, Governance, Reporting & Escalation • Integration of Applications & Infrastructure within DCS improves performance and manageability Note: MAS Services are available for DCS hosted Applications

Managed Security Services

Managed Security Services: Overview What is Managed Security Services? Managed Security Services (MSS) is an offering within DIR’s Shared Technology Services program, providing a cost-effective solution to state, local, municipal, and higher-education cybersecurity needs. MSS is composed of three (3) Service Components, each containing multiple services to choose from to meet your IT security needs: • Security Monitoring and Device Management – AT&T • Incident Response – AT&T • Risk and Compliance – AT&T Did you know? Certain security services are already included within the scope of the DCS infrastructure services contract. Therefore, a separate procurement of these services are not needed for devices residing in a Consolidated Data Center (CDC) or covered by the DCS public cloud offering.

Managed Security Services Device Management • Endpoint Management Services • Intrusion Detection Systems /Intrusion Prevention Systems Services • Host‐based Intrusion Prevention Services • Managed Firewall Services • Web Application Firewall Services • Security Information and Event Management • Targeted Threat Research • 24 x 7 x 365 Security Operations Center Incident Response • Security Incident Management • Digital Forensics • Response Preparedness Risk and Compliance • Penetration Testing • Risk Assessment • Cloud Compliance • Vulnerability Scanning • Web Application Scanning

MSS – Security Monitoring and Device Management (SMDM) 24 x 7 x 365 Security Operations Performance Management of Devices: Security Monitoring of Devices: • Hardware failures • Analyst Review of High severity alerts • Loss of visibility • Notifications to customers for out‐of‐policy events (ex: successful malware infection on host) • Failure to respond • Change in status • Alert Areas ‐ based on capability and scope of Solution Assets being supported (i. e. , Hard Drive Health, RAM Health, Memory Utilization, Fan Management). • Alert Types ‐ based on capability and scope of Solution Assets being supported (i. e. , Memory/Available Mbytes, Processor % Processor Time, Bytes total/sec). • Notifications include analyst recommendations • Elimination of false positives • Custom signature deployments for significant events (ex: heartbleed) • Analyst review of additional security devices to deploy countermeasures

MSS – Security Monitoring and Device Management SMDM: Threat Research is a complement to SIEM or SOC services, but can also be a stand‐alone service. Threat Research subscriptions are available on a month‐to‐month basis: • 1– 3 months Automated Alerts: • 4– 12 months • Crimeware • 13– 24 months • Dynamic DNS Threat Research leverages intelligence data from multiple sources, • Phishing Attacks and URLs including: • Anonymous VPN AT&T Global Network Operations Center (GNOC) • Hacking Tools • Provides proprietary intelligence data • Malware C&C AT&T Chief Security Office (CSO) • APT IPs and Domains • Provides proprietary threat data • Brute Force, Spammer, Bot IPs Anomali • Provides threat data aggregated and de‐duplicated from 300+ public, private, and proprietary sources, including Anomali’s global Modern Honey. Net (MHN) project • TOR Detection

MSS - Risk and Compliance Services Risk Assessments Penetration Testing Vulnerability Scanning Risk Assessments focus on the maturity of processes, gaps against standards of good practice and compliance requirements, and risks to the organization Penetration Testing includes target selection/scope, reconnaissance if needed, mapping the network, discovery of vulnerabilities, exploitation of vulnerabilities (if permissible per the Rules of Engagement), post‐ exploitation/pivoting, and reporting. MSS customers can purchase a 12‐ month subscription for Vulnerability Scans and/or Web Application Vulnerability Scans (WAVS). An unlimited number of scans is available through the subscription service, and services are billed monthly based on the scope of scan performed. One‐time scans are also available. Texas Cybersecurity Framework: • Evaluate level of maturity • Flat fee per assessment Assessments can include: • HIPAA • FISMA • Cloud Provider Compliance • Other standards Web or mobile application penetration testing is also available to help state agencies meet the requirements set forth in House Bill 8 in the 85 th Legislative session.

MSS - Incident Response Services Incident Response Preparedness* Digital Forensics Provides a critical review of current internal processes and procedures for handling events, incidents, and evidence. Includes: • “On Demand” service • Use of Encase and/or Carbon Black for analysis of hard drive images • Detective control configurations • Deployed preventative and detective solution sets throughout the environment • Current incident response plans • Incident responder and handler skillset evaluations • Incident responder and handler training evaluations • Evidence seizure and storage procedure analysis • Electronic data recovery • Litigation support Incident Response Management • No retainer for this service • Address adverse events, issues, or occurrences that may occur in your environment • Includes detection, triage, response activities, and containment of computer security events * Important Note: DCS Program customers already receive Incident Response services as part of your DCS assurances. However, if a security incident moves beyond the level of Atos contracted support to security incident analysis, the analysis can be performed by the MSS vendor (AT&T) upon Customer request.

Texas. gov Application and Payment Services

Texas. gov New Business Model Structure Business Model Component Sourcing § Single service provider Current Approach 9/1/2018 Approach Rationale for Change Funding § Self‐funded through transactions and administration fees Revenue Sharing Governance § Share of Total § DIR provides strategic Revenue provided program guidance to the State and oversight for Service Provider § Multi vendor model § Self‐funded through § No change segmented by functional transactions fees, but DIR areas manages program revenue and expenses § DIR provides strategic program guidance and oversight for Service Provider(s) and uses Owner Operator governance structure that involves customers. Establish Texas. gov User group. § Increased competition, transparency and operational efficiency § Consolidated governance structure among DIR shared services programs § Increased cost transparency § Financial Accountability 26

Texas. gov Contracts Overview – 9/1/18 • Texas. gov Services contract awarded to Deloitte Consulting, LLP • Texas. gov Payment Services awarded to Texas NICUSA, LLC • Services commencement for both contracts is September 1, 2018 • Both contract terms are four (4) years with four optional one (1) year renewals, which could extend contracts through August 31, 2026. • Texas. gov will continue to be self‐funded through transaction fees collected under the program.

Texas. gov Payment Services Contract NICUSA, Inc. is responsible for the Transaction Payment Engine (TPE) for Texas. gov applications online or over the counter credit card and/or ACH payments. • Provide gateway services to support Customer’s payment needs including point of sales (POS) devices • Process payments in accordance with the Comptroller’s requirements • Ensure Payment Card Industry Data Security Standard (PCI DSS) compliance • Integrate electronic payment services with the Texas. gov Services SCP • Deliver an easy‐to‐pay Constituent experience, including custom branded checkout options and a Hosted Payment Page

Texas. gov Application Services Contract Deloitte is responsible for daily operations and maintenance of all hosted applications as well as application development for new requests. Develop new applications in alignment with approved standards Provide application testing services Operate and maintain the Texas. gov, Emergency, and Veterans portals Operate and maintain Texas. gov hosted applications through DIR’s Data Center Services (DCS) infrastructure • Integrate applications with Payment Services SCP offerings (e. g. , TPE) • Provide customer outreach and public marketing campaigns • •

Texas. gov - My Government My Way New Consumer Application A digital government assistant personalized to anticipate citizen needs and facilitate a secure, convenient, and efficient customer experience, My Government My Way will transform how Texans engage with government. 30

Multi-sourcing Services Integrator (e. MSI) Bringing all the Shared Technology Services together

Program Procurement History § 2007 – HB 1516 authorizes Texas Data Center Services (DCS) service § 2012 –State re‐procures and restructures DCS services using a multi‐ sourcing service integration model (MSI) § § § Multi‐Sourcing Integration MSI contract to Capgemini Service Component operations contracts to Xerox (now Atos) and Xerox Print/Mail 2018 – The State awarded e. MSI contract to Capgemini and expanding integration to DCS, Print/Mail, MAS, MSS, and Texas. gov

MSI Operating Model – Capgemini Customers State Agency Allows current and prospective customers to learn about and order DIR Shared Services. State Agency Local Government Higher Education DIR Sourcing Management & Governance Retained IT Integrator Organization Multi-sourcing Services (MSI) - Capgemini Marketplace IT Business Mgmt Service Mgmt Comprehensive ITILbased management of services provided by Shared Service Providers. Operations Mgmt Knits together operational services of service providers, allowing them to work together efficiently and effectively. DCS Atos • Server • Mainframe • Network • Data Center Xerox • Print Mail Texas. gov Deloitte • Texas. gov Services NIC • Payment Services MSS MAS Enterprise Services • Application Development • Applications Maintenance Allied • Application Rate Card AT&T • Device Management • Incident Response • Risk & Compliance DIR Shared Technology Services Open Data Future Portal New SCP Socrata • New Service • Platform for data sets to be available to the public Visibility, measurement, analytics, governance, strategy – managing the services that are provided to Customers as a business.

Enhancing the Customer Experience Capgemini Digital MSI Solution An advanced IT delivery platform/and Single Customer Portal to enable the modernization of our customers IT Environment A robust service quality function providing financial transparency and managing SLA’s and KPI’s designed to reduce outages and ensure overall customer satisfaction Dashboards and analytics to give Customers and participants relevant information IT Service Desk and addition of Texas. gov Constituent Help Desk to facilitate Simplified customer experience across services Automation and digitization of service provider process and procedures to optimize operations and promote rapid delivery of new services Integration with the State’s RSA investment, further digitizing program’s security Primary program interaction with Customers centered around a Customer Management Team leveraging a 360 view of customer satisfaction A new dedicated and focused outreach and growth platform and program

Enhancing the Customer Experience (cont’d) Capgemini Digital MSI Solution Service Catalog/Marketplace Customer Portal for all Shared Technology Services

New digital MSI brings a data driven and real-time environment with interactive dashboards and reports.

Enhancing the Customer Experience Monthly Customer Scorecard • Scorecard metrics capture customer feedback each month. • Ratings and feedback is evaluated by DIR and Service Providers for improvement opportunities. • Issues are managed on Issues log until resolution. • Customers can access to dashboard metrics to assist in evaluating service. • Ratings are reported and monitored by Customer Governance and evaluated for trends that will help focus on improving service.

Enhancing the Customer Experience Customer Relationship Management DIR Enterprise Relationship Managers oversee Customer Satisfaction program Service Provider CRMs and DIR ERMs partner directly with our customers DIR Enterprise Relationship Managers and Service Provider Customer Service Managers work to bring solutions to our customers Issue and Escalation Management Monitors performance and drives service improvements

Becoming a Customer with the Shared Technology Services IAC/ILC Global IAC/ILC (Level 1) Global, general terms that apply to all Shared Technology Services. By signing, your organization gains general access to the Share Technology Services program and may contract for one or more specific programs of service. Program Terms and Conditions (Level 2) Solution Terms (Level 3) DIR will provide separate terms for each program of service. Acceptance of the terms is communicated through an acceptance email to DIR which enables organization to request a specific service or solution in the program. A specific request for service (RFS), including a solution design and cost estimate, which the organization approves in the new Service Now System ticket to execute the purchase. 39

Questions

More Information: https: //dirsharedservices. service-now. com/dir dirsharedservices@dir. Texas. gov Lorie Ramirez Contact Us Customer Service Operations Director lorie. ramirez@dir. texas. gov 512 -475 -3668