Employing a governance-risk-compliance platform from R-SAM - a SQL database that provides a centralized repository and framework documenting risk, controls and remediation activities - Vermont is beginning to conduct risk assessments of all of its agencies, a process that should be completed in 18 months. R-SAM gives Vermont officials a multidimensional view of its risk versus a more one-dimensional view offered by the paper report issued by third-party contractors.
R-SAM and a more collaborative relationship between IT security personnel and the agencies result in "a wonderful transfer of knowledge," Rowley says. "It allows the security person to interact with agencies and departments, and talk about security, talk about different aspects of security that isn't discussed when you have a third party working with them."
In the interview, Rowley discusses:
- Initial steps to institute an in-house risk assessment program.
- Roles IT security personnel and agencies perform using R-SAM to assess risk.
- Lessons she learned from bringing risk assessment in-house.
A former nurse who changed her career after a back injury, Rowley earned a master of science degree in information assurance from Norwich University, and has served as Vermont CISO since September 2008.