ENTERPRISE ARCHITECTURE

Executive Summary

With more than $1 billion in information technology investments annually, the Commonwealth of Pennsylvania has evolved into the equivalent of a Fortune 20 organization, providing a diverse cross section of IT services and solutions to its 12.3 million citizens and business customers worldwide. The Commonwealth's ongoing technology success rests with its ability to leverage the strengths and assets of the entire enterprise to attain solutions and deliver services in the most cost-effective and efficient manner.

The Commonwealth's Bureau of Enterprise Architecture (EA) has design and governance responsibility for information technology solutions and standards utilized by agencies under the governor's jurisdiction. The goal of Enterprise Architecture is to support the governor's office by providing enterprise-wide technology policies and standards. Partnering with agencies, the goal is achieved by understanding key business drivers, leveraging appropriate, existing technology, sharing IT resources across the Commonwealth, and making sound technology investments.

Enterprise Architecture leverages the NASCIO framework and has established a collaborative governance structure that leverages the skills and experiences of the Office for Information Technology (OIT) as well as key resources in various Commonwealth agencies. The Enterprise Governance Council (EGC) and the Enterprise Architecture Standards Committee (EASC), both comprised of senior agency directors and CIOs, provide leadership, prioritization of initiatives, and recommendations of standards. Domain teams, comprised of agency technologists, architects, and thought-leaders, realize these initiatives and create Commonwealth standards, IT policies, and Enterprise Architecture models.

Over the past year, focus areas and accomplishments of EA include:

Baseline and Target Model Specification. The Commonwealth's Target Architecture has continued to evolve in response to business drivers prioritized by the IT governance structure. Key Target Architecture specifications include the creation of a common Citizen Information Model, establishment of a common portal architecture, expansion of the Business Solutions Center of Excellence (BSCoE), and the creation of a Grants Management Architecture. The Baseline Architecture has been elaborated to map existing applications to the key functions realized in the Business Architecture. This mapping is used to identify where redundant services are being provided and serves as input for business streamlining and technical consolidation.

Specification of Enterprise Security Architecture and Policies. The Commonwealth, through Enterprise Architecture, has developed a baseline security architecture that includes all aspects of cyber security and identity protection and access management. Enterprise Architecture is responsible for several far-reaching, critical security initiatives that specify standard security approaches and blueprints for all aspects of cyber security, monitoring, escalation, and identity protection and access management. Security assessments have to be put in place to identify threats, vulnerabilities and risks to Commonwealth IT resources. Additionally, the Commonwealth's Chief Information Security Officer (CISO) has implemented several security awareness and communication initiatives, including a CISO Roundtable to provide agency security officers multi-directional information sharing among agencies and a Pennsylvania Information Sharing and Analysis Center (PA-ISAC) to disseminate warnings and share information among the state and different levels of local government.

Architecture Compliance Process. A Technical Architecture Review (TAR) Board has been established and is fully operational. The TAR regularly reviews key agency initiatives to assess compliance with Enterprise Architecture and standards and to grant waivers based on business justification. The TAR has been active, reviewing over 100 projects in the first five months of 2006.

Enterprise Architecture has brought many advantages, both tangible and intangible, to the Commonwealth of Pennsylvania. It is now an institutionalized agent for innovation and standardization across the Commonwealth and has also evolved into a communication clearinghouse for sharing information about key agency technology initiatives. Significant cost savings have been achieved through enterprise purchasing agreements for product standards. The Domain Teams and other collaborative EA mechanisms have begun to foster an attitude and mindset of cooperation, communication, and sharing throughout Commonwealth agencies.

8/28/2006 1 EA NASCIO
Description of Project

Enterprise Architecture (EA) was formally introduced into the Commonwealth of Pennsylvania in late 2003. Previously, the Commonwealth had centralized several key architecture components: email, telecom services, desktop operating systems, PCs, and SAP as the back office system. It is upon this infrastructure that EA initiatives were built, and with this foundation the Commonwealth has constructed a collaborative approach to EA governance and standards.

The EA governance structure is part of a broader IT governance model that reports to the IT Governance Board. The purpose of the IT Governance Board is to oversee the investment and performance of information solutions across the Commonwealth's agencies and to advise and counsel the governor on the development, operation, and management of the Commonwealth's IT investments, resources and systems.

Governance continues to be an important part of Commonwealth initiatives. The Enterprise Governance Council (EGC) and the Enterprise Architecture Standards Committee (EASC), both comprised of senior agency Directors and CIOs, provide leadership, prioritization of initiatives and recommendations of standards. Domain teams, comprised of agency technologists, architects, and thought-leaders, realize these initiatives by creating Commonwealth standards, establishing IT policies, and specifying Enterprise Architecture models and blueprints. This governance structure ensures support and the rapid adoption of enterprise strategic initiatives that meet the diverse needs of Commonwealth agencies. Additionally, with the establishment of ten domain teams (see diagram below), participation has been solicited from all agencies and levels of staff. This has established a new way of doing business for the Commonwealth. Enterprise Architecture is now an institutionalized agent for both innovation and standardization across the Commonwealth.

The Enterprise Architecture Governance Model was formed using the NASCIO framework for Enterprise Architecture.
Enterprise Architecture communicates its standards and policies through Information Technology Bulletins (ITBs). ITBs provide a consistent format for standards and are published in a common location that is publicly available for agency use. Before an ITB is published, it undergoes several types of review. After the organizations in the governance structure have reviewed an ITB, it is subject to a broader agency review before publication. Standard, broadcast communication channels are in place to keep agencies educated about new or changing standards. A feedback and query mechanism is in place, enabling agency personnel to ask questions or comment on published EA standards. Additionally, EA members attend agency or Community of Practice meetings and share information on EA standards and plans on a regular basis.

During the past year, EA has been actively advancing Enterprise Architecture Blueprints and Processes throughout the Commonwealth. Key focus areas and accomplishments of EA include: continued evolution and documentation of the baseline and target models, specification of comprehensive security architecture and processes, and roll-out of an architecture compliance process. Each is described below.

Baseline and Target Model Specification

The Commonwealth's Target Architecture has continued to evolve in response to business drivers prioritized by the EA Governance structure. Key aspects of the target architecture specified recently include:

Creation of a Citizen Information Model. A conceptual citizen information model has been created and promulgated, providing standards to Commonwealth agencies pertaining to citizen-related entities and data elements. This common citizen model is a critical step towards implementing integrated processes and shared information repositories. It has improved communication among agencies by establishing a common language related to the citizen and is enabling a key Commonwealth objective of providing improved services to citizens by promoting a higher quality of information.

Establishment of a Common Portal Architecture. The Commonwealth has adopted a single, standard portal platform for both internally and externally facing websites. The common portal architecture provides a consistent look and feel for citizens and Commonwealth users alike. Additionally, implementing the common portal architecture improves the interoperability of agency applications via portlet technology and, in conjunction with the Enterprise Security Architecture, provides a consistent, robust web access and authentication vehicle across the Commonwealth.

Continued expansion of the BSCoE frameworks. Enterprise Architecture initially conceived and served as an incubator for the Business Solutions Center of Excellence (BSCoE). BSCoE consists of standardized software engineering processes, service components, and application framework components. It promotes cross-agency development efforts and fosters a common approach to training and education for all development teams. It provides uniformity of approach, process and results, allowing projects to leverage the broad pool of resources and assets that currently exist within the Commonwealth. BSCoE has emerged during the last year, and EA remains an important member of the BSCoE governance structure, helping to guide its ongoing roll-out and evolution.

Creation of a Grants Management Architecture. Building on both the Common Portal Architecture and BSCoE, a Commonwealth-wide grants management architecture has been created. This architecture simplifies and automates the funding process associated with over $17 billion in federal and state grants. The architecture streamlines the underlying business process pertaining to grants processing, establishes a centralized portal to allow grant recipients to find and apply for grant opportunities in the Commonwealth, and establishes an enterprise business intelligence engine that supports the reporting needs of the governor's office and federal and state agencies.
Additionally, key aspects of the baseline architecture continue to be elaborated. During the past year, the Commonwealth has expanded the specification of the existing Business Architecture. Utilizing the Federal Enterprise Architecture (FEA) Business Reference Model (BRM), the Commonwealth has mapped agencies and applications to their relevant lines of business and sub-functions in the Services for Citizens Business Area. This mapping is used to identify where redundant services are being provided across agencies and applications and serves as input for business streamlining and technical consolidation.

Specification of Enterprise Security Architecture and Policies

One of the most important Commonwealth initiatives is security. Enterprise Architecture is responsible for several far-reaching, critical security initiatives. These initiatives specify standard security approaches and blueprints for many aspects of cyber security and identity protection and access management. Each is described below:

Identity Protection and Access Management (IPAM). An interagency Identity Management initiative was launched to establish the Commonwealth approach and architecture pertaining to identity management and to align with federal and industry standards such as the Federal Information Processing Standard (FIPS) and Security Assertion Markup Language (SAML). IPAM is a comprehensive effort that covers many aspects of identity management, including:

Enterprise Directory Services. Provides for consolidation, synchronization and aggregation of shared identity information for retrieval and user authentication.

Access Management and Control. Provides standards and policies for accessing Commonwealth facilities and information systems.

Enrollment, Identity Proofing and Vetting. Outlines the processes for validating and verifying an individual's identity for the purpose of establishing credentials, such as log-in identifications and identity cards.

Identity Card Production, Personalization and Issuance. Outlines the standards for creating, delivering and activating an individual's unique identity card.

Enterprise Public Key Infrastructure (PKI). Outlines the standards for use of secure mechanisms (cryptography) to verify established identities, support digital signatures and encrypt sensitive data.

Specification for a Commonwealth Personal Identification Verification (PIV) Card. Provides the physical and logical layout for the components of the Commonwealth PIV card (e.g. magnetic strip, smart chip, photograph).

During the past year, the IPAM Initiative has made significant progress towards a Commonwealth-wide identity management architecture and process. Some key accomplishments include: specification of the Enterprise Directory Blueprint; creation of a standard Web Access and Authentication architecture; creation of a FIPS-compliant Personal Identification Verification (PIV) card specification; creation of a Commonwealth Digital Certificate Policy; and selection of a Commonwealth-wide Digital Certificate Provider.

Operation Secure Enterprise (OSE). OSE addresses the increasing security risks associated with technology-based delivery of business services. OSE, led by the newly appointed EA Chief Information Security Officer (CISO), creates enterprise plans, approaches, and architectural blueprints to provide enhanced cyber security to the Commonwealth. OSE has established enterprise technology standards for critical areas of cyber security, including network intrusion detection and protection systems and Internet access control and content filtering. A consolidated Security Information Management solution has been established to provide an enterprise-level view of the condition of security in the Commonwealth's IT environment. Additionally, security assessments have been put in place to identify threats, vulnerabilities and risks to Commonwealth IT resources.
Security Awareness and Information Sharing. An organization depends on more than technology for implementing IT security. Raising security awareness and communication are equally important. EA has implemented a security architecture communication process to address awareness and communication. In addition to standardized security awareness training, the Commonwealth has established a CISO roundtable. The CISO roundtable is comprised of agency CISOs and professionals and is chaired by the EA Commonwealth CISO. This provides a forum for multi-directional information sharing among agencies. Additionally, a Pennsylvania Information Sharing and Analysis Center (PA-ISAC) has been established to disseminate warnings and share information with state and various levels of local government.

Roll-out of an Architecture Compliance Process

As the Commonwealth's Enterprise Architecture grows and evolves, it is vital that a process be established and executed to assess agency projects' compliance with Enterprise Architecture standards. A Technical Architecture Review (TAR) Board has been established and is fully operational. The TAR is comprised of Enterprise Architecture resources as well as members from other cross-cutting technology organizations within the Commonwealth. The TAR reviews select agency initiatives, based on objective criteria, to ascertain compliance with established enterprise architecture standards and to grant waivers based on business justification. The TAR has dramatically increased Enterprise Architecture visibility and compliance among Commonwealth agencies and has been extremely active, reviewing over 100 projects in the first five months of 2006.

Significance to the Improvement of the Operation of Government

Enterprise Architecture has improved the Commonwealth's ability to interact with other government agencies and positions the Commonwealth to align with federal recommendations while also championing interstate communications. This is possible due to the implementation of standard technology solutions, a focus on standards-based solutions, and communication of the role that EA plays across all agencies. Vendor interaction has also improved as a result of identifying one group responsible for establishing enterprise-wide standards. The Commonwealth can now negotiate lower costs across the enterprise by implementing common technology solutions, leveraging its purchasing power.

Enterprise Architecture is serving as a communication vehicle for technology initiatives within the Commonwealth. Through the TAR Board and the various groups in the governance structure (EGC, EASC and domain teams), agencies constantly interact in ways and at levels they previously did not. This has resulted in greater awareness of technology initiatives among the agencies.

Another key change within the Commonwealth is a shift from an agency-centric thought process to one that is Commonwealth-wide. EA serves as the focal point for defining and communicating a shared Commonwealth vision. As enterprise standards become more prevalent, agencies within the Commonwealth have realized the benefit of shared architecture and standards. The EA governance structure now relies heavily upon the EA organization to set standards and policies in technology areas. In the past, each agency would perform its own research and establish its own standards and policies. This change in thinking is particularly evident in the realm of security, where consolidated Security Information Management and the CISO roundtable have led to holistic, enterprise security planning, monitoring, and cooperation. Additionally, with the expanded baseline architecture model that has been created, it is much more straightforward to identify improvements and streamlining opportunities for the target architecture.
Benefits

Enterprise Architecture has brought many advantages, both tangible and intangible, to the Commonwealth of Pennsylvania. The Commonwealth has taken an enterprise approach to standardization, working collaboratively with agencies via the EA domain teams. Ten domain teams were formed using the NASCIO framework for Enterprise Architecture. This has provided many benefits to the Commonwealth, including the ability to share assets, thus increasing their utilization and driving the use of common tool sets. In turn, this lowers overall costs by better leveraging people and processes to provide training. We have fostered an enterprise approach to new initiatives, seeking out commonality and the strategic importance in each.

With the focus and attention on cyber security and identity protection at a Commonwealth level, the Commonwealth's infrastructure and information are more secure. This increased security benefits taxpayers by making their sensitive data increasingly safer.

With the adoption of a common citizen information model, a common language related to the citizen has been established. This in turn promotes a higher quality of citizen information, enabling a key Commonwealth objective of providing improved services to citizens.

Return on Investment

Enterprise Architecture does materially impact the Commonwealth via monetary savings in enterprise license agreements. Over the past year, Enterprise Architecture has named several technology solutions as Commonwealth standards. Consequently, significant license and maintenance fee cost savings (over $34 million) have been realized through enterprise license agreements. This saving alone recoups the Commonwealth's investment in EA several times over.

Another key projected area for savings is grants management. Upon rollout of the common Grants Management Architecture and Processes, the Commonwealth is projected to achieve $1 million per year in cost savings due to a 25% reduction in processing time for every grant application processed.