County and municipal cybersecurity solutions

In Part 1 of this two-part series, I discussed the lack of infosec and cybersecurity programs in county and municipal government, as well as obstacles and impediments to establishing those programs. If you don’t have appropriate information security and cybersecurity programs in place in your organization, let’s take a look at some comprehensive approaches that will help you address the problem.

Start with information governance (IG)

What’s the first step in establishing your cybersecurity program? It has nothing to do with cybersecurity.

Information security and cybersecurity must be components of an overarching information governance (IG) program, overseen by an interdisciplinary team with executive support. Treating cybersecurity as a stand-alone program, outside the context of your organization’s information universe, will produce a narrow approach. Do you currently have an IG program?

I can hear some grumbling right now. “Jeff, when do we get to the important stuff?”

IG is the important stuff. There are no silver bullets. There are no miracle pills that will address your information security requirements. No miraculous hardware or software will magically keep your information safe unless you have the right policies in place. There is some real work to do here, and the “P-things” are the most effective tools to pack for your infosec journey. You will develop these from your IG program:

People | Policies | Processes | Procedures | Protocols

What is information governance?

I like Robert Smallwood’s succinct definition of information governance: “security, control and optimization of information.”[i] In order to develop sound infosec and cybersecurity programs, you must know what you are protecting and why you are protecting it. The purpose of an IG program is to map, understand and manage your entire information universe. The map you create will serve as the foundation for your information security programs.

In a municipal government organization, an IG committee may include representatives of the legal, HR, records management, IT, finance and audit departments, as well as other departments. Let’s say your municipality has a public health clinic, a recorder of deeds, a personnel/payroll department and a sheriff. This means you have medical records, prisoner health records, recorded 911 calls, police reports, mortgage documents, confidential personnel records, payroll records, Social Security numbers and a lot more. The people with special knowledge about the nature and disposition of all of that information must be on your committee.

In some organizations, information and security policy is developed at the whim of the CIO or IT director. Is that IT director an expert in statutory requirements and industry best practices for all of the areas mentioned above? I doubt it. This is why you need a cross-functional team to map the universe and make a comprehensive plan.

Establishing a comprehensive information security program

Once you have begun building your IG foundation and framework, your infosec and cybersecurity requirements will be much clearer. Also, IG, infosec and cybersecurity are not one-time activities. They require a process for continuous improvement, like the PDCA (Plan, Do, Check, Act) or DMAIC (Define, Measure, Analyze, Improve, Control) methods. Get something in place first, and then continue to improve it. Attempting to get it perfect from the start will only result in implementation delays. This job never ends, but it gets much easier once a solid foundation has been built.

Information security management systems (ISMS), frameworks and standards

Once you have a comprehensive understanding of your information universe, develop security policies and programs for implementation and enforcement of those policies.

Use an existing framework. Designing comprehensive information security programs is more complicated than installing firewalls and antivirus software, and there is a great deal to think about.

There are many freely available information security tools, in addition to standards and frameworks that require payment or membership in an organization. You can build a successful security program using only free tools, but my crystal ball is on the fritz today, so I can’t see which tool is best for your organization. I wish I could tell you there is a one-stop shop, but there isn’t. You will have to evaluate your situation, do the research and make informed decisions about the best approach for your organization. Here are brief discussions of some of them.

NIST

The National Institute of Standards and Technology (NIST) provides an enormous quantity of information, and the gateway to it is available here. NIST’s Framework for Improving Critical Infrastructure Cybersecurity is available here, and a new draft was released in January. If you would like to learn more about it, you might want to attend NIST’s Cybersecurity Framework Workshop, which will take place May 16 and 17 in Gaithersburg, Md. You can also view a webcast with an overview of the framework. According to NIST, “The core of the framework was designed to cover the entire breadth of cybersecurity... across cyber, physical, and personnel.”[ii]

NIST also provides three series of special publications (SP): SP 800, which deals with computer security; SP 1800, which contains cybersecurity practice guides; and SP 500, which covers computer systems technology.

SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” will likely be an essential part of your planning process if you are building upon NIST.

HIPAA

If a division of your public-sector organization provides medical services, it might fit the definition of a covered entity (CE) under the Health Insurance Portability and Accountability Act (HIPAA). If so, that division is required to comply with applicable federal regulations, including the HIPAA Security Rule. The regulation provides a clear, jargon-free framework for developing information security policies and programs. While it won’t address all the requirements for a municipal cybersecurity program, it can help you build a solid foundation for your security programs. I don’t have any official data on HIPAA Security Rule compliance in municipal organizations, but my personal experience is that it is extremely low. Is your CE compliant? If not, why not bring your entire organization up to HIPAA standards?

I have worked extensively with HIPAA regulations and NIST products for nearly two decades, and I like them a lot. If they are not a good fit for your organization, there are other resources, including the following three.

ISF

The Information Security Forum (ISF) publishes the Standard of Good Practice for Information Security, available free to ISF members.

ISO

The International Organization for Standardization (also known as the ISO) publishes the ISO/IEC 27000 family of standards for information security management systems. ISO products are not inexpensive, but in the overall scheme of things, you might find them to be a reasonable investment. Organizations can certify through accredited registrars, which can also be an expensive process.

ISACA

ISACA publishes COBIT 5, “the leading framework for the governance and management of enterprise IT,” which provides an integrated information security framework as part of a larger IT governance framework. According to TechTarget security expert Joseph Granneman, “It is the most commonly used framework to achieve compliance with Sarbanes-Oxley rules.”[iii]

The role of vendors

Trusted vendors can be helpful in building your security programs, but over-reliance on vendors for security advice is a suboptimal approach. While they may be knowledgeable about many aspects of your industry, only you and your cross-functional IG team truly understand your business requirements. Their job is to “sell you stuff,” but they will generally draw the line at writing policy and taking responsibility for overall information security in your organization. If there is a major breach or some other catastrophic security event in your organization that becomes public, you are the one whose picture will be in the paper.

Summary: one step at a time

Here are a few simple steps you can take to improve your cybersecurity infrastructure:

1. Establish an IG committee and program.
2. Discover and map your information universe.
3. Establish an information security framework and security policy.
4. Develop and implement a cybersecurity plan, based on the above.
5. Use a cycle of continuous improvement.

References, resources and further reading

“Four Critical Challenges to State and Local Government Cybersecurity Efforts,” Government Technology, July 17, 2015.

[i] Information Governance for Executives, by Robert Smallwood, Bacchus Business Books, 2016.

[ii] Cybersecurity Framework Virtual Events, National Institute of Standards and Technology.

[iii] “IT Security Frameworks and Standards: Choosing the Right One,” by Joseph Granneman, TechTarget.com, September 2013.