County and municipal cybersecurity solutions
In Part 1 of this two-part series, I discussed the lack of infosec and cybersecurity programs in county and municipal government, as well as obstacles and impediments to establishing those programs. If you don’t have appropriate information security and cybersecurity programs in place in your organization, let’s take a look at some comprehensive approaches that will help you address the problem.
Start with information governance (IG)
What’s the first step in establishing your cybersecurity program? It has nothing to do with cybersecurity.
Information security and cybersecurity must be components of an overarching information governance (IG) program, overseen by an interdisciplinary team with executive support. Treating cybersecurity as a stand-alone program outside of the context of your organization’s information universe will produce a narrow approach. Do you currently have an IG program?
I can hear some grumbling right now. “Jeff, when do we get to the important stuff?”
IG is the important stuff. There are no silver bullets. There are no miracle pills that will address your information security requirements. No miraculous hardware or software will magically keep your information safe unless you have the right policies in place. There is some real work to do here, and the “P-things” are the most effective tools to pack for your infosec journey. You will develop these from your IG program:
People, Policies, Processes, Procedures, Protocols
What is information governance?
I like Robert Smallwood’s succinct definition of information governance: “security, control and optimization of information.”[i] In order to develop sound infosec and cybersecurity programs, you must know what you are protecting and why you are protecting it. The purpose of an IG program is to map, understand and manage your entire information universe. The map you create will serve as the foundation for your information security programs.
In a municipal government organization, an IG committee may include representatives of the legal, HR, records management, IT, finance and audit departments, as well as other departments. Let’s say your municipality has a public health clinic, a recorder of deeds, a personnel/payroll department and a sheriff. This means you have medical records, prisoner health records, recorded 911 calls, police reports, mortgage documents, confidential personnel records, payroll records, Social Security numbers and a lot more. The people with special knowledge about the nature and disposition of all of that information must be on your committee.
In some organizations, information and security policy is developed at the whim of the CIO or IT director. Is that IT director an expert in statutory requirements and industry best practices for all of the areas mentioned above? I doubt it. This is why you need a cross-functional team to map the universe and make a comprehensive plan.
Establishing a comprehensive information security program
Once you have begun building your IG foundation and framework, your infosec and cybersecurity requirements will be much clearer. Also, IG, infosec and cybersecurity are not one-time activities. They require a process for continuous improvement, like the PDCA (Plan, Do, Check, Act) or DMAIC (Define, Measure, Analyze, Improve, Control) methods. Get something in place first, and then continue to improve it. Attempting to get it perfect from the start will only result in implementation delays. This job never ends, but it gets much easier once a solid foundation has been built.
Information security management systems (ISMS), frameworks and standards
Once you have a comprehensive understanding of your information universe, develop security policies and programs for implementation and enforcement of those policies.
Use an existing framework. Designing comprehensive information security programs is more complicated than installing firewalls and antivirus software, and there is a great deal to think about.
There are many freely available information security tools in addition to standards and frameworks that require payment or membership in an organization. You can build a successful security program using only free tools, but my crystal ball is on the fritz today so I can’t see which tool is best for your organization. I wish I could tell you there is a one-stop shop, but there isn’t. You will have to evaluate your situation, do the research and make informed decisions about the best approach for your organization. Here are brief discussions of some of them.
The National Institute of Standards and Technology (NIST) provides an enormous quantity of information and the gateway to it is available here. NIST’s Framework for Improving Critical Infrastructure Cybersecurity is available here and a new draft was released in January. If you would like to learn more about it, you might want to attend NIST’s Cybersecurity Framework Workshop, which will take place May 16 and 17 in Gaithersburg, Md. You can also view a webcast with an overview of the framework. According to NIST, “The core of the framework was designed to cover the entire breadth of cybersecurity… across cyber, physical, and personnel.”[ii]
NIST also provides three series of special publications (SP): SP800, which deals with computer security; SP1800, which contains cybersecurity practice guides; and SP500, which covers computer systems technology.
SP800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” will likely be an essential part of your planning process if you are building upon NIST.
If a division of your public-sector organization provides medical services, it might fit the definition of a covered entity (CE) under the Health Insurance Portability and Accountability Act (HIPAA). If so, that division is required to comply with applicable federal regulations, including the HIPAA Security Rule. The regulation provides a clear, jargon-free framework for developing information security policies and programs. While it won’t address all the requirements for a municipal cybersecurity program, it can help you build a solid foundation for your security programs. I don’t have any official data on HIPAA Security Rule compliance in municipal organizations, but my personal experience is that it is extremely low. Is your CE compliant? If not, why not bring your entire organization up to HIPAA standards?
I have worked extensively with HIPAA regulations and NIST products for nearly two decades, and I like them a lot. If they are not a good fit for your organization, there are other resources, including the following three.
The Information Security Forum (ISF) publishes the Standard of Good Practice for Information Security, available free to ISF members.
The International Organization for Standardization (also known as the ISO) publishes the ISO/IEC 27000 family of standards for information security management systems. ISO products are not inexpensive, but in the overall scheme of things, you might find them to be a reasonable investment. Organizations can certify through accredited registrars, which can also be an expensive process.
ISACA publishes COBIT 5, “the leading framework for the governance and management of enterprise IT,” which provides an integrated information security framework as part of a larger IT governance framework. According to TechTarget security expert Joseph Granneman, “It is the most commonly used framework to achieve compliance with Sarbanes-Oxley rules.”[iii]
The role of vendors
Trusted vendors can be helpful in building your security programs, but over-reliance on vendors for security advice is a suboptimal approach. While they may be knowledgeable about many aspects of your industry, only you and your cross-functional IG team truly understand your business requirements. Their job is to “sell you stuff,” but they will generally draw the line at writing policy and taking responsibility for overall information security in your organization. If there is a major breach or some other catastrophic security event in your organization that becomes public, you are the one whose picture will be in the paper.
Summary: one step at a time
Here are a few simple steps you can take to improve your cybersecurity infrastructure:
1. Establish an IG committee and program.
2. Discover and map your information universe.
3. Establish an information security framework and security policy.
4. Develop and implement a cybersecurity plan, based on the above.
5. Use a cycle of continuous improvement.
References, resources and further reading
“Four Critical Challenges to State and Local Government Cybersecurity Efforts,” Government Technology, July 17, 2015.
[i] Information Governance for Executives, by Robert Smallwood, Bacchus Business Books, 2016.
[ii] Cybersecurity Framework Virtual Events, National Institute of Standards and Technology.
[iii] “IT Security Frameworks and Standards: Choosing the Right One,” by Joseph Granneman, TechTarget.com, September 2013.