CIOApplications

Implementing an Effective Public Sector Cyber Security Program

By Peter Ambs, CIO, City of Albuquerque

It’s not easy being today’s CIO or CISO in a government organization. While budgets shrink, we are tasked with being ever more relevant and innovative, all while ensuring dependable technology services that deliver optimized public services, all of them online and mobile. Central to this is protection of digital and infrastructure assets. Our first priority is to ensure we have deliberately and pragmatically secured those assets through a comprehensive cyber security program.

Each day we learn of successful cyber-attacks and organizational data breaches. The need to stay vigilant and follow best-practice cyber security processes and policies that mitigate a dynamic threat landscape has never been more important. The ‘new normal’ is cyber security first, everything else second. Cyber planning, budgets, resources, and executive sponsorship all have to be in place to make a difference in what boils down to a persistent and evolving cyber warfare scenario.

You are not alone if you inherited an imbroglio of disparate legacy systems that were not built with security as a primary design criterion. It’s not feasible to immediately forklift-upgrade enterprise legacy systems and rewire them with cyber defenses. To compound matters, perhaps your network is expansive and flat, designed for ease of use rather than partitioned by function and hardened with physical air gaps and micro-segmentation.

Given that any of us is just one incident away from being the target of a cyber-attack, whether it’s DDoS, phishing/spear-phishing/whaling, ransomware, cross-site scripting, remote code execution (RCE), or a data breach event, what can we do?

Begin by assessing where your organization currently sits on the cyber security program maturity continuum. For example, the NIST Cybersecurity Framework (CSF) Implementation Tiers, from Partial through Adaptive, give a simple scale for rating how effective your program is. From there, plan to fill the gaps in the People, Process, and Tools triangle, and lay out a remediation roadmap toward a mature, robust, and effective program.

Now is always the best time to strengthen and build upon appropriate security measures. Perform an organizational cyber security posture assessment to determine your risk and vulnerability posture. Prioritize the vulnerabilities by impact and likelihood of exploitation, and create a remediation plan. Shore up your environment.

You cannot wait for an event to occur to decide what to do. Have an incident response plan in place, and exercise it before you need it. Practicing good cyber hygiene and being prepared (incident response, vendor SLAs, and partnerships in place) is key to asset protection before, during, and after an event.

Disaster Recovery/Business Continuity planning and capabilities go hand-in-hand with your cyber security plans. A solid and tested DR plan, with good backup and restore capabilities and at least one backup copy kept offline or otherwise isolated so that ransomware cannot reach it, will go a long way toward ensuring cyber resiliency in the environment.

I’d like to share the practices and steps to build a ‘reasonable’ local government cyber security program, broken out into People, Process, and Tools.

PEOPLE

Engage with cyber partners for knowledge sharing. The Multi-State Information Sharing & Analysis Center (MS-ISAC) is a must-have partner. The mission of the MS-ISAC is to improve the overall cybersecurity posture of state, local, tribal, and territorial governments.

Collaboration and information sharing among members, private sector partners, and the U.S. Department of Homeland Security are the keys to success. Additionally, InfraGard, the FBI’s public/private partnership, is dedicated to sharing information and intelligence to prevent hostile acts against the US, including cyber attacks. Partner with a trusted cyber security firm to provide security posture assessments, penetration testing, and application and port scanning.

Have a CISO and dedicated staff working on Cyber Security around the clock.

Ensure you have a cyber awareness program in place to educate the workforce. Continually test staff and the wider workforce with mock phishing exercises and awareness training.

PROCESS

Become familiar with and use the NIST Cybersecurity Framework for network and application security. Offense informs defense: the controls you prioritize should be driven by the attacks actually being observed against organizations like yours (a principle the CIS Critical Security Controls are built on). Through continuous monitoring and proactive measures, you can determine the right amount of defense that needs to be in place.

Determine the need for, and the appropriate level of, cyber insurance.

Start with the basics: make sure your data backup and restore capabilities are sound and match the data retention policies for your tiered data classifications.

Keep Disaster Recovery and Business Continuity plans current and tested, so that fault tolerance and resiliency are built in and data recovery from backups has been proven to work, not just assumed.

Reduce your attack surface. Collapse networks and build partitions and micro-segments so that viruses, malware, and bad actors cannot move laterally across your network; on a flat network, one compromised workstation can reach every server.

The patch program needs to be automated and monitored, so that all critical systems, endpoints included, are kept at current patch levels and any host that falls behind is visible.

Set and enforce secure configurations for firewalls, routers, and switches (for example, against the CIS Benchmark for the platform), and audit running configurations against that baseline so that drift is caught.
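As an added example (not the author's code or any vendor tool), the following Python script shows one way to audit network device configurations against a secure-configuration baseline. It lints a constructed Cisco IOS-style configuration for a handful of common weaknesses (telnet on the VTY lines, default SNMP community strings, a plaintext enable password, cleartext HTTP management, AAA and SSH version 2 missing) and then shows the same device after remediation passing clean. The sample configurations, hostnames and the particular set of checks are this example's own assumptions, not a CIS Benchmark.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a Cisco IOS-style switch configuration (an illustrative
# fragment, not a configuration from any real device).
WEAK_CONFIG = """\
hostname core-sw-01
no service password-encryption
enable password cisco123
ip http server
no ip http secure-server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet
 login
"""

# The same device after remediation (also constructed).
HARDENED_CONFIG = """\
hostname core-sw-01
service password-encryption
enable secret EXAMPLE-ONLY-CHANGE-ME
aaa new-model
no ip http server
ip http secure-server
snmp-server community Ex4mpl3-RO RO 10
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
"""

# (finding, IOS-syntax pattern, present_is_bad). A check with present_is_bad=True
# fires when the pattern appears in the config; with present_is_bad=False it
# fires when the expected hardening line is absent. This selection of checks is
# the example's own, not a vendor or CIS benchmark.
CHECKS: List[Tuple[str, str, bool]] = [
    ("plaintext enable password (use 'enable secret')", r"^enable password ", True),
    ("service password-encryption disabled", r"^no service password-encryption", True),
    ("cleartext HTTP management server enabled", r"^ip http server", True),
    ("default SNMP community string", r"^snmp-server community (public|private)\b", True),
    ("read-write SNMP community configured", r"^snmp-server community \S+ RW", True),
    ("telnet accepted on VTY lines", r"^\s+transport input .*\btelnet\b", True),
    ("AAA not enabled (aaa new-model missing)", r"^aaa new-model", False),
    ("SSH version 2 not enforced", r"^ip ssh version 2", False),
]


def audit_config(config: str) -> List[str]:
    """Return the findings that apply to one device configuration."""
    findings = []
    for finding, pattern, present_is_bad in CHECKS:
        present = re.search(pattern, config, re.MULTILINE) is not None
        if present == present_is_bad:
            findings.append(finding)
    return findings


def audit_fleet(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit several devices; returns {hostname: findings} only for devices
    with at least one finding, so a clean fleet yields an empty dict."""
    results = {name: audit_config(cfg) for name, cfg in configs.items()}
    return {name: f for name, f in results.items() if f}


if __name__ == "__main__":
    for name, cfg in {"core-sw-01 (before)": WEAK_CONFIG,
                      "core-sw-01 (after)": HARDENED_CONFIG}.items():
        print(name, "->", audit_config(cfg) or "no findings")
```

Run against exported configurations on a schedule and diff the findings against the previous run: a finding that appears on a device that was clean last week is configuration drift and should be treated as a change-control incident, not just a to-do item.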

Implement protection for data at rest and data in transit; encrypt sensitive and PII data.

Harden systems by protecting credentials: implement two-factor (multi-factor) authentication, at minimum for administrative and remote access.
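The following block, added here as an example and not taken from the article, shows the second factor most commonly deployed for this purpose, a time-based one-time password (TOTP, RFC 6238), implemented on the Python standard library with the verification caveats a practitioner should build in: a small window for clock skew, constant-time comparison, and rejection of a code that has already been accepted once. The secret is the RFC's published test secret so the codes can be checked against the RFC's test vectors; the class and function names are this example's own.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890"),
# used so the codes below can be checked against the RFC. A real deployment
# generates a random per-user secret and protects it like a password store.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def matching_counter(secret: bytes, submitted: str, unix_time: int,
                     window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Return the counter whose code equals `submitted`, trying the current
    step and `window` steps either side to absorb clock skew. The comparison
    is constant-time. Returns None when nothing matches."""
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = unix_time // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


class TotpVerifier:
    """Per-user verifier that also rejects replay: a code is accepted only if
    its counter is later than the last counter already accepted for this user.
    Persist `last_accepted` alongside the secret in a real system."""

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window
        self.last_accepted = -1

    def verify(self, submitted: str, unix_time: Optional[int] = None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        counter = matching_counter(self.secret, submitted, now, self.window)
        if counter is None or counter <= self.last_accepted:
            return False
        self.last_accepted = counter
        return True


if __name__ == "__main__":
    # RFC 6238 Appendix B, SHA-1 row for T = 59 with 8 digits: 94287082
    print(totp(RFC_SECRET, 59, digits=8))
```

Two things the code deliberately does not do: it never widens the window beyond one step either side (a wide window quietly turns a six-digit code into something brute-forceable), and it never compares codes with `==`, which leaks timing. Rate-limit failed attempts per account as well; TOTP alone does not stop online guessing.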

Understand the threat vectors and the defenses in place to mitigate them.

Threat Vectors:

•Social engineering of the human: phishing, spear-phishing, and whaling emails
•SQL injection and remote code execution (RCE)
•Cross-site scripting (XSS) vulnerabilities
•DDoS attacks
•Server vulnerabilities
•Ransomware
•Malware

Defense, Basic Measures:

•Patching: staying 100% current on all patch levels
•Restrict admin privileges
•Network and application firewalls; application whitelisting
•Pen testing and vulnerability scans
•Two-factor authentication
•Virus protection
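To make two of the threat vectors above concrete, here is an added Python example (not from the article) showing the SQL injection and cross-site scripting patterns beside their hardened forms: string-built SQL versus a parameterized query, and raw echo of user input versus HTML output encoding. The permit-lookup table and the names in it are constructed for the example, and the `demo()` helper is this example's own.

```python
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a public permit-lookup app."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE permits (id INTEGER PRIMARY KEY, owner TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO permits (owner, status) VALUES (?, ?)",
        [("Alice Alvarado", "approved"), ("Bob Baca", "pending"), ("Dana O'Brien", "denied")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str) -> List[Tuple[int, str, str]]:
    """Deliberately vulnerable: the request value is spliced into the SQL text,
    so a quote in the input changes the meaning of the query."""
    sql = "SELECT id, owner, status FROM permits WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, owner: str) -> List[Tuple[int, str, str]]:
    """Hardened: the value is bound as a parameter and can only ever be data."""
    sql = "SELECT id, owner, status FROM permits WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def render_vulnerable(owner: str) -> str:
    """Reflected XSS: the search term is echoed into the page unescaped."""
    return "<p>Results for " + owner + "</p>"


def render_safe(owner: str) -> str:
    """Output encoding: HTML-escape anything echoed into element content."""
    return "<p>Results for " + html.escape(owner, quote=True) + "</p>"


def demo() -> dict:
    """Run both lookup paths against an attack string and a legitimate name
    that happens to contain an apostrophe."""
    conn = make_db()
    injection = "x' OR '1'='1"          # classic tautology: WHERE owner = 'x' OR '1'='1'
    out = {
        "vulnerable_rows": len(lookup_vulnerable(conn, injection)),   # every row leaks
        "safe_rows": len(lookup_safe(conn, injection)),               # no such owner
        "safe_apostrophe": lookup_safe(conn, "Dana O'Brien"),         # legit name works
    }
    try:
        lookup_vulnerable(conn, "Dana O'Brien")
        out["vulnerable_apostrophe_error"] = False
    except sqlite3.OperationalError:
        # The same flaw that enables injection also breaks on honest input.
        out["vulnerable_apostrophe_error"] = True
    return out


if __name__ == "__main__":
    print(demo())
    print(render_vulnerable("<script>alert(1)</script>"))
    print(render_safe("<script>alert(1)</script>"))
```

The apostrophe case is worth showing to developers: the vulnerable query does not just leak data under attack, it throws an error for a resident named O'Brien, so fixing it with parameters is a correctness fix as well as a security one. `html.escape` is the right tool only for element content; values placed into attributes, URLs or script blocks need context-specific encoding.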

TOOLS

•Layer with Commercial off the Shelf (COTS) cyber products
•Provide boundary defense and perimeter filtering by having IDS/IPS in place
•Application whitelisting in place
•Centralized logging of critical systems and events
•Managed DNS considered
•DDoS scrubbing in place
•Inventory of all devices and software; know your environment and risk posture
•Email and web browser monitoring and filtering
•Virus protection, endpoint and server
•Ensure all software and applications, especially content management software, are fully patched
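Centralized logging only pays off if someone, or something, reads the logs. As an added example that is not part of the article, the following Python detection runs over a few constructed sshd syslog lines (the hostnames and addresses are invented, and a year is assumed because syslog timestamps carry none) and raises an alert when one source address fails to log in repeatedly inside a short window, escalating the alert if that address then authenticates successfully, which is the brute-force-then-compromise pattern a SOC should page on. Thresholds and field names are the example's own choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sshd syslog lines (RFC 3164 style, no year) from two hosts.
# 203.0.113.45 hammers several accounts and finally gets in as svc-backup;
# the other two sources are ordinary noise.
SAMPLE_LOG = """\
Mar 12 08:01:02 permits-db sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar 12 08:01:03 permits-db sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51235 ssh2
Mar 12 08:01:04 permits-db sshd[2203]: Failed password for root from 203.0.113.45 port 51236 ssh2
Mar 12 08:01:05 permits-db sshd[2204]: Failed password for svc-backup from 203.0.113.45 port 51237 ssh2
Mar 12 08:01:06 permits-db sshd[2205]: Failed password for svc-backup from 203.0.113.45 port 51238 ssh2
Mar 12 08:01:09 permits-db sshd[2206]: Accepted password for svc-backup from 203.0.113.45 port 51239 ssh2
Mar 12 08:15:30 gis-app sshd[4410]: Failed password for jdoe from 198.51.100.7 port 40001 ssh2
Mar 12 08:15:41 gis-app sshd[4412]: Accepted publickey for jdoe from 198.51.100.7 port 40002 ssh2
Mar 12 09:02:11 gis-app sshd[4420]: Failed password for invalid user test from 192.0.2.9 port 3333 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Syslog timestamps carry no year; assume one fixed year so lines can be ordered.
ASSUMED_YEAR = 2019
EPOCH = datetime(ASSUMED_YEAR, 1, 1)


def parse_line(line: str) -> Optional[dict]:
    """Turn one sshd auth line into an event dict, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    ts = ts.replace(year=ASSUMED_YEAR)
    return {"t": (ts - EPOCH).total_seconds(), "host": m.group("host"),
            "result": m.group("result"), "user": m.group("user"), "ip": m.group("ip")}


def detect_brute_force(lines: List[str], threshold: int = 5, window_s: int = 60) -> List[dict]:
    """Alert when one source IP produces `threshold` failed logins inside
    `window_s` seconds; escalate to 'high' if that IP then authenticates
    successfully while the failure burst is still inside the window."""
    recent: Dict[str, deque] = defaultdict(deque)   # ip -> (time, user) of recent failures
    alerts: Dict[str, dict] = {}
    for ev in filter(None, map(parse_line, lines)):
        q = recent[ev["ip"]]
        while q and ev["t"] - q[0][0] > window_s:
            q.popleft()                              # expire failures outside the window
        if ev["result"] == "Failed":
            q.append((ev["t"], ev["user"]))
            if len(q) >= threshold:
                a = alerts.setdefault(ev["ip"], {"ip": ev["ip"], "host": ev["host"],
                                                 "severity": "medium"})
                a["failures"] = len(q)
                a["users"] = sorted({u for _, u in q})
        elif ev["ip"] in alerts and q:
            alerts[ev["ip"]]["severity"] = "high"
            alerts[ev["ip"]]["compromised_user"] = ev["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

The same shape of rule (failures per source, then a success from that source) applies to VPN, RDP and web-portal logs once they are parsed into the same event fields, which is the practical argument for centralizing logs in one place with one schema rather than leaving each system to keep its own.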

In closing, enterprises face cyber threats and attacks every day. It’s not if a cyber breach will occur, but when, and how significant it will be. A single cyber security breach can materially affect the operational and financial capabilities of any organization or cause a significant service level disruption. Governance and oversight of the organization’s cyber security posture is priority one.

Copyright © 2019 CIOApplications. All rights reserved. Registration on or use of this site constitutes acceptance of our Terms of Use and Privacy Policy |  Sitemap  |  Subscribe

https://government.cioapplications.com/cxoinsights/implementing-an-effective-public-sector-cyber-security-program-nid-1542.html