The intent of designating October as National Cyber Security Awareness Month is to engage and educate the public and private sectors, with the goal of raising awareness of cyber security threats and of the planning and deployment options available to confront them. With this goal in mind, PTI continues to be at the forefront of collecting information, facilitating discussion, and sharing and raising awareness of cyber security and national resiliency planning efforts.
PTI shares the following information generated from our State and local membership and from PTI staff to support your cyber security planning and deployment efforts.
Shortly before Super Storm Sandy battered New Jersey in October 2012, the Office of Homeland Security and Preparedness (OHSP) and the Office of Information Technology (OIT) began to evaluate the State's cyber security and emergency preparedness in Information Technology. Sandy put a temporary halt to the assessment, even as it provided an unprecedented, real-world test of how well the State's IT infrastructure, personnel and procedures would perform during a significant natural disaster. Among the lessons learned, Sandy's landfall reinforced the critical need for an accurate and complete assessment of State IT preparedness, and, after the storm, OHSP and OIT resumed the development and data-gathering process with commitment to the goal of creating an assessment tool for measuring State readiness, in the three primary areas of Cyber Security, IT Disaster Recovery and IT Continuity of Operations.
In 2013, the first Cyber Security, DR and Continuity of Operations assessment survey tool was delivered to and answered by the State of New Jersey agencies and departments.
The results were used to create a baseline for future assessment surveys. Significantly, the first assessment tracked where agencies had their lowest scores for Red – Significant Risks and Yellow – Improvement Required. OHSP and OIT used this data to come up with a list of the top 10 risks for Cyber Security.
In light of the headline-grabbing information security breaches in the last year – Target, eBay, Adobe, etc. – Sacramento County is on high alert to protect our valuable information assets. Unfortunately, the silver bullet we are all looking for to prevent these cyber-attacks doesn't exist. Today's cyber criminals are too persistent and adaptable to be turned away by traditional countermeasures. Ever-changing attack protocols require adaptive, multi-layered "defense-in-depth" strategies.
If you consider a Layered Defense Model consisting of a perimeter, network, host, application, and data, Sacramento County has implemented solutions at each of the layers. We have firewall and intrusion protection systems on the perimeter and intrusion detection systems at the network layer, creating the "hard outer shell" in place now.
Moving inward, we have implemented antivirus and vulnerability scanning systems, providing security at the host layer. Our patch management policy identifies unpatched systems to the Chief Information Security Officer (CISO), which are then held to compliance. Within the next year, we hope to evaluate and implement a host intrusion detection system (HIDS). At the application and data layers, we've implemented web application firewalls (WAF) and have a strong system development life cycle (SDLC). We hope to implement network access control (NAC) and data loss prevention systems in the near future.
Our current projects are the implementation of security information and event management (SIEM), defense against advanced persistent threats (APT), and end user information security training.
Mesa's Security Program has evolved like many others – from basic security, to focusing on meeting Payment Card Industry (PCI) compliance as our ecommerce transactions grew, to a full-fledged formal security program involving many city departments, multiple tools and constant change! As the "bad" guys continue to increase the stakes, Mesa is taking a comprehensive formal program approach to our Cyber defense. From implementing unified threat management to "fake" phishing assessments for measuring employee behavior to policy and risk assessment processes, Mesa will continue to seek to up our game in support of our cyber defense.
Because cyber security concerns are usually handled by Internet-focused industries and IT departments, local governments may not typically consider vulnerabilities of computer systems to unauthorized use or attack.
However, with the increased use of interconnected, Internet-based technology in the energy industry, and with recent attempts to harm energy sector control systems, cyber security is an increasing concern for energy assurance planners.
To mitigate the risk of cyber-attack, it is necessary to harden computer and information systems by making them less vulnerable to external influences. This 15-page LEAP guidance document from PTI outlines cybersecurity standards, practices and concerns relevant to local energy assurance.
This guidance document can be found at this link.
This dynamic and focused discussion examined the critical nature of securing local government data and infrastructure. Three CIOs from large and small, rural and suburban jurisdictions shared their actionable steps in securing their jurisdiction's data and infrastructure. They also spoke to how large localities can provide services and partner with smaller towns, cities, counties, and even states. They provided action items like self-assessment tools and "take aways" on how you "can begin today no matter where you are in your security process."
David Whicker, CIO, Rockingham County, NC
David Freeman, CIO, Limestone County, AL
Phil Bertolini, Deputy County Executive/CIO, Oakland County, Michigan
Alan Shark, Executive Director, PTI