Assessing cyber readiness—Where to begin?
Cities and counties are about to take part in the nation’s first and largest cybersecurity funding program for local governments. The infrastructure spending bill President Biden signed into law in late 2021 includes a cybersecurity grant program with $1 billion of funding through fiscal year 2025, designed to enhance jurisdictions’ security postures. As we all wait for the final rules, it has become clear that many public managers and IT leaders are still trying to work out where to begin. Aside from the obvious, which is keeping all communications lines open for any substantive announcements, this is the time to take a hard look at the current state of cybersecurity in one’s city or county government. What follows is a set of key groupings that can serve as a guide to plan ahead and to assess what you have, so you can better articulate what you still need.
Taking inventory
A cyber readiness assessment begins with a careful inventory of what one has. After all, you can’t manage what you don’t know about and can’t see. This is called asset management. It is important to maintain an active asset management program that tracks all hardware and software a jurisdiction owns. What types of hardware are in use, and is each device assigned to a particular individual? Records should indicate when a device was purchased and when it is retired. It is also important to know the projected end-of-life or end-of-support date of each device and operating system for strategic planning, since unsupported systems stop receiving security patches. Records should also include which updates and versions have been applied and when.
Which software applications are in use, and at which versions? It is also useful to have a firm grasp of how many user licenses are active and of who has access to which applications.
A clear understanding of which hardware and software systems are actually in use is critical to understanding what needs to be protected and how; an unrecorded device or application is one that nobody is patching or monitoring.
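The inventory described above is only useful if it is checked against reality. The following is an added example, not code from the article or from PTI: it reconciles a small asset register against what a network discovery scan actually found and against vendor end-of-support dates, flagging unregistered devices, registered devices that are no longer seen, and systems that are unsupported or about to be. The register rows, scan rows, field names and the end-of-support table are all constructed sample data; real lifecycle dates must be taken from the vendor.

```python
"""Reconcile an asset register against network discovery and end-of-support dates.

Added example (not from the article). All records below are constructed sample
data and the field names are assumptions about a CSV export from an asset
register and a discovery scan.
"""
from datetime import date

# Constructed asset register: what the jurisdiction *thinks* it has.
ASSET_REGISTER = [
    {"hostname": "fin-ws-01", "owner": "j.doe", "os": "Windows 10", "os_version": "21H2", "purchased": "2019-03-01"},
    {"hostname": "fin-ws-02", "owner": "a.smith", "os": "Windows 10", "os_version": "22H2", "purchased": "2021-06-15"},
    {"hostname": "clerk-srv", "owner": "it", "os": "Windows Server 2012 R2", "os_version": "9600", "purchased": "2014-01-10"},
    {"hostname": "pw-laptop-7", "owner": "r.lee", "os": "Windows 11", "os_version": "23H2", "purchased": "2023-02-01"},
]

# Constructed discovery output (scanner or DHCP leases): what is *actually* on the network.
DISCOVERED = [
    {"hostname": "fin-ws-01", "ip": "10.10.1.21"},
    {"hostname": "fin-ws-02", "ip": "10.10.1.22"},
    {"hostname": "clerk-srv", "ip": "10.10.2.5"},
    {"hostname": "DESKTOP-8K2JQ1", "ip": "10.10.1.77"},  # nobody registered this one
]

# Constructed end-of-support dates keyed by (os, version). Verify against the vendor's
# published lifecycle before relying on them.
END_OF_SUPPORT = {
    ("Windows 10", "21H2"): date(2023, 6, 13),
    ("Windows 10", "22H2"): date(2025, 10, 14),
    ("Windows Server 2012 R2", "9600"): date(2023, 10, 10),
    ("Windows 11", "23H2"): date(2025, 11, 11),
}

REVIEW_DATE = date(2024, 1, 15)  # the day the assessment is run (constructed)


def unregistered_devices(register, discovered):
    """Hosts seen on the network that have no row in the register (shadow IT, rogue devices)."""
    known = {r["hostname"].lower() for r in register}
    return sorted(d["hostname"] for d in discovered if d["hostname"].lower() not in known)


def missing_devices(register, discovered):
    """Registered hosts the scan did not see: retired but never removed, or possibly walked out the door."""
    seen = {d["hostname"].lower() for d in discovered}
    return sorted(r["hostname"] for r in register if r["hostname"].lower() not in seen)


def end_of_support_findings(register, eos_table, today, horizon_days=180):
    """(hostname, status, eos_date) for assets with no known lifecycle, already
    unsupported, or within `horizon_days` of losing vendor support."""
    findings = []
    for r in register:
        eos = eos_table.get((r["os"], r["os_version"]))
        if eos is None:
            findings.append((r["hostname"], "unknown-lifecycle", None))
        elif eos < today:
            findings.append((r["hostname"], "unsupported", eos))
        elif (eos - today).days <= horizon_days:
            findings.append((r["hostname"], "expiring", eos))
    return findings


def readiness_report(register=ASSET_REGISTER, discovered=DISCOVERED,
                     eos_table=END_OF_SUPPORT, today=REVIEW_DATE):
    """Bundle the three reconciliation checks into one report."""
    return {
        "unregistered": unregistered_devices(register, discovered),
        "missing": missing_devices(register, discovered),
        "lifecycle": end_of_support_findings(register, eos_table, today),
    }


if __name__ == "__main__":
    for key, value in readiness_report().items():
        print(f"{key}: {value}")
```

In practice the register and discovery lists would be loaded from the asset management system and a scanner export rather than typed in; the point of the reconciliation is that the unregistered device and the unsupported server are exactly the items nobody is patching, and the report gives a concrete line item for the grant rationale.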
IT assessment and perimeter audit
Just as financial audits are routine, it is becoming at least as important to conduct an IT audit, preferably by an outside expert or firm. Even the best IT leaders can benefit from such a review. The purpose is to examine a government’s operation from the outside in. In some cases a penetration test (often shortened to “pen test”), scoped to the external perimeter, can be a useful part of an overall IT assessment: an ethical hacker, working under an agreed scope and rules of engagement, looks for ways to break into the government’s systems and reports the specific vulnerabilities found. Understanding current and potential vulnerabilities in turn helps IT managers plan how to strengthen and reinforce their systems.
Identity management and access
A review of identity management and access is the next logical step. Identity management covers authentication (passwords and other credentials) and access control. Does everyone have access to most files and systems? If the answer is mostly yes, it is time to develop policies and procedures that define who really needs access to which systems and records. The more access that can be removed because it is not needed, the more secure your systems; this is the principle of least privilege. Because governments process and store sensitive and personally identifiable information, multifactor authentication is becoming a must; most financial institutions already require it of their customers. Controlling who has access, and what it takes to sign in, is critical to protecting government operations. This includes adhering to policies for staff who leave the organization. All too often, the accounts of employees who have left government service, whether the parting was amicable or not, are carelessly left active.
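An access review of the kind described above can be made routine rather than heroic. The following is an added example, not code from the article or from PTI: it joins an HR separation list against a directory export and flags accounts of departed staff that are still enabled (and any logon recorded after the separation date), dormant accounts, and enabled accounts in privileged groups that have no multifactor authentication. The separation list, the account export, the group names and the column names are constructed assumptions about what an HR system and a directory such as Active Directory would export.

```python
"""Leaver, dormancy and MFA checks over a directory export.

Added example (not from the article). SEPARATIONS and ACCOUNTS are constructed
sample data; the column names and the privileged-group list are assumptions
about a CSV export from HR and from a directory such as Active Directory.
"""
from datetime import date, timedelta

# Constructed HR separations: who left and on what date.
SEPARATIONS = [
    {"user": "bjones", "separated": date(2024, 1, 5)},
    {"user": "mgarcia", "separated": date(2024, 2, 20)},
    {"user": "twhite", "separated": date(2024, 3, 1)},
]

# Constructed directory export as of the review date.
ACCOUNTS = [
    {"user": "bjones", "enabled": True, "last_logon": date(2024, 2, 28), "mfa": False,
     "groups": ["Domain Users", "Finance-RW"]},
    {"user": "mgarcia", "enabled": False, "last_logon": date(2024, 2, 19), "mfa": True,
     "groups": ["Domain Users"]},
    {"user": "twhite", "enabled": True, "last_logon": date(2024, 2, 27), "mfa": True,
     "groups": ["Domain Users", "Domain Admins"]},
    {"user": "kpatel", "enabled": True, "last_logon": date(2023, 9, 1), "mfa": False,
     "groups": ["Domain Users"]},
    {"user": "svc-backup", "enabled": True, "last_logon": date(2024, 3, 3), "mfa": False,
     "groups": ["Domain Users", "Backup Operators"]},
]

# Assumption: the jurisdiction decides which groups count as privileged.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators", "Finance-RW"}

REVIEW_DATE = date(2024, 3, 4)  # constructed review date


def leaver_findings(separations, accounts, review_date, grace_days=1):
    """Separated staff whose account is still enabled past the grace period, plus
    any logon recorded after the separation date (a possible-misuse signal)."""
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for s in separations:
        acct = by_user.get(s["user"])
        if acct is None:
            continue  # already deleted from the directory: nothing to flag
        deadline = s["separated"] + timedelta(days=grace_days)
        if acct["enabled"] and review_date > deadline:
            findings.append((s["user"], "still-enabled", (review_date - s["separated"]).days))
        if acct["last_logon"] > s["separated"]:
            findings.append((s["user"], "logon-after-separation", (acct["last_logon"] - s["separated"]).days))
    return findings


def dormant_accounts(accounts, review_date, max_idle_days=90):
    """Enabled accounts nobody has used for longer than the policy allows."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and (review_date - a["last_logon"]).days > max_idle_days)


def privileged_without_mfa(accounts, privileged_groups):
    """Enabled members of privileged groups with no MFA. Service accounts will
    show up here too; they need a different control, but still deserve review."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and not a["mfa"] and privileged_groups & set(a["groups"]))


def access_review(separations=SEPARATIONS, accounts=ACCOUNTS, review_date=REVIEW_DATE,
                  privileged_groups=PRIVILEGED_GROUPS):
    """One report covering the three checks above."""
    return {
        "leavers": leaver_findings(separations, accounts, review_date),
        "dormant": dormant_accounts(accounts, review_date),
        "privileged_without_mfa": privileged_without_mfa(accounts, privileged_groups),
    }


if __name__ == "__main__":
    for key, value in access_review().items():
        print(f"{key}: {value}")
```

The logon-after-separation check is the one most reviews miss: an account that was merely forgotten is an exposure, but an account that was forgotten and then used is an incident, and the two call for different responses.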
Zero trust policies
While considered a subpart of identity management, “zero trust” has become an important framework for governing access to government systems. When the internet first appeared, it was built for different purposes and designed as an open, trusted environment; at that time it served primarily research institutions and military interests, all of whom trusted one another. Today the internet has grown exponentially, and we have all become painfully aware that there are plenty of bad actors with malicious and sometimes evil intentions. At the heart of zero trust is a revised way of thinking: no user or device is trusted simply because it sits on the internal network or has signed in before. Every request is authenticated and authorized, and access is granted only to what is needed. This is contrary to decades of policies that essentially trusted anyone inside the perimeter. This is the time to recognize the shift and change policies accordingly.
Back-up integrity, data and application recovery
All too often public institutions have been forced either to pay a ransom or to spend months or years rebuilding compromised systems. To this day, too many local governments have poor or inadequate backup procedures and systems. The subject could fill a separate article, but suffice it to say that there are established practices for protecting backups of both records and applications: keep at least one copy offline or otherwise immutable, so that ransomware that reaches the network cannot encrypt or delete it, and test restores regularly, since a backup that has never been restored is only a hope. Yes, there is an expense to doing this, but the cost of restoring without good backups is often dramatically greater, so backups should be an integral part of any cybersecurity mitigation and risk minimization policy.
Mobile device management (MDM) policy and controls
Even before the pandemic, mobile device growth was off the charts; many local governments have more than 50 percent of staff working in a mobile environment. As with asset management, it is important to know where all your mobile devices are and who has primary responsibility for each. MDM policies include making sure that every mobile device has the latest patches and software updates installed, that storage is encrypted, and that a lost or stolen device can be locked and wiped remotely. Mobile devices, whether laptops, cellphones or tablets, are extensions of a government’s network, and it is critical that all of them be well protected.
Continuous vulnerability monitoring
This used to be one of the most boring jobs in IT. Continuous monitoring meant staff reviewing logs of all network traffic, looking for anomalies to flag for further review and possible investigation. Today, many excellent IT service providers offer remote monitoring and/or software that automates the monitoring process; bear in mind that automation finds what it is tuned to find, and someone still has to triage and act on the alerts. This would be a perfect time to review current solutions and determine whether more is needed. This is another category the new federal cyber funds can be used for.
Staff competencies, training and certifications
All too often overlooked are IT certification and training. Now is the time to review the qualifications of current staff: what certifications do they hold and, as importantly, when were they last recertified? Today’s systems are changing at a faster pace than ever before, and staying current on existing and new systems has become more important than ever. There needs to be a greater commitment to training and certification if public managers expect their systems to be properly maintained and safeguarded. Government technology has grown in complexity and plays a greater role in daily operations. As our dependency on technology grows, so too does the need for better trained individuals.
Cyber awareness training
Given the growth and nature of cybersecurity attacks, cyber awareness training can no longer be a once-a-year required training segment. Cybersecurity awareness must be a continuous process of learning and sharing, making sure that everyone understands the nature of the risks and the potential for human error. There are excellent programs and companies that provide such services.
Conduct continuous tabletop exercises
Like public safety agencies, local governments need to practice their cybersecurity response through training exercises such as tabletop simulations. Practice is more important than ever: when a cyber-attack occurs there is little time for error, and decisions about what to do, how to respond, and how to communicate while systems are down must already have been rehearsed.
Each of the above categories can be used, one way or another, to apply for state or federal assistance by way of a grant. Now is the time to assess what you have and what you will need. Your shopping list may be ready—but what about your rationale?
Dr. Alan R. Shark is the vice president, public sector, and executive director of the CompTIA Public Technology Institute (PTI) in Washington D.C. He is a fellow of the National Academy for Public Administration and chair of the Standing Panel on Technology Leadership. He is an associate professor at the Schar School of Policy and Government, George Mason University, and a course developer/instructor at the Rutgers University Center for Government Services. He is also the host of the popular bi-monthly podcast, CompTIA Sharkbytes. Dr. Shark’s thought leadership activities include keynote speaking, blogging, and authoring or co-authoring more than 12 books, including the nationally recognized textbook “Technology and Public Management” as well as “CIO Leadership for Cities and Counties.”