Frequently Asked Questions (FAQ IT Security)

Are cyber security threats increasing?

Yes. Threats are growing rapidly in sophistication, intensity, diversity and volume. Cyber experts report a significant escalation in external cyber attacks, especially from criminal organizations and foreign state-sponsored actors.

Reproduced from the 2014 Deloitte-NASCIO Cybersecurity Study "State governments at risk: Time to move forward"

Hacking, malware, ransomware and cyber terrorism are all part of the evolving landscape of threats facing government organizations. Governments at all levels are inherently “open” organizations and this makes their digital assets attractive targets. Government information resources are becoming increasingly more difficult to protect as more processes become digital and citizen services move online. Since the 1990s state and local governments have made progress, but it has been incremental.

Do mobile devices present security risks?

Mobile devices bring great utility in terms of convenience and allowing individuals to be “online all the time.” Governments have widely deployed mobile devices for accessing resources and for greater workforce productivity. However, the use of mobile devices for communicating and sharing data creates inherent security issues and adds more points of access to the network. Mobile malware threats are growing, and the loss or theft of a device remains a significant security concern. Additional risks are personal devices being used in the workplace and reliable authentication of the user. The National Institute of Standards and Technology (NIST) publication “Guidelines for Managing the Security of Mobile Devices in the Enterprise” (SP 800-124) outlines a number of practices that government organizations should follow.

What are the top five barriers in addressing cyber security?

Even as CISOs better define their roles and become an integral part of state government, they continue to face challenges, particularly in securing the resources they need to combat ever-evolving cybersecurity threats. Four-fifths (80 percent) of respondents say inadequate funding is one of the top barriers to effectively address cybersecurity threats, while more than half (51 percent) cite inadequate availability of cybersecurity professionals (figure 6). Survey evidence suggests that when CISOs develop and document strategies—and get those strategies approved—they can command greater budgets and attract or build staff with the necessary competencies.

How do we fund cyber security?

Cyber security will require funding for creating the necessary capabilities that include tools and training for cyber security. However, cyber security must be “baked into” every project, program and management initiative – and not be an administrative afterthought. Cyber security must be understood as an inherent cost of doing business and must be a component of every budget.

A direct correlation can be seen between having an established strategy and obtaining more full-time equivalents (FTEs) dedicated to cybersecurity, as well as year-over-year budget increases (figure 7). For example, 11 out of 33 states that have an approved strategy reported they have more than 15 FTEs dedicated to cybersecurity, and 16 out of 33 states with an approved strategy reported they had an increase in budget. An approved and proactively communicated strategy can also help CISOs overcome another barrier: “lack of visibility and influence in the enterprise,” an ongoing challenge in the largely federated governance model in state government.

What capabilities are necessary components of a cyber security strategy?

Traditional approaches focused on preventive, risk-based protective measures, where risk-based means that the investment in security is a function of the perceived value of the information being protected. Those approaches remain necessary. However, state government must now add two further capabilities: vigilance and resilience.

Vigilance is continuous monitoring for threats so that intrusions are detected early. Resilience is the ability to respond to and recover from incidents. Both capabilities must be continually enhanced to keep pace with the growing threat landscape.

Doesn’t everyone already know about cyber security?

People know about cyber security, but they do not know enough to protect themselves. Most people may even understand the imperative for protecting data and the fact that cyber threats are getting worse. However, effective cyber security is an ongoing, maturing capability, not only for the government enterprise but for the individuals employed by or served by state government. This capability must be continually exercised, tested and strengthened through awareness training, to combat not only deliberate cyber threats but also accidental or unintentional cyber events.

What are the core components of a state and local government cyber security program?

NASCIO defined what is termed a “Core IT Security Services” taxonomy which presents twelve necessary service categories.

See the NASCIO report, The Heart of the Matter: A Core Services Taxonomy for State IT Security Programs, 2011 (PDF), available from www.nascio.org/publications.

How can I learn more about cybersecurity?

See the following reports, available at www.nascio.org/publications:

  • Capitals in the Clouds Part IV – Cloud Security: On Mission and Means
  • NASCIO Cybersecurity Awareness Resource Guide
  • Capitals in the Clouds Part V: Advice from the Trenches on Managing the Risk of Free File Sharing Cloud
  • The Heart of the Matter: A Core Services Taxonomy for State IT Security Programs
  • Security at the Edge — Protecting Mobile Computing Devices
  • Security at the Edge: Protecting Mobile Computing Devices Part II: Policies on the Use of Personally Owned Smartphones in State Government
  • Protecting the Realm: Confronting the Realities of State Data at Risk

ISO/IEC 27001 (ISO27001) is the international standard for information security management. It specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).

See About the Critical Infrastructure Cyber Community C³ Voluntary Program at http://www.dhs.gov/about-critical-infrastructure-cyber-community-c%C2%B3-voluntary-program

Do cloud services create new cyber security issues?

Yes. Cloud services promise to provide flexibility, scalability, measured service and certain cost efficiencies, but also present additional security risks associated with authentication, access and storage of government data. The total economic cost and different security elements of cloud services must be fully understood when evaluating cloud computing in general and the various deployment models (public, private, hybrid, community). Consumer-based cloud services used by government workers present additional risks because they may not offer rigorous security controls.

See the following report that provides more details on this issue: Capitals in the Clouds Part V: Advice from the Trenches on Managing the Risk of Free File Sharing Cloud (PDF, available from NASCIO Publications).

How significant is privacy as a component of cyber security?

Very significant. There has been unprecedented growth of social media, personal cloud services, and employees using personal devices and third-party applications. This has been accompanied by high-profile stories on data breaches and even government access to citizens’ personal information. The issues cited by state Chief Information Security Officers include unauthorized access to personal information, compliance with state statutes on privacy, and managing information sharing with third parties.

The leading privacy concerns can be addressed by state government by aligning operational practices with privacy policy.

What are states doing regarding cyber awareness and training?

Cyber security has consistently been a top concern for state CIOs, topping the list of their priorities for 2015. According to the 2014 Deloitte-NASCIO Cybersecurity Study (PDF), training and awareness is in the top five cyber security initiatives across the states. More information on what states are doing is available in the NASCIO 2014 Cybersecurity Awareness Resource Guide, available at www.nascio.org/publications.

What is the Nationwide Cyber Security Review (NCSR)?

The NCSR, or Nationwide Cyber Security Review, is a voluntary self-assessment survey designed to evaluate cyber security management at the state and local level. Congress directed the Department of Homeland Security (DHS) to assess the cyber security of all levels of government.

In recognition of that need, DHS developed the Nationwide Cyber Security Review (NCSR) to identify the level of maturity and risk awareness of state and local government information security programs. The NCSR is currently administered by the MS-ISAC in collaboration with DHS, NASCIO and the National Association of Counties (NACo).

Is there general guidance for helping government officials understand cyber security risks and key action steps?

The National Governors Association released recommendations regarding cyber security that may be helpful, including Act and Adjust: A Call to Action, which recommends:

  • Establish a governance and authority structure for cyber security;
  • Conduct risk assessments and allocate resources accordingly;
  • Implement continuous vulnerability threat monitoring practices;
  • Ensure compliance with current security methodologies and business disciplines; and
  • Create a culture of risk awareness.

Access the full report at http://www.nga.org/cms/home/nga-center-for-best-practices/center-publications/page-hsps-publications/col2-content/main-content-list/act-and-adjust-a-call-to-action.html

How do I go about finding qualified cyber security professionals to secure networks and data against cyber threats?

The National Initiative for Cybersecurity Education (NICE) developed a Workforce Framework to give educators, students, employers, employees, training providers and policy makers a systematic way to organize how we think and talk about cyber security work and what is required of the cyber security workforce. The Workforce Framework is a national resource that categorizes, organizes, and describes cyber security work.

See more information at http://niccs.us-cert.gov/training/national-cybersecurity-workforce-framework

How do I go about organizing a comprehensive approach to cyber security in my organization?

The best place to start may be with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The Framework is a guide that leverages current standards, guidelines, and best practices. The Framework provides a common taxonomy and mechanism for organizations to:

  • Describe their current cyber security posture;
  • Describe their target state for cyber security;
  • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  • Assess progress toward the target state;
  • Communicate among internal and external stakeholders about cyber security risk.

More information is available at http://www.nist.gov/cyberframework/

What is continuous diagnostics and mitigation/monitoring (CDM)?

Continuous Diagnostics and Mitigation/Monitoring (CDM) is a methodology that moves away from historical compliance reporting and toward combating threats to the nation’s networks on a real time basis.

The federal government has established a program to provide tools and services that enable Federal and other government entities to utilize CDM to strengthen the security posture of their cyber networks. Federal, state, local, and regional governments, in addition to defense organizations, can benefit from a new blanket purchase agreement (BPA) called Continuous Monitoring as a Service (CMaaS) to strengthen their information technology networks. The CMaaS BPA is managed by the U.S. Department of Homeland Security’s Continuous Diagnostics and Mitigation Program (CDM) and the General Services Administration (GSA).

The goal of the CMaaS BPA and CDM Program is to provide a consistent, government-wide set of continuous diagnostic solutions to enhance defenders’ abilities to identify and mitigate emerging cyber threats through risk-based decision making. For an overview of the CDM program, please visit DHS.gov/cdm.
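The vigilance capability described earlier (continuous monitoring for early detection) and the shift from periodic compliance reporting to real-time diagnostics described here are the same idea at different scales. The following is an added example, not code from DHS, GSA or the CDM program, that shows what the shift looks like in practice: every asset-inventory event is checked against policy as it arrives, so an unauthorized device or an overdue critical vulnerability is raised as soon as the state changes rather than at the next reporting cycle. The authorized-host list, the remediation SLAs, the risk weights, the event format and the timeline are all constructed assumptions; the vulnerability IDs are placeholders, not real CVE identifiers.

```python
"""Continuous diagnostics over an asset-state event stream.

Added example, not code from DHS, GSA or the CDM program. Every inventory
event is evaluated against policy when it arrives, and hosts are ranked by a
risk-weighted score for remediation. The inventory, SLAs, weights and event
format are assumptions.
"""
from dataclasses import dataclass, field

AUTHORIZED_HOSTS = {"dmv-web-01", "dmv-db-01", "hr-fs-01"}     # assumed inventory
PATCH_SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}    # assumed remediation SLAs
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
UNAUTHORIZED_PENALTY = 8                                       # assumed risk weight


@dataclass(frozen=True)
class Event:
    day: int            # day number on the constructed timeline
    kind: str           # "host_seen" | "vuln_open" | "vuln_closed"
    host: str
    vuln_id: str = ""   # placeholder IDs such as "V-1", not real CVE identifiers
    severity: str = ""


@dataclass(frozen=True)
class Finding:
    day: int
    host: str
    rule: str
    score: int


@dataclass
class Monitor:
    """Current asset state plus the rules evaluated on every event."""
    known_hosts: set = field(default_factory=set)
    open_vulns: dict = field(default_factory=dict)   # (host, vuln_id) -> (severity, day opened)
    reported: set = field(default_factory=set)       # (host, rule) already raised, to avoid repeats

    def ingest(self, ev: Event) -> list[Finding]:
        if ev.kind == "host_seen":
            self.known_hosts.add(ev.host)
        elif ev.kind == "vuln_open":
            self.open_vulns[(ev.host, ev.vuln_id)] = (ev.severity, ev.day)
        elif ev.kind == "vuln_closed":
            self.open_vulns.pop((ev.host, ev.vuln_id), None)
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
        return self.evaluate(ev.day)

    def evaluate(self, today: int) -> list[Finding]:
        """Run every rule against the current state; emit each (host, rule) once.

        Evaluation is triggered by events here; a real deployment would also
        run it on a timer so that a quiet network still has its SLAs checked.
        """
        candidates = []
        for host in self.known_hosts - AUTHORIZED_HOSTS:
            candidates.append(Finding(today, host, "unauthorized-device", UNAUTHORIZED_PENALTY))
        for (host, vuln_id), (sev, opened) in self.open_vulns.items():
            sla = PATCH_SLA_DAYS.get(sev)
            if sla is not None and today - opened > sla:
                candidates.append(Finding(today, host, f"overdue-{sev}:{vuln_id}",
                                          SEVERITY_WEIGHT.get(sev, 0)))
        new = [f for f in candidates if (f.host, f.rule) not in self.reported]
        self.reported.update((f.host, f.rule) for f in new)
        return new

    def host_risk(self) -> list[tuple[str, int]]:
        """Risk-weighted ranking of hosts, highest first, for remediation planning."""
        score = {h: 0 for h in self.known_hosts}
        for (host, _), (sev, _) in self.open_vulns.items():
            score[host] = score.get(host, 0) + SEVERITY_WEIGHT.get(sev, 0)
        for host in self.known_hosts - AUTHORIZED_HOSTS:
            score[host] += UNAUTHORIZED_PENALTY
        return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


def run(events: list[Event]) -> tuple[list[Finding], list[tuple[str, int]]]:
    """Replay a stream in day order and return (findings raised, current host ranking)."""
    mon = Monitor()
    findings: list[Finding] = []
    for ev in sorted(events, key=lambda e: e.day):
        findings.extend(mon.ingest(ev))
    return findings, mon.host_risk()


# Constructed timeline for illustration only.
EVENTS = [
    Event(1, "host_seen", "dmv-web-01"),
    Event(1, "host_seen", "dmv-db-01"),
    Event(2, "vuln_open", "dmv-web-01", "V-1", "critical"),
    Event(3, "vuln_open", "dmv-db-01", "V-2", "medium"),
    Event(10, "host_seen", "unknown-laptop-7"),     # not in the authorized inventory
    Event(12, "vuln_closed", "dmv-db-01", "V-2"),
    Event(20, "host_seen", "dmv-web-01"),           # V-1 is now 18 days old, past the 15-day SLA
]

if __name__ == "__main__":
    findings, risk = run(EVENTS)
    for f in findings:
        print(f"day {f.day:>2}: {f.host} {f.rule} (score {f.score})")
    print("host risk ranking:", risk)
```

A compliance snapshot taken on day 9 of this timeline would have reported a clean inventory and no overdue findings; the continuous evaluation raises the rogue laptop on day 10 and the overdue critical vulnerability on day 20, and the host ranking tells the defender where to spend the next remediation hour.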
