Writer’s note: As I get close to completing my role as a featured contributor for GovLoop, I was trying to think of a good topic to end on.
Hopefully, this resonates with readers from organizations who have not been able to make the initial jump into something of a formal approach to information security (infosec), or don’t know where to begin.
By no means is this intended to be a comprehensive list. Sure, there are common things that all organizations should do. But the details are and should be different based on each agency.
Unique needs aside, if you start thinking along these lines, you will certainly be headed in the right direction. And for those agencies who are larger or more mature in their infosec journey, this blog might be a good reminder to check that you’re still doing the basics!
Inventory of Agency Services
What does your agency do for the public? This might seem obvious, but depending on the size and complexity of your org, this might be more difficult to articulate than you think.
I used to work for a fairly small town as its IT manager, and a common sentiment amongst management was that small towns have to provide the same type of services that the largest cities in the county do. That is true for the most part – there might be minor differences here or there, but there is an expectation that like government agencies provide like services.
With this said, what are the most important services? Without question, 99% of all orgs say public safety is their top priority. Great. What services are critical to meeting the vision and mission of public safety?
Then, what’s number two?
Not that you have to go through this in priority order, but generally speaking, you want to document which services are critical. Why? Because otherwise, how are you going to decide what to focus your limited resources on that will have the greatest impact to the organization?
NOTE: I highly recommend that you document these priorities associated with functions/departments within the agency. Why? Because I suspect (based on previous experience, by the way) that if you ask department directors what service is most important, they will be inclined to prioritize their own. Conversely, if you got all the directors in a room together to independently rank the services in order of importance, chances are good that no one would have identical responses. By documenting these services, you can:
- Make sure your list is comprehensive (enough for planning purposes, that is).
- Get the blessing from your executive management/elected officials that the list and priorities are accurate.
- Make sure director level/managers, etc. are all on the same page (or at least acknowledge the agreed-upon priorities).
Eat Your InfoSec Vegetables
This may get a bit technical, but I will do my best to keep it intelligible. This is where that list of common things for all orgs comes into play. However, even with each of these, there are priorities to be defined:
- Scanning of vulnerabilities and patching
You have to do this. If you are not, you are a ticking time bomb – or worse, you have already been compromised and maybe don’t know it. (Check this link out to see the average amount of time for a company to detect they have a data breach.)
NOTE: I have never met an org, public or private, that has patched 100% of its systems, applications, network devices, etc. It just doesn’t happen due to the resources it would take to accomplish this.
Assuming this is the case for you, take a look at your services and how you provide them. I won’t go into technical detail about things like, do you have a zero-trust model implemented for your services, etc. But if you can’t patch everything, pick the most critical ones. And if you can’t get to all of those, pick the ones that would directly impact key public services.
NOTE: This is quite oversimplified but the idea is this – scan everything you can to see what risks exist. Once you do, then make an educated decision on what you’re going to patch based on criticality of the service that may be impacted if you don’t patch. Once you do this, then discuss with management what remaining risk there is from unpatched systems and let them decide if they can live with the residual risk.
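To make that triage concrete, here is an added example (not from the author or any particular scanning product) that orders scan findings by the rank of the most critical service each asset supports, fills the available staff hours, and lists what is left over as residual risk for management. The service names, asset names, scores and hour estimates are all constructed for illustration.

```python
from typing import NamedTuple

# Constructed inventory: rank 1 = most critical service, as agreed with management.
SERVICE_RANK = {"911 dispatch": 1, "utility billing": 2, "parks registration": 3}

# Constructed mapping of assets to the services they support.
ASSET_SERVICES = {
    "cad-db01": ["911 dispatch"],
    "web-pay01": ["utility billing"],
    "file-srv02": ["utility billing", "parks registration"],
    "kiosk-07": ["parks registration"],
    "test-vm03": [],  # supports no documented service
}

class Finding(NamedTuple):
    asset: str
    title: str
    severity: float  # scanner score, 0-10
    hours: int       # estimated effort to patch

# Constructed scan output.
FINDINGS = [
    Finding("kiosk-07", "outdated browser", 9.1, 2),
    Finding("cad-db01", "database missing security update", 7.5, 6),
    Finding("web-pay01", "web server missing security update", 8.8, 4),
    Finding("file-srv02", "SMB signing not required", 5.3, 3),
    Finding("test-vm03", "unsupported operating system", 9.8, 8),
]

def best_rank(asset):
    """Rank of the most critical service the asset supports (unmapped assets sort last)."""
    ranks = [SERVICE_RANK[s] for s in ASSET_SERVICES.get(asset, [])]
    return min(ranks) if ranks else len(SERVICE_RANK) + 1

def plan(findings, hours_available):
    """Split findings into (patch now, residual risk) within the staff hours available."""
    patch, residual = [], []
    # Service criticality first; scanner severity only breaks ties.
    for f in sorted(findings, key=lambda f: (best_rank(f.asset), -f.severity)):
        if f.hours <= hours_available:
            patch.append(f)
            hours_available -= f.hours
        else:
            residual.append(f)  # does not fit; goes to management for a decision
    return patch, residual

def residual_report(residual):
    """One line per unpatched finding, naming the services that carry the risk."""
    return [f"{f.asset}: {f.title} (severity {f.severity}) affects "
            f"{', '.join(ASSET_SERVICES.get(f.asset, [])) or 'no documented service'}"
            for f in residual]
```

With 13 hours available, the two findings with the highest scanner scores end up in the residual list, because the assets they sit on support the lowest-ranked service or none at all.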
- User account management
Again, you have to do this. All agencies should do things like making sure they don’t give elevated privileges to staff when it isn’t needed. I have seen plenty of orgs make users local administrators on their workstations because it’s easier to support. Sure, technically it is. But if a bad guy gets in with their credentials, it is way easier for them to get further into your environment.
Force users to reset passwords regularly. Now, there are thoughts that if you make passwords longer in length, you don’t have to reset passwords as often. Talk to an infosec professional to discuss the pros and cons, and impact in terms of compliance requirements, e.g., PCI, FERPA, etc.
MFA – multifactor authentication. This is one of the best ways to protect your organization from the impact of having someone’s username and password stolen, whether through a phishing email, credential harvesting website, etc. Even if your employees get tricked into sharing their username and password, unless the bad guy is super sophisticated, chances are they won’t have the ability to fake access to the second factor (e.g., hard token, SMS text to your cell phone, mobile application, etc.) to successfully log into agency services. Unless they do have access to that second factor, in which case…
- Access control/permissions
This applies to storing files in your local network as well as what is in MS365 or an Amazon Web Services S3 bucket.
Your security is only as good as the controls you put in place. I have been in multiple orgs where sensitive data was stored in folders that everyone had access to. This is potentially even a bigger problem for files stored in the cloud, because many people think that it is the cloud provider’s responsibility. It is not! How is Microsoft expected to know who should have what level of access to your salary spreadsheet?
How often do you validate you have the right permissions? Once a year? Never?!
I will continue this discussion in my next and last post. Thanks for reading and participating!
Lester Godsey is the Chief Information Security and Privacy Officer for Maricopa County, Arizona, which is the fourth most populous county in the United States. With over 25 years of higher education and local government IT experience, Lester has spoken at local, state and national conferences on topics ranging from telecommunications to project management to cybersecurity and data. His current areas of professional interest center around IoT (Internet of Things) technology and data management and the juxtaposition of these disciplines with cybersecurity. You can follow Lester on LinkedIn.