
Incident Response – Why Government Should Plan and Practice Its InfoSec Readiness

Writer’s note: Welcome to week 2 of my blog! Thanks to everyone for their comments and kind words from last week. As promised, I am reviewing all the excellent suggestions for topics. Thanks to Dara Gibson for this one. This subject is really multi-faceted, especially beyond first glance. So let’s just dive in!

I won’t spend a lot of time talking about the obvious aspects of incident response planning – the axiom “Measure twice, cut once” and a handful of others come to mind. Between COVID-19 and arguably the most contentious election in modern history, there has been plenty of motivation for incident response (IR) development and planning. If your leadership needs to be convinced of the cyber impact of COVID-19, take a look at this page on pandasecurity.com. With COVID-19-related scams increasing by a factor of 4, as well as other related attacks, information security professionals have been burdened. While this applies to all sectors and not just government, there have been and are plenty of services unique to government to be concerned about. The 2020 election cycle was front of mind for me and Maricopa County.

So, from a technical perspective, here are some considerations that might be less obvious as to why focus on IR creation and practice:

1. Quite a few organizations think they are more prepared than they really are.

I don’t know how many times I’ve asked questions like “Do you know how you would respond to ransomware?” and get responses like “We have offsite backups.” While that answer is not a worst-case scenario, this shouldn’t be your go-to move. There are a lot of steps between normal operations and having ransomware make it into your network. What do you do for all those ‘in-between’ steps?

  • By the way, the worst case would be if your backups don’t work and you have to rebuild everything from scratch, get fired and have the stigma of failure associated with you for the rest of your career. That’s not hyperbole, unfortunately…

2. IT people tend not to plan or practice non-technology steps and skills.

The biggest example of overlooked IR planning is communications.

Let’s use the example from above. If ransomware gets into your network, who do you communicate with and when? Don’t look to your engineers for this; they’re focused on solving the problem.

If you are in IT or security leadership, you need to know how you’re going to communicate with your management and council/board, etc.

Additionally, shouldn’t the impact on the agency influence how your IR plan is executed? If ransomware got into your public safety 911 system and your computer-aided dispatch (CAD) system no longer worked, wouldn’t your management and elected officials want to know? They should at least know before the media reaches out.

  • Hopefully, you have an IR plan in place and you practice it so you know what to say and who to say it to.

3. Don’t expect your ‘A’ team to be working during an incident.

If IR planning is to prepare for the worst, then assume your least experienced and least knowledgeable staff will be responding.

This goes back to assuming too much by way of preparedness. We all have those aces who can do everything off the top of their heads. Documentation? Who needs that?

  • Joking aside, not only does documentation increase the efficacy of your response but the consistency as well.

Of course, the main reason to plan and practice is so you’re good at it when you need to be. However, there are some compelling reasons besides the obvious to be prepared:

1. Agency’s credit rating

Regardless of the level of government, all agencies can issue bonds to raise money. What you may not know is that information security is playing a bigger role in establishing the credit rating for a government agency.

In my last position, I got a call from the chief financial officer (CFO), who had a laundry list of questions about our information security program. One of the top questions the CFO asked was whether we had an IR plan and, if so, whether we practiced it annually. I know this was a new requirement, as I hadn’t been asked those questions in previous years when our CFO was meeting with the credit rating agencies. At the end of the day, risk plays a role in bond issuance, and information security is an important part of sizing up organizational risk.

2. Audits

Every government agency typically goes through some sort of audit; most are required to do so. Every public agency I have worked for has required it. In my last ten years, there have been questions specifically asking if the organization has an IR plan. Sometimes there have been follow-up questions about whether we’ve tested these plans or at least reviewed and updated them annually.

Honestly, while I don’t think regulatory compliance always equals security (perhaps a blog topic for the future), this is one that is relatively easy to do and is always a good idea. At least with local government audits, there have been few specifics about what the IR plan should contain, how to execute testing, etc.

3. Cybersecurity insurance

Most government agencies invest in some sort of cybersecurity insurance. While I question whether actuarial tables exist for cybersecurity insurance, insurance carriers, much like the rating agencies, often ask if you have an IR plan and if you practice it annually.

[Image caption: How much cyber insurance do you have? Ransom cost = N-1 where N = coverage]

This is an interesting topic unto itself (again, perhaps a future blog topic – leave a comment if this is something you’d like to explore!), but cyber insurance is potentially a double-edged sword for government agencies. Examples include paying the ransom, who makes decisions about the response, etc.

I have asked numerous times: If an organization has an IR plan, infosec strategy, etc., would that translate into a premium saving? I have not personally seen this occur but would love to hear from others if you have.

OK, so this post has run a bit long so we’ll wrap it up here. If you want some additional information about how your agency might create an IR plan, how to test it, etc., leave a comment, hit me up on LinkedIn or email me. Have a great week!

Interested in becoming a Featured Contributor? Email topics you’re interested in covering for GovLoop to [email protected]. And to read more from our Winter 2021 Cohort, here is a full list of every Featured Contributor during this cohort.

Lester Godsey is the Chief Information Security and Privacy Officer for Maricopa County, Arizona, which is the fourth most populous county in the United States. With over 25 years of higher education and local government IT experience, Lester has spoken at local, state and national conferences on topics ranging from telecommunications to project management to cybersecurity and data. His current areas of professional interest center around IoT (Internet of Things) technology and data management and the juxtaposition of these disciplines with cybersecurity. You can follow Lester on LinkedIn.
