[BreachExchange] 3 Ways State and Local Agencies Can Form a Risk-Based Security Strategy

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 2 10:30:14 EST 2018


https://statetechmagazine.com/article/2018/03/3-ways-state-and-local-agencies-can-form-risk-based-security-strategy

State and local governments everywhere are under attack, and there's no
sign that cyberthreats will let up anytime soon. Most recently, ransomware
targeted Connecticut state agencies, infecting 160 machines across 12
agencies.

With tight budgets and small staffs, it can be difficult for agencies to
protect themselves from cyberattacks. But assessing and prioritizing risk
in risk-based security strategies can be one way to help state and local
government IT teams protect their most important systems first.

A risk-based security strategy should be tailored to the unique needs of a
specific department or agency, but there are still many common elements
that exist across organizations.

Organizations considering a risk-based approach should understand these
elements. They should focus on cybersecurity policies, technology solutions
and services designed to help organizations manage cybersecurity risk.

1. Start by Tapping Policy

Policy forms the cornerstone of every information security program. It sets
out the guiding principles for cybersecurity efforts within an agency,
formalizes the leadership support for those efforts and provides a
justification for actions taken in the name of cybersecurity that might
negatively affect other activities of the agency. In an agency adopting a
risk-based approach to security, policies should spell out the nature of
the risk-based approach and describe how the agency expects to avoid,
mitigate and accept cybersecurity risks.

Fortunately, cybersecurity policy is a well-established field, and agencies
do not need to start writing from a blank slate. Many government agencies
and other organizations publish their cybersecurity policies on the
internet, and organizations are free to peruse them for ideas as they begin
to shape their own policies. The SANS Institute offers a free library of
policy templates that organizations may use as the basis for their own
policy documents.

Agencies or departments may also choose to base their policies on an
established cybersecurity framework, such as the security standards
published by the National Institute for Standards and Technology or the
International Organization for Standardization (ISO). A department wishing
to adopt a standards-based approach to security may benefit from bringing
in a third-party consultant to perform a gap analysis of its existing
controls, identifying areas where there are significant deviations. This
can then be used as the basis for a risk-prioritized approach to applying
new controls that mitigate identified gaps.

2. Seek Out Solutions

Years ago, agencies seeking to formalize their risk management processes
had very little in the way of outside resources to assist them. Over the
past decade, new tools have emerged to assist with this work. These range from
comprehensive governance, risk and compliance solutions to specialized
tools designed to assist with risk assessment and mitigation.

GRC solutions help tie together three functions that often exist in
different silos within an organization. Policies are the product of
governance processes, which often occur at the highest levels of an
organization. Risk assessments and mitigation take place either within the
IT function or as part of a dedicated risk management group. Compliance
activities may occur within the legal or regulatory function.

Each of these activities is extremely important to managing the agency’s
overall risk exposure, but it is often difficult for them to share
information. GRC solutions break down these walls by presenting each
function with a function-specific view of important information, but
allowing those views to draw from each other. For example, if internal
auditors seek to determine the effectiveness of a security control at
enforcing a policy objective, a GRC solution can help by linking security
controls (risk management) to policy objectives (governance) and
determining whether they are functioning properly (compliance).

Newer tools seek to dive deeper into risk management by leveraging
artificial intelligence to help evaluate an agency’s risk profile. These
tools can assess an agency’s internet footprint, previous data breaches and
known security risks, and develop an independent risk score that can serve
as a feedback loop for the risk assessment process. Other technologies
deploy agents inside an agency’s IT infrastructure that continuously report
back configuration information. These agents assess deviations from a
security baseline that may represent cybersecurity risks.

3. Outsource Certain Security Services

Many agencies find themselves ill-equipped to provide a full range of
security services internally. They may address this situation by
contracting with vendors who offer security services. For example, managed
security service providers offer clients numerous security operations
center capabilities on a contract basis.

Agencies that are unable to staff their own SOC on a continuous basis can
hire an MSSP to monitor their security infrastructure around the clock for
anomalies. When the MSSP detects suspicious activity, it may either
immediately execute a planned response or escalate the issue to the
organization’s own security team for resolution.

Local governments can also turn to service providers to assist with
assessments of their internal infrastructure. Some MSSPs offer
vulnerability scanning services that constantly monitor client networks for
vulnerable systems and provide a remediation workflow that allows engineers
to monitor the status of issue resolution.

Other MSSPs provide penetration testing capabilities that use trained
ethical hackers to probe an agency’s defenses using the same tools
leveraged by cybercriminals. These attacks provide valuable insight into an
organization’s security posture, allowing it to correct issues that pose
a significant risk of exploitation.