Multi-person IT Division. As a larger governmental entity, here are some things you could start with:
Low Level of Complexity
Bad guys are working hard to steal information from you, your office and the citizens of Wyoming. Many of these attempts come to you through your email inbox or while visiting websites. Please remember:
Avoid opening any email or email attachments from unknown or suspicious sources or that look significantly different from email you typically receive from a known associate.
Avoid clicking on any links in websites that appear suspicious.
Do not share your password credentials with anyone or enter them into suspicious websites. Fraudulent sites often duplicate the original and look identical. When in doubt, find the original website and log in there instead of using a link sent to you.
You may choose to outsource some portions of your operation which receive or manage sensitive data or personal information. This delegation does not lessen your responsibility for implementing appropriate management or protections.
ETS provides security training which re-emphasizes key security concepts to strengthen our staff's knowledge, thereby improving the security posture of the State of Wyoming. The lessons are short, web-based and take each employee less than 15 minutes to complete. A new lesson is provided every other month, resulting in 12 trainings over 24 months. The current cost for 10,000 licensed users is approximately $30,000 annually. State policy 1100-P141 covers Information Security Awareness and Training.
INFORMATION & AWARENESS
Collaboration and sharing of information is important.
The Multi-State Information Sharing and Analysis Center (MS-ISAC) provides an information sharing portal for registered parties to access cyber threat prevention, protection, response and recovery information for the nation's state, local, tribal and territorial (SLTT) governments. Membership is currently no cost.
The FBI provides an information sharing portal (called InfraGard) for registered parties to receive cyber threat information. Membership is currently no cost and requires a background check. Both could help you be more aware of current threats and able to protect citizen data.
The estimated cost the State of Wyoming invests in this item is $0. The number of estimated resource hours the State of Wyoming invests in this item is 10 hours a month.
PASSWORDS AND ACCESS
We take information security seriously and protect citizen data by using passwords that are not predictable.
Employees should not share their passwords with anyone (including supervisors).
Passwords are often compromised because they were written down somewhere.
It is always a good idea to use strong passwords. Strong passwords are usually at least 6 characters in length and combine letters, numbers and symbols (@, #, $, %, etc.). Passwords are typically case-sensitive, so a strong password contains both uppercase and lowercase letters.
The State of Wyoming enforces strong passwords based on best practices through our IT policies. There is no cost or hours of effort for this item.
It is always a good idea to review permissions on local devices. Only use the local administrator account when necessary to install or update software.
Estimated Cost - None.
Chances are you may be regulated by data privacy laws and regulations, as well as internal policies. You should ensure that you are familiar with these and ensure they are enforced.
All data should be labeled and easily identifiable.
The State addresses this with IT policies for data classification. The 08100-P131 Information Classification Policy and the 08100-S131 Information Classification Standard provide additional information.
Computer screens that are left unlocked and unattended allow for unauthorized access. Manually locking your workstation or leveraging automated screen lock functionality can help deter and prevent unauthorized access.
ETS recommends this and has a supporting IT policy (9400-S176 Automatic Screen Lock Standards) for users and agencies to be aware of this simple, yet effective (no cost) solution.
USING AND PROTECTING INFORMATION
Many of us work with sensitive data and must control who has access to this information. The following may help you protect information:
Never leave sensitive data on your desk, in unlocked cabinets or written on whiteboards or paper.
Appropriately destroying sensitive data when no longer needed is a must. This is both for stored and any printed sensitive data.
Disable any accounts for individuals that are no longer employed.
It's not enough to simply tell your staff not to use their work devices for non-work related activities. You can help protect citizen data by developing a written policy and having users sign and acknowledge that they have read it. The policy should be designed with a balance that keeps users productive, and written so it won't become outdated as your office grows.
Review access control lists regularly and make appropriate adjustments.
The State of Wyoming has IT policies and works to promote a culture shift through collaboration. The estimated cost the State of Wyoming invests in this item is $0. The number of estimated resource hours the State of Wyoming invests in deactivating unnecessary accounts is 5 hours per month.
Medium Level of Complexity
BACKUP & DISASTER RECOVERY
If a disaster strikes in any form, having a backup is crucial. It is always a good idea to make regular backups of your data and keep copies in a secure offsite location.
Regularly test restoring your data from your backup. Often times there may be issues preventing you from successfully recovering your data. Your testing may shine light on them rather than having them surface during a critical need to restore.
Prepare and regularly test your security incident response plan.
The State of Wyoming invests 30-35 hours per month validating backups. The current estimated cost of our enterprise backup software and enterprise virtual machine backup software is $600,000.
The State of Wyoming has an internal team that spends at least 40 hours per month working on security incident response.
Ensure that appropriate non-disclosure and data sharing agreements are in place between all stakeholders.
It is very important to collect only the minimum amount of personal information necessary to achieve your purposes, and only what you are authorized to collect.
Be clear with what is being exchanged for access.
The estimated cost the State of Wyoming invests in this item is $0. The number of estimated resource hours the State of Wyoming invests in this item is 6 hours per MOU (Memorandum of Understanding), which also includes a data sharing matrix.
COLLECTION AND INPUT VALIDATION
Special characters and commands can wreak havoc on your database if they reach it unchecked through forms on your website. Maintaining strict input validation on form fields may help prevent unauthorized access and keep security standards high as you collect the data that is entered.
This item is accomplished from the beginning using best practices so there are no additional costs or additional hours associated with this item.
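As an added illustration (not code from this page or from ETS), here is a small Python example against a constructed SQLite table of citizen records: a lookup that pastes a form value straight into the SQL text, beside a hardened version that allow-lists the field and binds it as a query parameter so that quote characters and commands in the input are handled as data, never as SQL. The table, names and the regular expression are assumptions for the demo.

```python
import re
import sqlite3

# Constructed sample table standing in for the database behind a web form.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (id INTEGER PRIMARY KEY, last_name TEXT, ssn_last4 TEXT)")
    conn.executemany(
        "INSERT INTO citizens (last_name, ssn_last4) VALUES (?, ?)",
        [("Smith", "1234"), ("Jones", "5678"), ("Brown", "9012"), ("O'Neil", "3456")],
    )
    return conn

def lookup_unsafe(conn: sqlite3.Connection, last_name: str) -> list:
    # Vulnerable pattern: the form value is pasted into the SQL text, so quote
    # characters and SQL keywords in the input change what the query does.
    # A legitimate name such as O'Neil also breaks this query (syntax error).
    sql = f"SELECT last_name FROM citizens WHERE last_name = '{last_name}'"
    return [row[0] for row in conn.execute(sql)]

# Allow-list for a last-name field: starts with a letter, then letters, spaces,
# hyphens or apostrophes, at most 40 characters in total.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z '-]{0,39}")

def is_valid_name(value: str) -> bool:
    return NAME_RE.fullmatch(value) is not None

def lookup_safe(conn: sqlite3.Connection, last_name: str) -> list:
    # Hardened pattern: validate against the allow-list first, then bind the
    # value as a parameter so the database never parses it as SQL. Binding is
    # what makes the apostrophe in O'Neil harmless; validation alone would not.
    if not is_valid_name(last_name):
        raise ValueError("invalid last name field")
    sql = "SELECT last_name FROM citizens WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]

if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "O'Neil"))         # ["O'Neil"]
    print(lookup_unsafe(db, "' OR '1'='1"))  # every row: the input rewrote the query
```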
It is a good idea to review employee policies frequently. Employee policies should restrict employees from “unauthorized access” or “exceeding authorized access” of your organization's computer systems.
Have someone from outside your organization attempt to gather sensitive employee or organizational data on a small group of your users (types of computers, printers, IP addresses, home phone numbers, spouse's names of key employees) from an email message.
There is no cost and a minimal amount of hourly effort when each policy is reviewed individually. Our staff also reviews all policies for security recommendations and applicability. The hourly effort for this task was estimated to be at least 40 hours per month.
Collaborate, communicate and share information with partners appropriately.
The State of Wyoming shares IT outages and impacts through a public website. There is no cost for this service. The monthly effort is estimated to be at least 65 hours a month.
You can help protect your company's information on your employees' company-issued mobile devices, preferably with the ability to remotely lock and wipe lost or stolen devices. Some products come with this functionality built in.
It is important you configure and lock your devices with security in mind.
Never leave your mobile device unattended in public places.
Many mobile devices come with the ability to enforce passcodes. It is recommended you enable passcodes when available.
The estimated cost the State of Wyoming invests in a Mobile Device Management (MDM) solution is $0 as it is included at no extra cost with our enterprise email contract. The number of estimated resource hours the State of Wyoming invests in this item is 0 hours per month as it is set once and does not need additional monthly changes (outside of the rare occurrence of a mobile device needing to be wiped).
Removable media devices can contribute to security breaches coming into or leaving your network. Develop a policy regarding the use of USB drives, external hard disks, thumb drives, external DVD writers, and any writeable media.
Our staff is well aware of the dangers surrounding removable media. We keep simple things like this in mind by utilizing regular security training and making it part of the IT culture created at the State of Wyoming. The State policy 1100-P141 Information Security Awareness and Training Policy can be referenced on ets.wyo.gov.
RISK ASSESSMENT SERVICES (3rd Party)
It is always a good idea to assess risk level in your office with IT risk assessment services performed annually by a reputable 3rd party. In addition, any vulnerability scanning should identify both network and application layer vulnerabilities, especially when scanning Internet facing systems, such as web applications.
Estimated cost - Depends on scope, typically associated resource, contract or hourly fees.
Encryption adds a layer of security and prevents unauthorized access to data. Enable encryption for both stored data and data that moves over the network.
The State of Wyoming uses self-signed certificates and encryption already built into the hardware or software we utilize at no additional cost. Where appropriate, endpoint protection and whole disk encryption are utilized at a per-device fee. One agency, on nearly 1,000 systems, accomplished endpoint protection for approximately $8,000 annually and invested an estimated 5 hours a month to manage it.
Network segmentation (splitting critical parts of your network) remains an important strategy to contain attacks. It limits the lateral movement of attackers and can improve performance and overall security.
The State of Wyoming accomplishes this without any additional cost or effort as it is best practice and is accomplished from the initial architecture and configuration.
SET & MAINTAIN INTERNAL STANDARDS
Be cognizant and prepared against the top 10 threats from the Open Web Application Security Project (OWASP).
Our application development team is cognizant of these threats and uses the OWASP Top 10, among other tools, when designing new solutions. Security practices that help insulate new applications from those threats are now part of the best practices employed in strong application development.
STANDARDS, PLANS AND POLICIES
It's always a good idea to evaluate existing standards, plans and policies. Ensure all staff have refresher training for these plans and policies.
The State of Wyoming appropriately cites nationally accepted best practice authorities when drafting policies and making recommendations. Key policies are reviewed regularly by employees.
It is always a good idea to identify and disable any unwanted system services or processes that are no longer required.
This item is part of best practice and is completed when new devices/systems are configured and maintained.
SYSTEM UPDATES AND ANTIVIRUS
System updates and antivirus software on your devices can help protect citizen data and keep them running smoothly. It is very important that work computers receive regular software updates and that antivirus software receives regular signature updates.
The estimated cost the State of Wyoming invests in antivirus software is $42,000 annually. The number of estimated resource hours the State of Wyoming spends on this item is 48 hours a month for updates and 112 hours a month for antivirus.
Theft or breach of data by insiders can be costly. Verify the levels of outbound access you allow employees to have. Pay careful attention to applying appropriate electronic access controls to your business-critical functions.
The estimated cost the State of Wyoming invests in this item is $100,000. The number of estimated resource hours the State of Wyoming spends in this item is 16 hours a month.
High Level of Complexity
ADDING A SECOND FACTOR FOR AUTHENTICATING
Additional security is always a plus. When possible, leverage a second layer of security to any type of login, requiring extra information or a physical device to log in, in addition to your password.
The estimated cost the State of Wyoming invests in this item is $0, as we use our State-provided Google accounts to log in to the majority of our enterprise applications and it is included at no cost as part of our current email and apps. The number of estimated resource hours the State of Wyoming invests in this item is 0 hours per month.
Crime, weather and emergency situations can impact your productivity in many ways. It is best practice to ensure you have a business continuity plan in the event you are impacted.
The estimated level of effort ETS spends on this task is 12 hours per month.
Work to influence the data and security culture in your office. Develop an environment which can adapt to ever changing threats and that works to promote cybersecurity.
Estimated Cost - None.
Document your security policies in a knowledge database so that network admins, security staff, and even application teams understand exactly what is going on, as well as the why. This is particularly important when setting up rules to support new applications, because when an application is decommissioned or moved, you'll want to reverse that rule, and you won't be able to do so if you don't know about it.
The State of Wyoming uses our internal governance committee to share pertinent IT information in a public forum with state agency representation. IT policies are discussed and shared frequently in this body.
Conduct appropriate background checks on employees, contractors and vendors in accordance with policy, procedure and any applicable law. Have a well-organized, well-understood, well-maintained, and well-monitored security policy for both insiders and outsiders, and ensure they have refresher training.
Estimated Cost - $1500 annually.
INFORMATION & AWARENESS
Your office may wish to leverage the National Institute of Standards and Technology (NIST) framework as a guideline to evaluate maturity of your cybersecurity.
There is no estimated cost for this item. The estimated number of hours involving NIST would vary depending on the number of policies or projects requiring input.
Disable any unused network ports or protocols.
Firewall rules should be reviewed at least every 6 months.
Estimated Cost - None to $2,000 annually depending on solution(s).
The State of Wyoming invests 16 hours per month disabling unused ports and protocols.
RISK ASSESSMENT SERVICES (3rd Party)
Level of risk is often a key factor in many IT decisions. It is always a good idea to conduct an annual risk assessment on applications and key IT infrastructure (Self and/or 3rd party).
Minimum criteria for an effective risk assessment include:
Knowing what information security assets you have.
Knowing what value those assets have to the organization.
Knowing what vulnerabilities exist in your assets.
Knowing what threats exist to your assets.
Threats to confidentiality, availability, and integrity must be considered.
Knowing the likelihood that one of the vulnerabilities will be attacked by one of the threats.
Knowing the potential business impact of a successful attack.
Estimated cost - Depends on scope, typically associated resource, contract or hourly fees.
You can never go wrong investing in your staff's professional development. This helps the employee stay current on their skill set and benefits you and your customers. A highly trained staff contributes to successful recruitment, retention and morale of talented employees who will help you protect citizen data.
The estimated cost ETS spent on staff investments for training in the previous fiscal year was $330,000 (not including travel). This included group trainings at our agency and specialized trainings and conference attendance.
As mentioned above, many of us work with sensitive data and must comply with all data compliance mandates. Meeting these requirements can shape some of your security planning, approach, collection and use of data. You could also work towards implementing appropriate Center for Internet Security (CIS) Top 20 Security Controls as you are able. The CIS offers this recommended set of actions that provide specific and actionable ways to stop dangerous cyber attacks.
There is no estimated cost for this item. The estimated number of hours involving referencing the CIS Top 20 Security Controls can vary depending on the amount of policies or projects requiring its input.
Practice makes perfect. Conduct bi-annual mock tabletop exercises to better understand your ability to mitigate and respond to security events or cyberthreats.
The State of Wyoming security team has walked through multiple tabletop scenarios. The monthly hours of effort for a tabletop based on security would now be in the range of 40 hours per exercise (based on 10 participants).