Secure and Protect
The safety and security of state information resources is a fundamental management responsibility of all agencies. Citizens trust the state with their personal information, credit card numbers, and other confidential data with the expectation of protection and privacy.
Security threats, in the form of malicious hacking, viruses, malware, unsecured devices, and data breaches, among others, are commonplace today. However, not all risks lie with external threats. Although external threats continue to pose the principal risk in terms of incidents and records disclosed, both accidental and malicious internal threats also endanger state assets.
As the state’s citizen-facing services continue to move to an online service model, it is critical that security and privacy are provided the highest level of attention and visibility within every organization. Beyond traditional services delivered online, the government landscape is also characterized by
- applications and data increasingly shifting to the cloud
- employees spending more time working remotely
- agencies increasingly interacting with citizens on third-party social networks
- a growing use of managed services to deliver technology solutions
Due to continuously changing organizational and service delivery models, the state must advance its security posture. While the number one cause of security problems is people, the number one solution is also people. Effectively managing and responding to security risks requires a careful and deliberative approach that emphasizes the people, processes, and technologies.
As organizations collect more sensitive and financial data online, the costs associated with data theft, fraud, and privacy breaches continue to rise.
- Since 2005, U.S. organizations have publicly reported 3,765 successful security breach incidents, costing more than $156 billion. Hacking was responsible for 48 percent of these security breaches.
- In 2011, the average organizational cost of a data breach was $7.2 million, or an average of $214 per compromised record. Estimates for public sector cybersecurity breaches are somewhat lower at $81 per compromised record, but the state must consider all the recovery expenses resulting from successful cyber attacks, including
  - material repair
  - labor costs
  - lost productivity
  - lost business
  - reputation costs
  - legal and liability costs
Using increasingly available penetration tools and readily shared methods to create denial-of-service and other attacks, hackers (cyber criminals) have gone mainstream. Preventing malicious attacks requires constant vigilance.
Protecting private citizen and business information establishes trust among users of government services, allowing for the continued growth of convenient online services. Securing the state’s technology infrastructure prevents damage from malicious or fraudulent activity by protecting the confidentiality, integrity, and availability of computing systems.
Building a Secure Infrastructure
Agencies are responsible for adopting and enforcing internal security policies to protect the confidentiality, integrity, and availability of state assets. Agencies must take a proactive and comprehensive approach to security by regularly assessing operations for vulnerabilities and opportunities for risk mitigation. Using a risk-based approach, an agency can protect information commensurate with the level of risk and the magnitude of harm resulting from loss, misuse, unauthorized access, or modification.
An agency’s security program requires a layered approach to appropriately address known vulnerabilities and threats as well as anticipate those yet to be identified. Therefore, the requirements for people, processes, and tools that must be addressed in an agency’s security program include
- Awareness and Education
  - enhance knowledge and skills of IT security professionals through security education, training, certifications, and proactive security management practices
  - promote awareness through training and education to ensure all staff are able to perform their cybersecurity responsibilities
  - participate in IT security forums, seminars, and conferences
  - participate in IT security training and exercises
  - participate in collaborative opportunities, such as the statewide computer security incident response and recovery program
- Policy and Process
  - review existing policies to ensure conformance with 1 TAC 202 at a minimum
  - evaluate federal standards or rules, such as HIPAA, FERPA, and FISMA, to determine applicability to the populations or the assets served by agency programs
  - implement data governance and classification
  - implement a risk-based information security strategy to provide a means to mitigate risks, strengthen the positive effects of security activities, and minimize costs
  - implement a process to measure conformance to agency security policies and perform self-audit functions to ensure effective controls are in place
  - plan and budget for security program costs
  - ensure that user access within the agency infrastructure is established on the principle of least privilege
  - ensure that security investment is addressed in IT projects by implementing security methodology in systems development tools, practices, and training
  - conduct technical security and network vulnerability assessments, including controlled penetration tests, wireless network assessments, and web application vulnerability assessments
  - demonstrate due diligence by periodically testing and exercising cybersecurity and disaster recovery plans
  - participate in federal and state sponsored cyber attack exercises to evaluate existing policies and procedures in response to security incidents
  - leverage DIR’s information sharing, analysis, and response capabilities
- Technology and Tools
  - enhance prevention of significant cybersecurity incidents by identifying and hardening critical information infrastructure
  - pursue operational, architectural, and technical innovations that strengthen the security of the network
  - develop a base for a shared and distributed security architecture
  - increase resilience and system fault tolerance
  - increase technical and policy interoperability across devices and platforms
  - automate security processes
Implementing a comprehensive strategy is critical to building a secure infrastructure. Agency security strategies should address the roles and responsibilities of all staff within an organization, the policies that govern agency practices, and the enabling technologies.