Data and analytics facilitated by connected technologies are helping to streamline government work and encourage citizen engagement across the country. But with new data comes new territory to protect and secure. And, indeed, there is more data than ever before available to state and local government bodies.
"As more government services have moved from paper to digital, different types of constituent data can be collected and analyzed for the first time," says Richard Kliethermes, acting CIO for the state of Missouri and NASCIO privacy and data protection co-chair. He notes that this new information is coming from various places, particularly from government apps, which can offer session, device user-agent and geolocation information on users. "This additional information can be used to better serve constituents by tailoring their interactions with government, securing their transactions, and to ensure accessibility."
But alongside that, of course, come new security and privacy concerns. And while cybersecurity often takes center stage, particularly in the age of WannaCry, data privacy is inextricably linked to security, says West Virginia Chief Privacy Officer and fellow NASCIO Privacy and Data Protection Co-Chair Sallie Milam.
"Security and privacy are two sides of the same coin and both are essential to maintaining information privacy," says Milam. "While security addresses threats that arise from unauthorized system behavior, privacy manages controls that are a byproduct of authorized processing of personal information. Privacy does not exist in the absence of security."
Milam points out that while a law may require that certain personal information remain confidential, to achieve that requirement means that privacy and security must work together.
Both controls, Milam notes, are essential to maintaining individual privacy.
Moreover, properly understanding the data that a government has available is essential to not only keep data safe from hackers, but also to ensure it's used to its fullest extent in open data programs or for other uses across government bodies. This means classifying citizen data appropriately and actively.
"Unless an organization keeps current with its data classification, as well as its data inventory, it is impossible to identify privacy requirements. As a result, some data may be overprotected and not used or shared as broadly as allowed, and other data may not be protected adequately," Milam says.
So how can governments get a leg up in maintaining a full view of citizen data? A combination of tools and training are key, say the NASCIO privacy and data protection co-chairs.
Tools, Privacy Best Practices Offer a First Line of Data Defense
Government users are some of the worst offenders of clicking on phishing emails, according to a recent State of the Phish 2018 report from Wombat Security Technologies. With a large portion of attacks coming through phishing and social engineering vectors, it's clear that training government workforces is key to stopping an attack that can threaten citizen data before it even starts.
"Security and privacy training is critical to help the workforce understand their role in data protection," says Milam. "The human brain is our best 'technology' to respond to security threats, such as phishing scams and to ensure that data is protected appropriately."
Of course, tools such as data loss prevention technology, are also necessary.
"While we train employees to remove sensitive information from their emails, such as credit card information and Social Security numbers, it is helpful to have technology to ensure that this information is protected, by enforcing our rules," says Milam.
Other tools to help protect citizen data include:
- Database/endpoint/server encryption
- Data loss protection systems
- Advanced malware protection platforms
- Data/application-aware firewalls
- External and internal identity and access management systems
- Multifactor authentication Identity proofing
Kliethermes also recommends automation and orchestration tools "to ensure controls are working and in place within various siloed on-prem and cloud environments."
Having strong incident detection and response capabilities are necessary, as well.
"Endpoint and server vulnerability management, application security testing, geographical disparity between compute and storage sites, and high availability not just within a site, but between sites, are some solid practices to protect data," says Kliethermes.
If all else fails, it's important for government IT teams to have a data breach plan already in place and a team ready to act. In fact, a recent IBM and Ponemon Institute study on the cost of data breaches found that having a fully functioning incident response team in place is the leading factor in reducing breach costs.
"Good preparation includes developing an incident response plan, as well as training your team, such as by a tabletop exercise so that roles are practiced, and threats are better understood," says Milam.