State and local governments everywhere are under attack, and there's no sign that cyberthreats will let up anytime soon. Most recently, ransomware targeted Connecticut state agencies, infecting 160 machines across 12 agencies.
With tight budgets and small staffs, it can be difficult for agencies to protect themselves from cyberattacks. But a risk-based security strategy, which assesses and prioritizes risk, can help state and local government IT teams protect their most important systems first.
A risk-based security strategy should be tailored to the unique needs of a specific department or agency, but there are still many common elements that exist across organizations.
Organizations considering a risk-based approach should understand these elements, which fall into three areas: cybersecurity policies, technology solutions and services designed to help organizations manage cybersecurity risk.
1. Start by Tapping Policy
Policy forms the cornerstone of every information security program. It sets out the guiding principles for cybersecurity efforts within an agency, formalizes the leadership support for those efforts and provides a justification for actions taken in the name of cybersecurity that might negatively affect other activities of the agency. In an agency adopting a risk-based approach to security, policies should spell out the nature of that approach and describe how the agency expects to avoid, mitigate and accept cybersecurity risks.
Fortunately, cybersecurity policy is a well-established field, and agencies do not need to start writing from a blank slate. Many government agencies and other organizations publish their cybersecurity policies on the internet, and organizations are free to peruse them for ideas as they begin to shape their own policies. The SANS Institute offers a free library of policy templates that organizations may use as the basis for their own policy documents.
Agencies or departments may also choose to base their policies on an established cybersecurity framework, such as the security standards published by the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO). A department wishing to adopt a standards-based approach to security may benefit from bringing in a third-party consultant to perform a gap analysis of its existing controls, identifying areas where there are significant deviations from the chosen standard. The results can then be used as the basis for a risk-prioritized approach to applying new controls that close the identified gaps.
2. Seek Out Solutions
Years ago, agencies seeking to formalize their risk management processes had very little in the way of outside resources to assist them. Over the past decade, new tools have emerged to assist with this work. These range from comprehensive governance, risk and compliance (GRC) solutions to specialized tools designed to assist with risk assessment and mitigation.
GRC solutions help tie together three functions that often exist in different silos within an organization. Policies are the product of governance processes, which often occur at the highest levels of an organization. Risk assessments and mitigation take place either within the IT function or as part of a dedicated risk management group. Compliance activities may occur within the legal or regulatory function.
Each of these activities is extremely important to managing the agency’s overall risk exposure, but it is often difficult for them to share information. GRC solutions break down these walls by presenting each function with a function-specific view of important information, but allowing those views to draw from each other. For example, if internal auditors seek to determine the effectiveness of a security control at enforcing a policy objective, a GRC solution can help by linking security controls (risk management) to policy objectives (governance) and determining whether they are functioning properly (compliance).
Newer tools seek to dive deeper into risk management by leveraging artificial intelligence to help evaluate an agency’s risk profile. These tools can assess an agency’s internet footprint, previous data breaches and known security risks, and develop an independent risk score that can serve as a feedback loop for the risk assessment process. Other technologies deploy agents inside an agency’s IT infrastructure that continuously report back configuration information. These agents assess deviations from a security baseline that may represent cybersecurity risks.
3. Outsource Certain Security Services
Many agencies find themselves ill-equipped to provide a full range of security services internally. They may address this situation by contracting with vendors who offer security services. For example, managed security service providers (MSSPs) offer clients numerous security operations center (SOC) capabilities on a contract basis.
Agencies that are unable to staff their own SOC on a continuous basis can hire an MSSP to monitor their security infrastructure around the clock for anomalies. When the MSSP detects suspicious activity, it may either immediately execute a planned response or escalate the issue to the organization’s own security team for resolution.
Local governments can also turn to service providers to assist with assessments of their internal infrastructure. Some MSSPs offer vulnerability scanning services that constantly monitor client networks for vulnerable systems and provide a remediation workflow that allows engineers to monitor the status of issue resolution.
Other MSSPs provide penetration testing capabilities that use trained ethical hackers to probe an agency's defenses using the same tools leveraged by cybercriminals. These controlled attacks provide valuable insight into an organization's security posture, allowing it to correct issues that pose a significant risk of exploitation.
Learn more about taking steps toward a robust risk-based security policy in our white paper "Move to a Risk-Based Security Strategy."