One of the leading cybersecurity organizations available to government technology teams is the Center for Internet Security (CIS). Many people are familiar with the Multi-State Information Sharing and Analysis Center (MS-ISAC), one of CIS’s key contributions. Another vital CIS program is its Top 20 Controls and Resources, a sort of cybersecurity version of Maslow’s “hierarchy of needs” for IT security staff. The 20 controls are organized into three categories: Basic, Foundational and Organizational. This framework provides a terrific starting point and checklist to ensure best practices.
In the Basic category, IT teams should have full vision into all enterprise hardware and software. We’ve witnessed both device and software sprawl over the past decade. We cannot keep our organization safe unless we have a complete inventory and accounting of our hardware and software. Are your technology assets logged, tagged and accurately assigned to staff? Do you utilize a mobile device management solution? Does your team employ a vulnerability scanner to search for weaknesses on at least a weekly basis? Are you leveraging automated software updates and patches where appropriate? Government agencies often lag behind the private sector on timely patching, and it is one of the best ways to harden our defenses.
The Basic category also calls for a review of administrative privileges. Users and accounts with elevated permission levels offer an attractive target for hackers. Sharing credentials and reusing passwords across accounts compounds the risk. Further, does your staff have a standardized, secure configuration for hardware and software systems? Are you running logging on all systems, and do the logs feed into a centralized system for review? Automation and AI can offer substantial improvements for teams that are already short-staffed or underfunded.
The next group of CIS controls is the Foundational category, which includes recommended protections for email, data and network devices. The controls provide guidance on email security, leveraging email security protocols to reduce spoofing and cyberattacks — especially critical these days. The controls also discuss automated port scanning and ensuring that ports and protocols are in use only where business needs dictate. Another crucial element in this category is data protection. Does your organization have data governance practices in place? Has your staff received appropriate training on HIPAA, CJIS and PCI compliance? These courses are often included with more extensive cybersecurity awareness training programs.
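The port-and-protocol control above is easiest to operate when the "business need" is written down as a baseline and every scan is compared against it. The following is an added example, not code from the article or from CIS: it parses a constructed sample in the shape of Linux `ss -tuln` output, compares each listening socket against an approved-services baseline that a team would maintain (the baseline entries and justifications here are illustrative), and reports anything listening without a justification on file. Loopback-only listeners are reported separately, since they are not reachable from the network.

```python
"""Compare listening services against an approved port/protocol baseline.

Added example for the CIS port/protocol control; not part of the article or
of CIS materials. Assumes socket data in the shape of `ss -tuln` output and a
team-maintained baseline of approved (protocol, port) pairs.
"""
import re
from dataclasses import dataclass

# Constructed sample resembling `ss -tuln` output (no header line).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511        0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:3389      0.0.0.0:*
udp   UNCONN 0      0          0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0      128      127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      128           [::]:22           [::]:*
"""

# Illustrative baseline: (protocol, port) pairs with a recorded business justification.
APPROVED_SERVICES = {
    ("tcp", 22): "SSH management, restricted to the admin VLAN",
    ("tcp", 443): "Public web portal",
    ("udp", 161): "SNMP polling from the monitoring server",
}

# proto  state  recv-q  send-q  local-address:port  peer-address:port
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+)\s+\S+\s*$")


@dataclass(frozen=True)
class ListeningSocket:
    proto: str
    addr: str
    port: int


def parse_ss(output: str) -> list[ListeningSocket]:
    """Turn ss-style lines into ListeningSocket records; unparseable lines are skipped."""
    sockets = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local = m.group(1), m.group(2)
        # rsplit keeps IPv6 literals such as "[::]:22" intact.
        addr, port = local.rsplit(":", 1)
        sockets.append(ListeningSocket(proto, addr.strip("[]"), int(port)))
    return sockets


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "::1"


def find_unapproved(sockets, approved, include_loopback=False) -> list[ListeningSocket]:
    """Return sockets whose (proto, port) has no baseline entry.

    Loopback-bound listeners are excluded unless include_loopback is set,
    because they are not exposed to the network.
    """
    findings = []
    for s in sockets:
        if (s.proto, s.port) in approved:
            continue
        if is_loopback(s.addr) and not include_loopback:
            continue
        findings.append(s)
    return findings


def report(sockets, approved) -> list[str]:
    """One line per network-exposed listener lacking a business justification."""
    return [
        f"UNAPPROVED {s.proto}/{s.port} bound to {s.addr}: no justification on file"
        for s in find_unapproved(sockets, approved)
    ]


if __name__ == "__main__":
    for line in report(parse_ss(SAMPLE_SS_OUTPUT), APPROVED_SERVICES):
        print(line)
```

In practice the sample text would be replaced by the output of the scanner or of `ss` collected from each host, and the baseline would live in version control so that adding a port requires a recorded owner and reason. Running the check on a schedule and ticketing each finding turns the control from a one-time review into an ongoing one.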
The third group of CIS controls is the Organizational category. In addition to a cybersecurity awareness program, are you actively running simulated phishing tests? Have you considered social engineering and vishing tests? Do you have an incident response plan? Do you know whom to contact the moment you confirm your organization faces a severe attack? We need to work closely with our emergency management partners, as a cyberattack is probably more likely these days than some other traditional hazards.
The overall scope and responsibility of cybersecurity operations can feel overwhelming and never-ending. However, many resources are available at the state, federal and nonprofit levels. Many services are subsidized or even free. There appears to be bipartisan support building in Washington for new funding for state and local cybersecurity needs. Now is a good time for us to collectively lobby our legislators to make this proposed funding a reality.