“There's been great demand for the cybersecurity audits. However, there is a seven-year waiting list for those,” said Scott Woelfle, the SAO’s director of quality assurance and innovation.
Enter the cyber checkup program.
This new offering, launched in June, provides a quicker, simpler way for local governments to get a more broad-strokes assessment of their cyber postures and see where they’re on the right track and where they may need to put more focus. The checkups can be completed in less than a month — often in just two weeks — and can help local governments ensure they’re getting the basics right, so they’re in a stronger position both for now and for when their turn at an audit comes up.
“Going through a full-blown state audit to find out your doors are unlocked and your windows are open would’ve been a waste,” said David Olsen, network administrator for Port Townsend, Wash. His town was the first to pilot the new checkup program.
HERE’S HOW IT WORKS
At the end of the process, the specialist gives the government a report identifying where it is fully, partially or not yet implementing each of 20 cyber safeguards. Those safeguards are based on the Center for Internet Security’s (CIS) Critical Security Controls Version 8, a well-respected set of prioritized measures for mitigating the most common cyber attacks. The auditor’s office’s final report also explains why each safeguard matters, gives step-by-step information on how to put it into practice and links to further resources, Woelfle said.
Once the local government has reviewed its report, it can meet again with the cyber specialist to get more details and ask questions.
As of June 28, the state auditor’s office had conducted 12 cyber checkups, with more being scheduled, per Woelfle. The program is particularly intended for very small local governments, which may only have one or two people handling IT or which may contract IT services out to a vendor. But larger local governments are also welcome.
PORT TOWNSEND
For Port Townsend's Olsen, the process took about three to four hours, spread over three to four weeks.
“It wasn’t like an intensive penetration test from hell sort of thing. It was a sanity check — ‘do you have your hardware destruction policy?’ or ‘what’s your password policy, is it up to date?’ Things like that,” Olsen said.
Just the act of collecting policies and network documents to send to the specialist served in some cases as a prompt to “update them and clean some stuff up,” Olsen said. The cyber specialist also conducted some tests, including checking whether a Remote Desktop Protocol (RDP) port was open on the firewall and attempting to email an attachment containing a non-malicious macro, to see if it could get through.
The tests were “not super in depth, but the really low-hanging fruit. When I got done with it, it was like, 'OK, we don’t have anything stupidly open,'” Olsen said.
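As an added, defender-side illustration of the “low-hanging fruit” firewall check described above (this is example code written for this page, not the auditor’s office’s tooling), the script below audits an exported firewall rule list for inbound allow rules that let non-private sources reach Remote Desktop on TCP 3389. The rule field names, the first-match semantics and the sample rules are all constructed assumptions rather than any vendor’s format.

```python
"""
Added example, not code from the article or from the Washington State
Auditor's Office: a self-check that mirrors the "is an RDP port open on the
firewall?" test. It reads a list of firewall rules (field names and sample
rules are constructed assumptions) and reports inbound allow rules that let
non-private sources reach Remote Desktop, TCP 3389.
"""
import ipaddress

RDP_PORT = 3389

# Internal ranges a small local-government network would normally treat as
# trusted: RFC 1918 private space plus loopback and link-local. Anything else
# is considered "external" for the purposes of this check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample export. The field names imitate a simple JSON dump from a
# firewall management interface and are an assumption, not a vendor schema.
SAMPLE_RULES = [
    {"id": 1, "direction": "in",  "action": "allow", "proto": "tcp", "src": "10.0.0.0/8",     "dst_ports": "3389"},
    {"id": 2, "direction": "in",  "action": "allow", "proto": "tcp", "src": "0.0.0.0/0",      "dst_ports": "3389"},
    {"id": 3, "direction": "in",  "action": "allow", "proto": "any", "src": "203.0.113.0/24", "dst_ports": "3000-4000"},
    {"id": 4, "direction": "in",  "action": "deny",  "proto": "tcp", "src": "any",            "dst_ports": "3389"},
    {"id": 5, "direction": "out", "action": "allow", "proto": "tcp", "src": "0.0.0.0/0",      "dst_ports": "3389"},
    {"id": 6, "direction": "in",  "action": "allow", "proto": "tcp", "src": "192.168.1.0/24", "dst_ports": "22,3389"},
]


def port_in_spec(port, spec):
    """True if `port` is covered by a port spec such as "3389", "22,3389",
    "3000-4000" or "any"."""
    for part in spec.replace(" ", "").split(","):
        if part == "any":
            return True
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            if low <= port <= high:
                return True
        elif int(part) == port:
            return True
    return False


def source_is_external(src):
    """True unless the whole source network sits inside one of INTERNAL_NETS."""
    if src == "any":
        return True
    net = ipaddress.ip_network(src, strict=False)
    return not any(net.version == inner.version and net.subnet_of(inner)
                   for inner in INTERNAL_NETS)


def find_exposed_rdp(rules, port=RDP_PORT):
    """Walk the rules in order (first-match semantics assumed) and return a
    finding for each inbound allow rule that exposes `port` to external
    sources. A deny for the port from any source shadows everything after it."""
    findings = []
    for rule in rules:
        if rule["direction"] != "in" or rule["proto"] not in ("tcp", "any"):
            continue
        if not port_in_spec(port, rule["dst_ports"]):
            continue
        if rule["action"] == "deny":
            if rule["src"] in ("any", "0.0.0.0/0"):
                break  # later allow rules for this port can never match
            continue
        if source_is_external(rule["src"]):
            findings.append({
                "id": rule["id"],
                "src": rule["src"],
                "ports": rule["dst_ports"],
                "reason": f"inbound {rule['proto']} to port {port} allowed from a non-private source",
            })
    return findings


if __name__ == "__main__":
    for finding in find_exposed_rdp(SAMPLE_RULES):
        print(f"rule {finding['id']}: {finding['reason']} "
              f"(src {finding['src']}, ports {finding['ports']})")
```

On the constructed sample the script flags rules 2 and 3: one that opens 3389 to the whole Internet and one whose port range and “any” protocol quietly include RDP. Rule 1 and rule 6 are limited to private space, and the blanket deny in rule 4 shadows everything after it. A real export would need its own field mapping, and the internal-range list should match the network actually in use.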
The final report offered “a guide to what my next options might be,” Olsen said. “… You end up with an attractive package of recommendations. A lot of it is boilerplate, but it’s useful boilerplate, and there is room for specifics to the particular organization.”
The specialist’s report also included resources, such as a sample incident report form, and pointed to NIST’s security incident handling guide.
Having gone through the checkup helps the town be confident that it has the basics in place. Knowing this, it can now consider hiring an auditor for a more in-depth cyber audit without worrying that the money would be wasted.
JEFFERSON COUNTY LIBRARY DISTRICT
The Jefferson County Library District completed the checkup in about two weeks. It was “very efficient,” said Library District Director Tamara Meredith. Filling out the questionnaire took about 30 minutes to an hour, and a later call in which the auditor’s office walked them through all the details and resources took about two hours, said Daniel Heaton, the library district’s systems and technical services manager.
Libraries face particularly tricky cyber challenges, because they must control for both internal and external risks. For example, staff might accidentally click phishing links or patrons might introduce viruses on USB drives they plug into the public computers.
“Trying to provide public access to Internet and to computers isn’t always in alignment with best security practices,” Heaton said.
The checkup helped outline where the library district could make progress, such as by ensuring multifactor authentication (MFA) is implemented for admins, clarifying policies included in the district’s handbooks and manuals and formalizing its cyber response plans into writing, Heaton said. The checkup also confirmed the importance of an in-progress backups improvement strategy.
“One of the most helpful things that have come out of this is the availability of templates and some working documents as models for us,” Meredith said. “When we went through the checklist, I would say a third of the things we were actually doing and doing well; a third of the things were kind of question marks, because we were kind of doing them but nothing was documented, or we didn’t really have something formalized. So it’s giving us really good questions to ask ourselves around what the work is that we need to be doing now.”
The library aims to later go through the state’s full, in-depth cyber audit, but it could wait years before its turn comes, Meredith said. Doing the checkup first, however, gives it help now and “really is a better starting point … especially for a smaller agency, because it really does focus on bigger areas rather than individual policies and really detail work.” This could put the district in position to take better advantage of the audit later.
SHARING THE FINDINGS
These kinds of programs can also help IT teams engage the rest of their government. Plus, having an outside party voice the importance of some of these cyber measures can add extra weight to the recommendations, as can being able to point to how the measures relate to the CIS controls.
“In some ways, the key benefit for me was creating visibility higher up the management chain,” Olsen said. “Having a sort-of impartial third-party reviewing our basic stuff and saying, ‘OK, this looks OK,’ or ‘You could ramp up your password policy,’ or ‘Are you doing phishing training?’ — stuff like that. It fairly economically and quickly came up with some talking points I could use with management to say, ‘Here we’re doing OK. Here we could be doing better.’”
For Meredith, sharing the final report with the board of trustees helped her show them a specific road map of the cyber work ahead.
And, Woelfle said, local governments can have a lot of faith in the advice coming from their state auditor’s office. For one, the office is already a familiar face. Plus, the auditor’s office doesn’t set standards or regulations for local governments and isn’t also trying to sell them services, software or hardware: “Therefore, we have a unique ability to provide an independent review for them of their cybersecurity practices and posture.”