E-GOV Security (Part 2–Twenty Critical Cyber Defense Controls to Secure Citizen Data & Maintain Public Trust)

The National Association of State CIOs (NASCIO) and Deloitte released findings from “The 2010 Deloitte-NASCIO Cybersecurity Study,” which found that state governments are NOT doing enough to secure citizen data and maintain public trust. In fact, looking at the details of this study, it’s evident that state governments have more personally identifiable information (PII) of citizens than any other organizations.

State governments fund security less than other entities, and CISOs often lack the authority to enforce security broadly throughout the government. The funding problem results in a shortage of IT security personnel. The study shows that only 2% of state governments have more than 50 information security FTEs, compared to 48.5% for similar-sized organizations.

While many state CISOs have adopted NIST standards for risk assessment, most state governments still do not adhere to enforcement mandates or audit compliance like FISMA (Federal Information Security Management Act), which is enforced at the federal government level. The irony is that adopting better security standards can actually save state and local governments (SLG) money on IT procurement and daily management and operations.

According to Gartner's 2008 "Case Study: Air Force Commodity Councils Take Aim at Mission Effectiveness," the U.S. Air Force adopted new security standards, including the Federal Desktop Core Configuration (FDCC), and used a Microsoft support agreement, which helped:

  • Speed up implementation of critical enterprise wide security standards
  • Save approximately $156 million in hardware costs
  • Enforce enterprise-level cybersecurity policies
  • Distribute software updates and perform configuration management in a timely manner
  • Save $100+ million in software licenses & other life cycle costs

In all, the USAF achieved better security and saved more than $256 million in 4 years simply by implementing stricter security standards and reining in spending on procurement and excess IT staff, reducing the number of systems administrators required to manage systems.

SLG needs to first improve security by implementing the Twenty Critical Controls for Effective Cyber Defense. Few SLG agencies have adopted ALL of these safeguards, and as a result we are losing the “Cyber War” in state and local government and are subject to threats and potential data loss that could dwarf by magnitudes what was released by Wikileaks.org.

Automation and software can also be mapped to the controls in order to fight back and gain the tactical advantage in cyberspace while implementing them. In an effort to simplify adoption, SANS has mapped a list of generic, user-vetted tools to the controls; however, there are also a number of Microsoft cloud and on-premises technologies that map to each of these 20 Critical Controls:

1. Inventory of Authorized and Unauthorized Devices

2. Inventory of Authorized and Unauthorized Software

3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

5. Boundary Defense

6. Maintenance, Monitoring, and Analysis of Security Audit Logs

7. Application Software Security

8. Controlled Use of Administrative Privileges

9. Controlled Access Based on Need to Know

10. Continuous Vulnerability Assessment and Remediation

11. Account Monitoring and Control

12. Malware Defenses

13. Limitation and Control of Network Ports, Protocols, and Services

14. Wireless Device Control

15. Data Loss Prevention

16. Secure Network Engineering

17. Penetration Tests and Red Team Exercises

18. Incident Response Capability

19. Data Recovery Capability

20. Security Skills Assessment and Appropriate Training to Fill Gaps

Microsoft has solutions, products and technologies that map into each of these weak control areas identified by the NSA & NIST, and many of them are already licensed by SLG agencies or are free downloads, but many controls have yet to be deployed. State and local government agencies may drastically improve security while saving money by implementing these security controls holistically rather than piecemeal, as has historically been the case.