APPENDIX I - CYBER SECURITY GUIDANCE

Government entities at every level must have appropriate policies in place, understand where vulnerabilities exist, weigh the risks involved and make informed decisions on how to spend resources to secure data. Some 10,000 new computer viruses were reported last year, and it now only takes a few minutes to compromise an unprotected computer that is connected to the Internet. The negative impact of a virus or successful cyber attack can be devastating on networks, on the information contained within systems and, just as importantly, on the confidence of those who trust that government is working to increase protection.

Each State and local government entity should develop and execute a comprehensive cyber security plan that demonstrates due diligence in cyber security. The plan must account for factors such as limited staff and resources (and staff turnover); varying size and complexity of the State and local government entities; varying cyber security and technology knowledge base within government; and a wide variance in technology being used. In addition to a comprehensive plan, government must periodically test and exercise this plan, using vulnerability assessments to identify gaps and training needs.

All jurisdictions should ensure that their cyber security plan addresses four main areas: Policy, Training, Technology Deployment, and Vulnerability Assessment. Each of these areas supports the others, and together they meet emerging standards of due diligence in information security. The questions below are designed to identify key issues within each major area at the State level.

Policy:

· Does the State have a cyber security plan in place that sets the vision, goals, and objectives for Statewide cyber security?
· Has the State published a clear policy statement on cyber security to support the plan, including a "permitted use" policy for all State-owned cyber assets? Has this policy set been made available to jurisdictions within the State so that it can be adapted for their use?
· Has the State established a certification/accreditation program for information systems?
· Does the State have a designated cyber security office/officer whose primary focus is on protecting the State's cyber infrastructure?
· Does the State have established cyber security metrics? Does the State have a mechanism for rating its cyber security alert level?
· Does the State maintain a current inventory of cyber assets, including personnel?
· Has the State established public, private, or academic partnerships for cyber security collaboration?
· Does the State have a capability for internal secure information sharing (Statewide secure portal)?
· Does the State have a formal mechanism for information sharing with external partners (including local government)?
· Does the State have a cyber operational center that functions 24/7? Does the State have an ad-hoc 24/7 capability if an operational center does not exist?
· Does the State have a Statewide Computer Security Incident Response Team?