Personal Security Practices of the CAO



Similar documents
Logging In: Auditing Cybersecurity in an Unsecure World

THE HARTFORD ASSET MANAGEMENT CHOICE sm POLICY NETWORK

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania

Professional Services Overview

Clavister InSight TM. Protecting Values

University System of Maryland University of Maryland, College Park Division of Information Technology

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

NASCIO 2015 State IT Recognition Awards

PII Compliance Guidelines

Privacy Impact Assessment. For Person Authentication Service (PAS) Date: January 9, 2015

Supplier Security Assessment Questionnaire

SOC & HIPAA Compliance

Client Security Risk Assessment Questionnaire

The Protection Mission a constant endeavor

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Attachment A. Identification of Risks/Cybersecurity Governance

Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m.

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Information Security Program CHARTER

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

Cyber, Security and Privacy Questionnaire

Information security controls. Briefing for clients on Experian information security controls

Hosted Testing and Grading

74% 96 Action Items. Compliance

Payment Card Industry Data Security Standard

PCI Compliance for Cloud Applications

Ecom Infotech. Page 1 of 6

Privacy Impact Assessment. For. Non-GFE for Remote Access. Date: May 26, Point of Contact and Author: Michael Gray

ADDENDUM TO STATE OF MARYLAND PURCHASES ISSUED UNDER STATE CONTRACT NO. 060B

Cyber Security. John Leek Chief Strategist

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

Projectplace: A Secure Project Collaboration Solution

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

Defending Against Data Beaches: Internal Controls for Cybersecurity

Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked

OCIE CYBERSECURITY INITIATIVE

Critical Controls for Cyber Security.

The STAGEnet Security Model

05.0 Application Development

End-user Security Analytics Strengthens Protection with ArcSight

TRIPWIRE NERC SOLUTION SUITE

Information Technology Branch Access Control Technical Standard

CHIS, Inc. Privacy General Guidelines

Big Data and Security: At the Edge of Prediction

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

A HELPING HAND TO PROTECT YOUR REPUTATION

SECURITY 2.0 LUNCHEON

Cloud Security: Getting It Right

Computer Crime & Security Survey

Analyzing HTTP/HTTPS Traffic Logs

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

SUPPLIER SECURITY STANDARD

INCIDENT RESPONSE CHECKLIST

Keyfort Cloud Services (KCS)

How To Secure Your Store Data With Fortinet

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

Incident Response. Six Best Practices for Managing Cyber Breaches. Nick Pollard, Senior Director Professional Services EMEA / APAC, Guidance Software

Cloud Security and Managing Use Risks

We are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review

Securing business data. CNS White Paper. Cloud for Enterprise. Effective Management of Data Security

Security Management. Keeping the IT Security Administrator Busy

F G F O A A N N U A L C O N F E R E N C E

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

STATE OF NEW JERSEY Security Controls Assessment Checklist

RETHINKING CYBER SECURITY Changing the Business Conversation

Information Technology Policy

CIP Supply Chain Risk Management (RM ) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016

I.T. Security Specialists. Cyber Security Solutions and Services. Caretower Corporate Brochure

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER

Compliance Guide: PCI DSS

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

Department of Information Technology Remote Access Audit Final Report. January promoting efficient & effective local government

Network Security Policy

Threat Intelligence for Dummies. Karen Scarfone Scarfone Cybersecurity

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice

Cybersecurity: Protecting Your Business. March 11, 2015

Vendor Risk Assessment Questionnaire

ClickTale Security Standards and Practices: Delivering Peace of Mind in Digital Optimization

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Securely Yours LLC IT Hot Topics. Sajay Rai, CPA, CISSP, CISM

Securely Yours LLC Top Security Topics for Sajay Rai, CPA, CISSP, CISM

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s

Automate PCI Compliance Monitoring, Investigation & Reporting

Transcription:

Personal Security Practices of the CAO 1. Do you forward your government email to your personal email account? 2. When is the last time you changed your Enterprise password? Within the last 60 days Within the last 90 days Within the past year Within the past two years Never 3. Do you know how your government's current security posture relates to industry best standards such as the NIST Cybersecurity Framework or SANS Critical Security Controls? Page 1

Security Human Resources 4. Does your jurisdiction have a full time employee whose tasking is Information Technology (IT) Security (CISO or CSO)? 5. Does your jurisdiction have a full time employee whose tasking is Cyber Physical Security (CPS)? 6. Does your jurisdiction have a full time employee whose tasking is Records Management (CRMO)? 7. Does your jurisdiction have a full time employee who is tasked with Network Security engineering (Firewall / Network Access Control/Routers/Switches, etc.)? Page 2

8. If you do not have full time IT security employee (ISO, CISO, engineer), who is tasked with IT security? Police Chief CIO Network Engineer Active Directory Administrator Schools Server Administrator Help Desk Technician 9. If you do not have a full time employee tasked with CP security who is tasked with this responsibility? CISO CSO CIO Controls System Engineer 10. How important is it for your jurisdiction to recruit and retain cyber security professionals? Importance rank 1 5 with 5 being very important. 1 2 3 4 5 Page 3

Security Financial Resources 11. What is the per constituent cost of your current IT Security practice (include salaries, network HDWR, SaaS, MSSP, etc.). 12. Do you fund annual IT Security training for the IT Security Staff? 13. What percentage of your annual IT budget is spent for IT Security? 14. Please estimate the amount of IT security spending as a percentage of annual discretionary spending for your government. Example, $7M discretionary spending for 2004 when IT security spending for that year was $100,000 would yield a result equal to.0014% 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 15. Is your IT department funded for annual Third Party IT Security risk assessment? Page 4

16. Does your organization have Data Breach Insurance? 17. If you answered yes to the previous question, what is the coverage value: $100,00 or Less $100,00 $500,000 $500,000 $1,000,000 $1,000,000 $5,000,000 $5,000,000 $10,000,000 $10,000,000 or more Question does not apply to me 18. Would your jurisdiction participate in a State Grant Program that would provide a onetime match 'new' IT/CP investments up to a maximum of $250,000 for your jurisdiction if you had to commit to sustaining that infrastructure for five years? Do not wish to answer Page 5

Security Best Practices 19. Are your Anti virus End Point Security updates current? (within two weeks of issuance) 20. Are the security updates on your Operating Systems current and up to date? (within two weeks of issuance) 21. Select which IT security capabilities are currently available with your Enterprise Network Data Base Encryption (SSNs, PII, etc.) Data encryption at rest Dual factor Authentication VPN/TLS transmissions Automated data retention and disposition Date Loss Prevention Application Firewall Mobile Device Management Email Encryption Web Security Appliance Network Access Control with Device Remote Access Posture Assessment Intrusion Detection Security Incident Event Manager Page 6

22. How do you proactively detect and analyze invalid user access and/or anomalies in applications and network traffic? SIEM IDS IPS 23. Has your government moved retention obligated records to the CLOUD? 24. If yes to the previous questions, is your government using the Government Grade CLOUD service or something less secure? 25. Do you require your IT/CP security personnel to provision never expire passwords for select individuals (agency heads, elected officials, etc.). 26. Has your government eliminated the use of Social Security Numbers as employee tracking numbers? Plan to remove in the next year Plan to remove in the next five years Page 7

27. Does your jurisdiction Procurement Office utilize contract language that requires vendors and contractors to confirm the use of Cyber Security Best Practices with regard to storing or handling government sensitive data? Do not wish to respond 28. Does your government Procurement Office utilize contract language that holds the vendor or contractor liable for data breach and or data corruption due to neglect and failure to sustain Cyber Security Best Practices in their operations? 29. Does the Treasurer and Commissioner of Revenue in your jurisdiction store Constituent Personal Identifiable Information (credit card / bank account/ SSN) in clear text (not encrypted)? 30. Does your new employee orientation include employee awareness training for IT/CP Security? 31. Does your new employee orientation include employee awareness training for Records Management? Page 8

32. Do you know if Operational Technologies for Cyber Physical Systems are in place within your jurisdiction (traffic light controls, water pumping controls, fire suppressant controls, etc)? 33. Do you have Cyber Physical Systems (SCADA, HVAC, etc.) secured in your jurisdiction? Page 9

Security Organization 34. Do you have a centralized or de centralized IT and Security organization? Centralized Decentralized 35. Does your IT Security organization have access to senior management for Risk notification etc? 36. Does your IT Security organization have authority to mitigate risks against your Enterprise without prior authorization from senior management if malicious activity is detected? 37. Does your IT Security organization have compliance authority in your Enterprise Network without senior management approval? Page 10

Security Policy, Processes and Training 38. Please select what policies your organization has in place: IT Security Acceptable Use Policy for employees and contractors Architecture Review Process System Development Life Cycle Records/Data retention Policy GPS tracking of smart phone policy GPS vehicle tracking policy BYOD Policy HIPAA compliance Policy 39. Do all employees receive annual IT Security training (online or classroom training)? 40. Do all employees receive annual Records Management training (online or classroom training)? 41. Does your government maintain an internal web presence where employee can go to learn about Cyber Security Best Practices, Threats, Risk, etc.? 42. Does your organization have a data retention and classification policy? Page 11

43. Do you believe your jurisdiction is compliant with State and Federal data retention policy? Page 12

Public School System IT Security 44. Is your jurisdiction's IT department also responsible for School Systems or are they separate entities? 45. Do your schools and government share the same computer Domain? N/A 46. Does your School System have an IT employee who reports to the jurisdiction CISO? 47. What would you estimate is the average timer per incident to remediate malware or botnet for your School System? 4 hours 24 hours 48 hours 72 hours Over a week 48. Does your School System provide after hours and/or weekend coverage in the event of a Cyber incident? Page 13

49. Does the School System in your jurisdiction have annual IT Security audits and is your government aware of the results of those audits? 50. Would you support a Governor's executive order that requires Publicly Funded Schools to follow Cyber Security Guidelines and Best Practices provided by the State Secretary of Technology or would you prefer to have those guidelines provided by your local jurisdiction's Chief Information Security Officer (CISO)? from State Technology Secretary from jurisdiction CISO Do no wish to disclose Page 14

Public Safety and IT Forensics 51. Does your jurisdiction have an established Police Dept Information Technology Forensics (PDITF) dept. or team? 52. If your jurisdiction does have an PDITF, do employee rotations apply those positions? N/A 53. Would you support excluding PDITF positions from employee rotations to promote better skill retention and development in support of improved effectiveness? Page 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information