The CIO wanted a series of gap analyses against the NIST Cybersecurity Framework (NIST CSF) and technical testing, resulting in a risk assessment of every department and its infrastructure. CI Security consultants jumped in and assessed seven of the State’s departments over a period of 18 months.
The consultants conducted in-depth facilitated discussions and interviews, identified many vulnerabilities and weaknesses, and found something all too common: there were numerous cases in which the State thought its departments were handling security issues and the departments thought the State was handling the issues. With that knowledge, the State improved communication and processes to address the problems.
The State also required a vulnerability assessment as a part of the risk assessment, which showed significant risks. Those risks were tied directly into the risk assessment methodology. The CI Security team looked closer and found an immature vulnerability management program. Immediately after getting the information, the State improved the program, reduced their vulnerabilities by 80%, and addressed US Government regulatory oversight requirements.
In order to meet standards of due diligence, the State asked CI Security to take a close look at the Department of Health and the state hospital system, and found that these State entities were missing key policies required by HIPAA. They also were not doing an adequate job of managing their vendors (called “Business Associates” in HIPAA) or training their employees with materials relevant to cybersecurity risks. CI Security assisted the Department of Health and the hospital system in becoming HIPAA compliant, improving their contract language to better adhere to HIPAA rules, and kick-starting their annual security awareness training.
In tandem with internal training, local governments should consider outsourcing their hosting and security efforts to minimize the footprint of a potential cyber threat.
They are more compliant and much better protected today because of the work they did to improve their security posture.
Executive VP of Professional Services at Critical Insight