Cybersecurity Risk Assessment and Mitigation
| Cybersecurity Risk Assessment and Mitigation | |
|---|---|
| |
 Protected data; Happier people in your Smart City and Community. | |
| Team Organizations | Cybertrust America Global Cyber Alliance (ISC)2 Silicon Valley Chapter EP3 Foundation Silicon Valley Cybersecurity Alliance Sightline Security |
| Team Leaders | Lan Jenson |
| Participating Municipalities | San Mateo CA Orange County CA San Jose CA |
| Status | Implemented |
| Document | None |
Description
Empower municipalities with cybersecurity risk assessment methodology and resources to enable timely understanding of their risk levels and appropriate mitigation against cyberrisks.
The risk assessment methodology is adapted from NIST Cybersecurity Framework with a Technical Risk Rating component and an Expert Assessment. The daunting resource shortage is addressed by a unique volunteer matching mechanism based on public-private partnerships.
Challenges
Municipalities are increasingly under attacks from cyberthreats from nation states and financially motivated criminals. Most of local government CIOs consider cybersecurity a top priority in 2018.
Municipalities are understaffed and often lack the required expertise to initiate a cohesive strategy, plan and mitigation against cyberthreats.
Solutions
The proposed solution addresses some of the biggest challenges by:
- establishing a NIST-standard risk management methodology
- identifying funding models for public institutions applicable
- providing free security rating technology
- providing free technologies to defend against most common vulnerabilities (email-validating DMARC and privacy preserving and secure DNS solution)
- matching experts to implement solutions pro bono or at cost
Major Requirements
Develop and assemble project team (completed)
Create scope and requirements, project plan (completed)
Develop system architecture (completed)
Create application development team (completed)
Identify a pilot program; design and roll out pilot (pilots identified)
Gain stakeholder support and buy-in from the community
Run pilot for three months
Summarize best practices and lessons learned and publish if applicable
Identify and engage next project sites
Performance Targets
| Key Performance Indicators (KPIs) | Measurement Methods |
|---|---|
|
Cybersecurity rating of a municipality (against baseline) Number of data breaches in public safety domains such as law enforcement, fire and emergency medical Services, schools, transportation |
Measurement of cybersecurity ratings of included entities in a municipality, compared to baseline Measurement of data breach count over 6 months period, compared to baseline |
Standards, Replicability, Scalability, and Sustainability
Uses the widely adopted NIST Cybersecurity Framework (NIST CSF)
Cybersecurity and Privacy
The web based applications used to provide near real time cybersecurity ratings to member municipalities and to match volunteers with member municipalities will be secured using SSL Certificates employing Extended Validation.
Impacts
Reducing economic losses of governments and smaller businesses to cybercrime and fostering economic diversity of all businesses
Improving quality of life for municipality officials and residents thanks to reduced cybercrime and privacy concerns
Fostering a culture of security by shrinking the skills gap in cybersecurity and privacy
Demonstration/Deployment
Web-based application to give technical cybersecurity ratings near real-time available in member municipalities;
Web-based platform to match volunteers with member municipalities real needs;
Tried and proven risk assessment methodology and mitigation from pilot projects in member municipalities.