Cybersecurity Risk Assessment and Mitigation: Difference between revisions
en>Ocadmin No edit summary |
No edit summary |
(8 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
{{ActionCluster | {{ActionCluster | ||
|image=ActionClusterImage.png | |||
|team=Cybertrust America, Global Cyber Alliance, (ISC)2 Silicon Valley Chapter, EP3 Foundation, Silicon Valley Cybersecurity Alliance, Sightline Security | |||
|leader=Lan Jenson | |||
|imagecaption=Protected data; Happier people in your Smart City and Community. | |||
|municipalities=San Mateo CA, Orange County CA, San Jose CA | |||
|status=Implemented | |||
|website=https://drive.google.com/open?id=1CUHh-1IWhbLBrHDFak_LDMEUS3fmxyVZ Tech Jam Presentation]; [https://docs.google.com/document/d/1JR9nwfa6AShDtNaMNz-LVwOA52kZbXuA5n_QUZXOsNQ/ Project worksheet | |||
|description=Empower municipalities with cybersecurity risk assessment methodology and resources to enable timely understanding of their risk levels and appropriate mitigation against cyberrisks. | |||
The risk assessment methodology is adapted from NIST Cybersecurity Framework with a Technical Risk Rating component and an Expert Assessment. The daunting resource shortage is addressed by a unique volunteer matching mechanism based on public-private partnerships. | |||
|challenges=Municipalities are increasingly under attacks from cyberthreats from nation states and financially motivated criminals. Most of local government CIOs consider cybersecurity a top priority in 2018. | |||
The risk assessment methodology is adapted from NIST Cybersecurity Framework with a Technical Risk Rating component and an Expert Assessment. The daunting resource shortage is addressed by a unique volunteer matching mechanism based on public-private partnerships. | |||
| challenges | |||
Municipalities are understaffed and often lack the required expertise to initiate a cohesive strategy, plan and mitigation against cyberthreats. | Municipalities are understaffed and often lack the required expertise to initiate a cohesive strategy, plan and mitigation against cyberthreats. | ||
|solutions=The proposed solution addresses some of the biggest challenges by: | |||
| solutions | |||
* establishing a NIST-standard risk management methodology | * establishing a NIST-standard risk management methodology | ||
* identifying funding models for public institutions applicable | * identifying funding models for public institutions applicable | ||
* providing free security rating technology | * providing free security rating technology | ||
* providing free technologies to defend against most common vulnerabilities (email-validating DMARC and privacy preserving and secure DNS solution) | * providing free technologies to defend against most common vulnerabilities (email-validating DMARC and privacy preserving and secure DNS solution) | ||
* matching experts to implement solutions pro bono or at cost | * matching experts to implement solutions pro bono or at cost | ||
|requirements=Develop and assemble project team (completed) | |||
| requirements | |||
Create scope and requirements, project plan (completed) | Create scope and requirements, project plan (completed) | ||
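Review bot: the `website` value in this hunk has unbalanced external-link brackets. The first URL (`https://drive.google.com/open?id=...`) has no opening `[`, and the `Project worksheet` label has no closing `]`. If the value relies on the template adding the outer brackets, record that in the template documentation; otherwise write each link as a complete `[URL label]` pair so the field renders the same wherever it is reused.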
Line 68: | Line 38: | ||
Identify and engage next project sites | Identify and engage next project sites | ||
|kpi=Cybersecurity rating of a municipality (against baseline) | |||
| kpi | |||
Number of data breaches in public safety domains such as law enforcement, fire and emergency medical Services, schools, transportation | Number of data breaches in public safety domains such as law enforcement, fire and emergency medical Services, schools, transportation | ||
|measurement=Measurement of cybersecurity ratings of included entities in a municipality, compared to baseline | |||
| measurement | |||
Measurement of data breach count over 6 months period, compared to baseline | Measurement of data breach count over 6 months period, compared to baseline | ||
|standards=Uses the widely adopted NIST Cybersecurity Framework (NIST CSF) | |||
|cybersecurity=The web based applications used to provide near real time cybersecurity ratings to member municipalities and to match volunteers with member municipalities will be secured using SSL Certificates employing Extended Validation. | |||
|impacts=Reducing economic losses of governments and smaller businesses to cybercrime and fostering economic diversity of all businesses | |||
| standards | |||
| cybersecurity | |||
| impacts | |||
Improving quality of life for municipality officials and residents thanks to reduced cybercrime and privacy concerns | Improving quality of life for municipality officials and residents thanks to reduced cybercrime and privacy concerns | ||
Fostering a culture of security by shrinking the skills gap in cybersecurity and privacy | Fostering a culture of security by shrinking the skills gap in cybersecurity and privacy | ||
|demonstration=Web-based application to give technical cybersecurity ratings near real-time available in member municipalities; | |||
| demonstration | |||
Web-based platform to match volunteers with member municipalities real needs; | Web-based platform to match volunteers with member municipalities real needs; | ||
Tried and proven risk assessment methodology and mitigation from pilot projects in member municipalities. | Tried and proven risk assessment methodology and mitigation from pilot projects in member municipalities. | ||
|chapter=Cybersecurity and Privacy Risk Management | |||
|supercluster=Cybersecurity and Privacy, Wireless | |||
|year=2018 | |||
|title=Cyber Resilience Planning (formerly Cybersecurity Risk Assessment and Mitigation) | |||
|email=lan@adaptablesecurity.org | |||
|replicability=Standardized processes are not unique to city or region and can be replicated and scaled up in multiple cities/communities. The solution is planned to be replicated in 2 more cities in the US. | |||
The system will have its own business model to create sustainable revenue stream. | |||
}} | }} | ||
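Review bot: the `cybersecurity=` value in this hunk names Extended Validation certificates as the only protection for the rating and volunteer-matching applications. Extended Validation concerns how the certificate holder's identity is vetted; it does not describe how access to the ratings or the volunteer data is controlled. Suggest the field also state how users of the two applications are authenticated and authorized, since the same hunk describes them as serving near-real-time ratings for member municipalities.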
Latest revision as of 22:32, January 24, 2023
Cybersecurity Risk Assessment and Mitigation | |
---|---|
Protected data; Happier people in your Smart City and Community. | |
Team Organizations | Cybertrust America, Global Cyber Alliance, (ISC)2 Silicon Valley Chapter, EP3 Foundation, Silicon Valley Cybersecurity Alliance, Sightline Security |
Team Leaders | Lan Jenson |
Participating Municipalities | San Mateo CA, Orange County CA, San Jose CA |
Status | Implemented |
Document | None |
Description
Empower municipalities with a cybersecurity risk assessment methodology and resources to enable timely understanding of their risk levels and appropriate mitigation against cyber risks.
The risk assessment methodology is adapted from the NIST Cybersecurity Framework with a Technical Risk Rating component and an Expert Assessment. The daunting resource shortage is addressed by a unique volunteer matching mechanism based on public-private partnerships.
Challenges
Municipalities are increasingly under attack from cyberthreats posed by nation states and financially motivated criminals. Most local government CIOs consider cybersecurity a top priority in 2018.
Municipalities are understaffed and often lack the required expertise to initiate a cohesive strategy, plan and mitigation against cyberthreats.
Solutions
The proposed solution addresses some of the biggest challenges by:
- establishing a NIST-standard risk management methodology
- identifying applicable funding models for public institutions
- providing free security rating technology
- providing free technologies to defend against the most common vulnerabilities (email-validating DMARC and a privacy-preserving, secure DNS solution)
- matching experts to implement solutions pro bono or at cost
Major Requirements
Develop and assemble project team (completed)
Create scope and requirements, project plan (completed)
Develop system architecture (completed)
Create application development team (completed)
Identify a pilot program; design and roll out pilot (pilots identified)
Gain stakeholder support and buy-in from the community
Run pilot for three months
Summarize best practices and lessons learned and publish if applicable
Identify and engage next project sites
Performance Targets
Key Performance Indicators (KPIs) | Measurement Methods |
---|---|
Cybersecurity rating of a municipality (against baseline) | Measurement of cybersecurity ratings of included entities in a municipality, compared to baseline |
Number of data breaches in public safety domains such as law enforcement, fire and emergency medical services, schools, transportation | Measurement of data breach count over a 6-month period, compared to baseline |
Standards, Replicability, Scalability, and Sustainability
Uses the widely adopted NIST Cybersecurity Framework (NIST CSF)
Cybersecurity and Privacy
The web-based applications used to provide near-real-time cybersecurity ratings to member municipalities and to match volunteers with member municipalities will be secured using SSL certificates employing Extended Validation.
Impacts
Reducing economic losses of governments and smaller businesses to cybercrime and fostering economic diversity of all businesses
Improving quality of life for municipality officials and residents thanks to reduced cybercrime and privacy concerns
Fostering a culture of security by shrinking the skills gap in cybersecurity and privacy
Demonstration/Deployment
Web-based application that gives near-real-time technical cybersecurity ratings, available in member municipalities;
Web-based platform to match volunteers with member municipalities' real needs;
Tried and proven risk assessment methodology and mitigation from pilot projects in member municipalities.