Cybersecurity Risk Assessment and Mitigation

From OpenCommons
Revision as of 22:32, January 24, 2023 by Pinfold (talk | contribs)

Protected data; Happier people in your Smart City and Community.
Team Organizations: Cybertrust America; Global Cyber Alliance; (ISC)2 Silicon Valley Chapter; EP3 Foundation; Silicon Valley Cybersecurity Alliance; Sightline Security
Team Leaders: Lan Jenson
Participating Municipalities: San Mateo CA; Orange County CA; San Jose CA
Status: Implemented
Document: None


Empower municipalities with cybersecurity risk assessment methodology and resources to enable timely understanding of their risk levels and appropriate mitigation against cyberrisks.

The risk assessment methodology is adapted from the NIST Cybersecurity Framework, extended with a Technical Risk Rating component and an Expert Assessment. The daunting resource shortage is addressed by a unique volunteer-matching mechanism built on public-private partnerships.


Municipalities are increasingly under attack from nation states and financially motivated criminals. Most local government CIOs consider cybersecurity a top priority in 2018.

Municipalities are understaffed and often lack the expertise required to initiate a cohesive strategy, plan and mitigation against cyberthreats.


The proposed solution addresses some of the biggest challenges by:

  • establishing a NIST-standard risk management methodology
  • identifying funding models applicable to public institutions
  • providing free security rating technology
  • providing free technologies to defend against the most common vulnerabilities (DMARC for email authentication, and a privacy-preserving, secure DNS solution)
  • matching experts to implement solutions pro bono or at cost

Major Requirements

Develop and assemble project team (completed)

Create scope and requirements, project plan (completed)

Develop system architecture (completed)

Create application development team (completed)

Identify a pilot program; design and roll out pilot (pilots identified)

Gain stakeholder support and buy-in from the community

Run pilot for three months

Summarize best practices and lessons learned and publish if applicable

Identify and engage next project sites

Performance Targets

Key Performance Indicators (KPIs) | Measurement Methods
--- | ---
Cybersecurity rating of a municipality (against baseline) | Measurement of cybersecurity ratings of included entities in a municipality, compared to baseline
Number of data breaches in public safety domains such as law enforcement, fire and emergency medical services, schools, transportation | Measurement of data breach count over a 6-month period, compared to baseline

Standards, Replicability, Scalability, and Sustainability

Uses the widely adopted NIST Cybersecurity Framework (NIST CSF)

Cybersecurity and Privacy

The web-based applications used to provide near-real-time cybersecurity ratings to member municipalities and to match volunteers with member municipalities will be secured using SSL/TLS certificates with Extended Validation (EV).


Reducing economic losses of governments and smaller businesses to cybercrime and fostering economic diversity of all businesses

Improving quality of life for municipality officials and residents thanks to reduced cybercrime and privacy concerns

Fostering a culture of security by shrinking the skills gap in cybersecurity and privacy


Web-based application providing near-real-time technical cybersecurity ratings to member municipalities;

Web-based platform to match volunteers with member municipalities' real needs;

Tried and proven risk assessment methodology and mitigation from pilot projects in member municipalities.