Cybersecurity Risk Assessment and Mitigation

From GCTC Action Cluster Catalog
Protected data; Happier people in your Smart City and Community.
Team Members: Adaptable Security Corp, Global Cyber Alliance, (ISC)2 Silicon Valley Chapter, EP3 Foundation, Silicon Valley Cybersecurity Alliance, Sightline Security Corp
Point of Contact: Lan Jenson
Participating Municipalities: San Mateo County, CA USA; Orange County, CA USA; San Jose, CA USA
Status: Implementation
Website
Download: Tech Jam Presentation; Project worksheet

Description

Empower municipalities with a cybersecurity risk assessment methodology and resources that enable a timely understanding of their risk levels and appropriate mitigation of cyber risks.

The risk assessment methodology is adapted from the NIST Cybersecurity Framework, with a Technical Risk Rating component and an Expert Assessment. The daunting resource shortage is addressed by a unique volunteer matching mechanism based on public-private partnerships.

Challenges

Municipalities are increasingly under attack by cyberthreats from nation states and financially motivated criminals. Most local government CIOs consider cybersecurity a top priority in 2018.

Municipalities are understaffed and often lack the expertise required to initiate a cohesive strategy, plan and mitigation against cyberthreats.

Solutions

The proposed solution addresses some of the biggest challenges by:

  • establishing a NIST-standard risk management methodology
  • identifying applicable funding models for public institutions
  • providing free security rating technology
  • providing free technologies to defend against the most common vulnerabilities (email-validating DMARC and a privacy-preserving, secure DNS solution)
  • matching experts to implement solutions pro bono or at cost

Major Requirements

Develop and assemble project team (completed)

Create scope and requirements, project plan (completed)

Develop system architecture (completed)

Create application development team (completed)

Identify a pilot program; design and roll out pilot (pilots identified)


Gain stakeholder support and buy-in from the community

Run pilot for three months

Summarize best practices and lessons learned and publish if applicable

Identify and engage next project sites

Performance Targets

Key Performance Indicator (KPI): Cybersecurity rating of a municipality (against baseline)
Measurement Method: Measurement of cybersecurity ratings of included entities in a municipality, compared to baseline

Key Performance Indicator (KPI): Number of data breaches in public safety domains such as law enforcement, fire and emergency medical services, schools, transportation
Measurement Method: Measurement of data breach count over a 6-month period, compared to baseline

Standards, Replicability, Scalability, and Sustainability

Uses the widely adopted NIST Cybersecurity Framework (NIST CSF)

Cybersecurity and Privacy

The web-based applications used to provide near-real-time cybersecurity ratings to member municipalities and to match volunteers with member municipalities will be secured using SSL Certificates employing Extended Validation.

Impacts

Reducing economic losses of governments and smaller businesses to cybercrime and fostering economic diversity of all businesses

Improving quality of life for municipality officials and residents thanks to reduced cybercrime and privacy concerns

Fostering a culture of security by shrinking the skills gap in cybersecurity and privacy

Demonstration/Deployment

Web-based application that gives near-real-time technical cybersecurity ratings, available in member municipalities;

Web-based platform to match volunteers with member municipalities' real needs;

Tried and proven risk assessment methodology and mitigation from pilot projects in member municipalities.