Next week, I am scheduled for a semi-annual risk assessment with my dentist. He performs a very specific, highly focused type of risk assessment that is totally worth the $125 it will cost. In addition to performing specialized maintenance (ultrasonic cleaning), he will provide a threat assessment (for oral cancer, cavities, periodontal disease and other anomalies). I’ll leave his office confident that my mouth is in a low-risk situation for the next six months as long as I continue to follow best practices and perform daily maintenance procedures. I am only vulnerable to these threats if I fail to follow a daily program of brushing and flossing.
I could always choose to save the small fee for these risk assessments and wait for a major dental disaster to occur. The problem with this approach is that a single incident may cost thousands of dollars if I need a root canal or some other type of procedure. Ten years of checkups are less costly than even a single disaster.
Enterprise IT risk assessments
Unfortunately, in the world of local government and SMBs, the most common approach to risk management is to allow a major catastrophe to occur before realizing the value of an enterprise risk management program.
I am at a loss to explain it. Incidents or problems involving your information and IT infrastructure are far more costly than risk management programs. Data loss, breaches, major downtime, malware, lawsuits and fines for compliance violations may cost hundreds of thousands or millions of dollars. They can permanently shut down your small business or really irritate your board of directors in a corporate environment. In the public sector, constituents pay for major screw-ups through increased taxes while the events are often covered up and the culprits skirt the blame and keep their jobs.
When was your organization’s last risk assessment? Can you put your hands on the report? If you haven’t had a risk assessment recently, it’s a safe bet that your policies are sorely lacking. Defining an organizational policy for risk assessment is an essential component of any comprehensive suite of security policies. Both HIPAA and GLBA require periodic risk assessments, but it is a sound practice for all types and sizes of organizations.
Where to start?
If you haven’t previously conducted an enterprise IT risk assessment, you should carefully consider your starting point. For example, if you have few or no security policies, it may be wise to form an IG (information governance) committee and begin by developing a comprehensive set of policies, procedures, standards and guidelines. On the other hand, your management team may benefit from the kind of wake-up call that a devastatingly thorough risk assessment can produce. A 100-page report that says you suck at security and risk management on every page may be just what you need to get everyone’s attention.
The results of a risk assessment should be used to reduce your organization’s risk exposure, improve CIA (confidentiality, integrity and availability), initiate positive change, and begin building a security culture. While using risk assessments as a punitive device isn’t the best approach, such reports often expose malfeasance and incompetence of proportions so vast that appropriate consequences are in order. In other words, if you have been paying a CIO $200,000 and the assessment uncovers gaping policy, security and privacy holes, you should certainly replace the CIO with one who has the required skill set.
Scope the project carefully
Risk assessments come in a lot of flavors, and the specific purpose and scope must be worked out with the auditors in advance. A few years ago, a client of mine released an RFP for a risk assessment after we worked extensively on the development of their information security policies. The proposals ranged from $15,000 to well over $150,000. This can happen even with a pretty clear scope. Big 4 firms, for instance, have hourly rates that may be several times what a local, independent practitioner may charge. NIST SP 800-30 (Rev. 1, Guide for Conducting Risk Assessments) provides valuable information on how to perform risk assessments, including some information on scoping.
Risk assessments may be qualitative or quantitative. You may be able to do some of the quantitative work in-house by gathering cost data for all your assets in advance of the assessment. Regardless of the scope and approach, the auditors will ask to see lots of documentation: your policies and procedures, asset and data inventories, network diagrams, prior audit findings and evidence that backups and incident response have actually been tested.
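As an added example (not code from the original article), here is the kind of in-house quantitative worksheet the paragraph above alludes to: single loss expectancy (asset value times exposure factor), annualized loss expectancy (SLE times annual rate of occurrence) and the net value of a proposed control. The asset, dollar figures, exposure factors and occurrence rates are constructed assumptions for illustration only. NIST SP 800-30 itself leans toward qualitative and semi-quantitative scales, so treat this as the arithmetic behind the cost data you gather, not as the assessment.

```python
"""Quantitative risk worksheet: single loss expectancy, annualized loss
expectancy and the net value of a control.

Added example, not code from the original article or from NIST SP 800-30.
The SLE/ALE arithmetic is the standard quantitative method; the assets,
dollar figures, exposure factors and rates below are constructed
illustrations for a county, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float      # replacement or impact cost gathered in-house, USD
    exposure_factor: float  # fraction of asset value lost per incident, 0..1
    aro: float              # annual rate of occurrence (0.2 = once in 5 years)

    def __post_init__(self) -> None:
        # Reject inputs that make the arithmetic meaningless.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.asset}: exposure_factor must be in [0, 1]")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.asset}: asset_value and aro must be >= 0")

    def sle(self) -> float:
        """Single loss expectancy: expected cost of one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual value of a control: the ALE it removes minus its yearly
    cost. Positive means the control pays for itself."""
    return before.ale() - after.ale() - annual_control_cost


def rank_by_ale(risks: list[Risk]) -> list[str]:
    """Asset names ordered by expected annual loss, largest first; this is
    the order in which an assessment should spend its attention."""
    return [r.asset for r in sorted(risks, key=Risk.ale, reverse=True)]


# Constructed figures (assumptions, not from the article): a land-records
# database hit by ransomware, before and after funding tested offline backups.
LAND_RECORDS_BEFORE = Risk("land records DB", 2_000_000, 0.50, 0.2)
LAND_RECORDS_AFTER = Risk("land records DB", 2_000_000, 0.10, 0.2)
BACKUP_CONTROL_COST = 30_000  # per year, constructed

PAYROLL = Risk("payroll system", 500_000, 0.40, 0.1)
PUBLIC_WEBSITE = Risk("public website", 50_000, 1.00, 1.0)

if __name__ == "__main__":
    print(f"SLE before: ${LAND_RECORDS_BEFORE.sle():,.0f}")
    print(f"ALE before: ${LAND_RECORDS_BEFORE.ale():,.0f}")
    print(f"ALE after:  ${LAND_RECORDS_AFTER.ale():,.0f}")
    net = control_value(LAND_RECORDS_BEFORE, LAND_RECORDS_AFTER, BACKUP_CONTROL_COST)
    print(f"net value of backup control: ${net:,.0f}")
    print("priority:", rank_by_ale([LAND_RECORDS_BEFORE, PAYROLL, PUBLIC_WEBSITE]))
```

The ranking tells you where the auditors' time should go first; the control value is the dentist arithmetic from the top of this post, a control's yearly cost compared against the expected loss it removes. The weak spot in every such worksheet is the annual rate of occurrence, which is a guess unless you have incident history or industry data behind it, so record where each number came from.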
One positive outcome of a risk assessment is that it may force your management team to rethink EVERYTHING – in-house application development, infrastructure support, IT staffing & responsibilities, LOB (line of business) staffing & responsibilities, budgets, and just about everything else related to the manner in which your organization is run.
Risk assessments are way cheaper than disasters, so go schedule your checkup.
© Copyright Jeffrey Morgan, 2017
In New York State, Governor Andrew Cuomo’s Countywide Shared Services Initiative “requires counties to assemble local governments to find efficiencies for real, recurring taxpayer savings… by coordinating and eliminating duplicative services and propose coordinated services to enhance purchasing power.”[i] New York is currently offering substantial financial incentives to municipal organizations that “create savings.”
According to a 2013 study[ii], about 8 percent of municipalities participate in IT shared services programs. Considering the financial incentives, I suspect that the percentage has increased significantly since that time.
In theory, shared services agreements among municipal entities appear to be a great deal for everyone involved, and especially for taxpayers. In reality? I am not only skeptical; I have seen the negative consequences of such agreements in the form of low-quality IT services that cost far more than similar services delivered by commercial vendors.
One possible scenario
In a common shared IT services scenario, a county IT department becomes a service provider for the cities, towns and villages in its jurisdiction. This may include email, infrastructure services, help desk services, software, printing of tax bills, break/fix services, hardware procurement and much more.
In this type of scenario, the county’s management may view such a deal as an opportunity to turn their IT operation from a cost center to a profit center. However, the differences in performance and productivity between the private and public sectors can be stark. Running a successful commercial IT services business is a tough, highly competitive undertaking that requires excellent management skills and continuous improvement.
For many municipal managers and elected officials, the one-time financial incentive may blind them to the necessity of examining the long-term consequences of such an arrangement. In other words, they will try to build the airplane in the air, and the basis for the deal may be little more than a handshake, devoid of details and disconnected from reality.
Get it right!
It is possible for a municipal shared services agreement to be successful, but success won’t be accidental. If you are involved in negotiating such an agreement, I provide the following suggestions to ensure that you make the best deal possible.
Use rigorous procurement methodology
A shared services agreement should be treated exactly the same as a deal with a commercial vendor. The documentation required for the evaluation should include, at a minimum, the following:
- Service level requirements. This is a document that precisely defines your requirements. Before entering into any service agreements with outside agencies, your organization should thoroughly understand and document your business needs, goals and objectives.
- Service level agreement. This agreement is an essential part of any professional services contract. It defines requirements, responsibilities and accountability and includes financial penalties if the provider fails to meet agreed-upon service level targets.
- Catalog of services. What is the universe of services offered by your service provider? How much does each service cost, and when are such services available? How do you obtain services not covered in the agreement?
- PSA (professional services automation) system. An automated, auditable system for tracking incidents is a requirement for managed service providers. The system should be configured to send alerts to management and executives when the provider fails to meet agreed-upon service levels. Daily or weekly status reports should be available to the customer.
The agreement framework
Will this be a simple agreement using an MOU (memorandum of understanding) or some sort of BPA (business partnership agreement)? Regardless of the format recommended by your attorney, a clear exit path must be part of the agreement in case the relationship doesn’t work out. Agreements with commercial vendors always spell out how the relationship may be dissolved, but I have seen municipal shared services agreements that have no such escape clauses for the “customer.” Make sure you can get out of the deal if it isn’t working out.
Commingle infrastructure resources carefully
A significant risk of a shared services deal is that IT infrastructure built between the parties may become intertwined to an extent that is difficult and expensive to unravel. Clear boundaries should be established that will allow the parties to simply unplug if the deal doesn’t work out; shared directories, email domains and network address space are the usual places where that boundary quietly disappears. Also, who owns the infrastructure and the data? How do you get your data back, and in what format, once the relationship is dissolved, and how will you verify that the provider’s copies have been destroyed?
Information security, governance and policy
Whose governance policies will apply? Acceptable use policies, security policies, regulatory compliance policies and personnel policies, as well as organizational culture, should all be considered. How will sanctions for policy violations be addressed between agencies? Who handles incident response and breach notification when a shared system is compromised, and how quickly must the provider tell you?
Is the provider using good practices for ITSM (information technology service management) and ISMS (information security management systems)? Are they an ITIL or ISO/IEC 20000 shop? How will security be managed? Do they follow any generally accepted framework for information security, such as ISO/IEC 27001 or the NIST Cybersecurity Framework? Ask for evidence rather than assurances: a current risk assessment, recent audit or penetration test results and documented, tested incident response procedures.
Who will define quality standards? In the commercial world, the customer determines quality. In the public sector, the provider often defines quality — the DMV being a perfect example. What recourse do you have if the provider fails to meet quality standards? With a commercial vendor, you simply terminate the deal. In a shared services scenario, terminating the deal may require political capital that is not available. These arrangements present the real risk that you could be stuck with a bad deal for years or even decades.
These are only a few examples of the processes required to evaluate and negotiate a successful shared services agreement.
The great advantage of democratic local government is that citizens have the ability to address poor municipal management through the democratic process. If we’re not happy with the decisions and actions of management, city council or a county commission, we can simply vote them out of office. The problem with the trend toward regionalization of government functions and services is that we lose that ability to control it through elections. Don’t lose your ability to control your information technology operations by making a bad shared services deal.
References and endnotes
[i] “Shared Services Among New York’s Local Governments,” research brief, Office of the New York State Comptroller, Division of Local Government and School Accountability, November 2009.
[ii] “Shared Services in New York State: A Reform That Works,” George Homsy, Bingxi Qian, Yang Wang and Mildred Warner, August 2013.
This article first appeared on CIO.com at http://www.cio.com/article/3196248/leadership-management/municipal-shared-services-agreements-for-information-technology.html
© Copyright Jeffrey Morgan, 2017
Because Mother Nature is so stingy when she doles out the gene for common sense, frameworks and standards for IT governance had to be invented.
Recently, I heard about an incident in which a municipal IT director was planning and executing significant changes to a department’s critical infrastructure without informing the customer — the department personnel. After being confronted, he insisted that he wasn’t required to inform the stakeholders because it was routine and he didn’t need departmental approval. Huh! To make matters worse, the changes involved significant risks that were far beyond the understanding of that IT director and his staff.
This behavior is appalling on many levels, but it is representative of the service provided by many municipal IT managers who believe IT is a dictatorial, rather than collaborative, profession. A few of the things this scenario tells us about the organization include the following:
1. The organization isn’t using a framework for IT governance and IT Service Management (ITSM).
2. Executive oversight of IT is inadequate.
3. The organization lacks a risk management program with change-control policies and procedures.
I will address the first two items below, and we can address item No. 3 in a subsequent article, so don’t forget to check back.
Sacred cows and your executive legacy
Municipal IT operations tend to be monopolies, and the customer service they provide is all too often in keeping with what one would expect from any monopoly. There is no good reason for this state of affairs, and you can fix it with relative ease. Enabling deplorable IT services doesn’t have to be one of your executive legacies.
Municipal IT often operates on a charge-back model, where customers (internal departments) are forced to pay a flat annual fee or an hourly rate for IT services. The customers are unable to pursue competitive services from external vendors that may provide considerably better quality at a significantly lower cost. In the bubble of government IT, market forces never apply the pressure required to initiate change, and the IT department remains a sacred cow trapped in outmoded thinking and ancient processes.
Solutions, tools and techniques
In previous articles[i], I have discussed several management tools, techniques and processes that will significantly improve IT performance and customer service in your organization. Here, I will add one more concept: the RACI (Responsible, Accountable, Consulted and Informed) model.
The RACI model is an excellent tool for clarifying roles and responsibilities within a process. Using RACI can increase transparency and address the lack of oversight, so that all the players clearly understand their roles in the grand scheme. Let’s take a look at an example of how it might be used to identify appropriate roles for the operation and maintenance of a county clerk’s software application.
Although your matrix may be different, what won’t be different is that multiple stakeholders are involved. If there are a significant number of public users of the system, such as attorneys and title researchers, you might want to add them to the matrix as well.
While the RACI model is an important component of frameworks and standards such as COBIT, ITIL and ISO 20000, undertaking a full implementation of any of these programs isn’t necessary to make significant performance improvements to your IT operations and customer service.
Don’t count on common sense as a reliable management tool; use IT governance instead.
For further reading
“How to Design a Successful RACI Project Plan,” by Bob Kantor, CIO.com, May 22, 2012
[i] “Improving IT Customer Service with Service Level Agreements (SLA),” by Jeffrey Morgan, e-volve Information Technology Services
“What Is the Biggest Threat to Internal IT Departments?” by Jeffrey Morgan, CIO.com, Oct. 3, 2016
“High Crimes and Misdemeanors of CIOs,” by Jeffrey Morgan, CIO.com, Oct. 17, 2016
“Improving IT Customer Service, Part 2: Using a PSA System,” by Jeffrey Morgan, e-volve Information Technology Services
This article was first published on CIO.com at http://www.cio.com/article/3195073/leadership-management/county-municipal-it-customer-service-and-the-raci-model.html
© Copyright Jeffrey Morgan, 2017
What’s your municipal organization’s most valuable asset?
The correct answer is information, but you wouldn’t know it by observing the casual, haphazard manner in which information is managed in many county and municipal operations. Information is often the least valued and least understood asset in local government organizations.
Tangible assets such as buildings and equipment are insured and can be replaced with relative ease. If your data vanishes, you may never be able to replace it. A breach of confidential information can never be made right and your organization’s reputation will be tarnished for years to come. Litigation that results from poor information management can cripple your organization, and the cost of discovery alone often forces organizations to settle.
The core problem
Does your municipal organization have a formal information governance (IG) program?
Most municipal entities don’t have IG programs and consequently lack institutional, enterprisewide understanding of their information assets. The root of the problem is a dearth of leadership in information management that starts with senior executives and elected officials. In many cases, there are departmental managers who do understand their own information universes, but those individuals rarely carry enough clout to influence the decision-making processes at the enterprise level.
“Jeff, hold the phone! We already have a records management program and a CIO. We’re on top of this.”
Information governance isn’t records management, although records management is a subset of IG. Robert Smallwood provides an excellent definition of information governance: “Security, control and optimization of information.”[i] He takes it a step further and writes “Information governance is policy-based control of information to meet all legal, regulatory, risk, and business demands.”[ii] These two statements sound simple, but if you ponder their meanings a bit, they have enormous implications not only for information management in your organization, but for the way in which your entire organization is managed.
The role of the municipal CIO
In my experience, municipal IT operations are often poorly aligned with the business divisions they support and silos are an endemic problem in such organizations. I don’t want to paint with too broad a brush because there are plenty of CIOs who do understand their organizations’ business and information requirements. However, in municipal government, such people are rare.
While the title chief information officer implies a deep understanding of information, many municipal CIOs function more as technology directors and sometimes they more closely resemble purchasing managers or other roles. Since there is no universal definition of a CIO’s role, it is not reasonable to expect that they all come to their job with a clear understanding of information governance. Moreover, municipalities can have several dozen lines of business, each with its own set of complex regulatory requirements, so asking your CIO to be a Master of the Universe may be asking too much.
The solution: What IG can do for your organization
If you don’t have an IG program, I encourage you to start one. I am talking about creating an ecumenical view of your organization’s information assets and aligning that view with your business requirements at every level of your organization. Establishing such a program will allow you to build a superstructure that includes the following:
- Enterprise information management and strategic planning: auditing, risk management, records retention, metadata standardization, storage, FOIA, defensible deletion, eradication of silos and more.
- Enterprise information security (infosec) and cybersecurity: Develop policies, processes and procedures for security that are aligned with your organization’s risks and requirements. Create a culture of security in your organization. Vastly decrease security risks.
- IT service management (ITSM): Improve IT services by aligning them with the organization’s business requirements as determined by the IG committee. IT governance is often treated in county and municipal government as if it is somehow separate, but IT may be more productive if it is treated as a component of an overarching information governance program.
The IG committee
I am not a proponent of management by committee, but in a county or municipal setting with many lines of business, an information governance committee is appropriate not only to oversee information policies and procedures, but to provide guidance and oversight for IT operations as well. The makeup of your municipal IG committee will resemble the following:
- An executive sponsor: Preferably the county executive, city manager or similar role.
- An elected official: A county commissioner, city council member, etc. The primary governing board must be a key part of the IG team.
- The municipal attorney.
- A human resources official.
- An IT professional.
- A risk management specialist.
- A records management staffer.
- Representatives from other key departments, potentially including law enforcement, corrections, nursing home services, public health, mental health, social services, the county recorder, etc.
References and resources
Following are links to some resources for more information about developing an IG program.
ARMA International, a not-for-profit association for professionals specializing in governing information as a strategic asset.
Information Governance Initiative, a forum for information governance professionals.
AIIM, a nonprofit membership organization for information professionals.
Institute for Information Governance, a provider of training in the fields of information governance and electronic records management.
EDRM, a provider of resources related to e-discovery and information governance. Part of the Duke Law Center for Judicial Studies.
“Defining the Differences Between Information Governance, IT Governance and Data Governance,” by Robert Smallwood, Aug. 18, 2014. Retrieved April 17, 2017, from the AIIM website.
Information Governance for Executives, by Robert Smallwood. Bacchus Business Books, 2016.
[i] Smallwood, Robert. Information Governance for Executives. Bacchus Business Books, 2016.
[ii] Smallwood, Robert. “Defining the Differences Between Information Governance, IT Governance and Data Governance,” AIIM, Aug. 18, 2014.
This article first appeared on CIO.com at http://www.cio.com/article/3192530/security/information-governance-for-counties-and-municipalities.html
© Copyright Jeffrey Morgan, 2017
Over the course of the last year, both Macy’s stores within a reasonable drive of me closed. No doubt, those closings will seal the fate of the malls for which they were anchor stores.
I am getting a little tired of reading the business obituaries of Macy’s that claim Amazon is somehow to blame for their decline. It is easy for me to understand what happened to them, and it has nothing to do with Amazon.
Macy’s committed suicide.
I remember buying a beautiful pair of 100% wool, Italian import navy dress trousers from them in the late 1990s. My Italian tailor loved them. As soon as I drop the 15 pounds I put on this winter, I will wear them again.
As a customer of Macy’s for decades, I don’t need to study financial statements and demographic trends to understand what happened. I have watched the slow, relentless decline of the quality of their merchandise for the last two decades. Since I bought those Italian pants nearly twenty years ago, I haven’t bought much from them, and certainly not men’s clothing. They went from carrying excellent products to cheap, low-quality “designer” products manufactured in Chinese or other Asian sweatshops. Fit is a problem as well. Their men’s clothing all seemed to be designed for twenty-somethings who drink skinny soy lattes and have never seen the inside of a gym.
These days, I get suits and wool trousers from my haberdasher – H. Strauss. I can still purchase quality products there and they are often made in the United States. I buy underwear from Brooks Brothers because they fit nicely and last forever. I used to swear by their shirts too, but the fabric doesn’t seem to be of the same quality as it used to be and the selection is much smaller. Fortunately, my haberdasher does custom shirts for just a little bit more than I can buy them off the rack at Brooks Brothers.
Don’t blame the decline of Macy’s on Amazon. They did themselves in by abandoning quality.
© Copyright Jeffrey Morgan, 2017
Are you a covered entity?
Basing a county/municipal information security (infosec) and cybersecurity framework on HIPAA is a logical choice, especially if you have one or more covered entities (CE) in your organization.
How do you know if you have or are a CE? If some department or division within your organization is a healthcare provider, a health plan or a healthcare clearinghouse, it is a CE. If you have clinics, doctors, psychologists, clinical social workers, chiropractors, nursing homes or pharmacies, you are a CE [i]. (Strictly, a provider is a CE only if it transmits health information electronically in connection with a HIPAA standard transaction such as a claim or eligibility check, but nearly any provider that bills insurance or Medicaid does exactly that.) Moreover, many counties have divisions or departments that function as accountable care organizations (ACO), managed care organizations (MCO), healthcare clearinghouses or health maintenance organizations (HMO). These are all common functions, especially within large county governments.
Are you in compliance?
If anything described above applies to your county or municipal organization, one or more divisions of your organization is a CE and is required to be in compliance with both the HIPAA Security Rule and the HIPAA Privacy Rule.
In my experience, most county governments that have covered entities are out of compliance. Where does your organization stand?
I suspect what often happens is that executives look at something like information security policy requirements and say:
This has tech words in it. IT handles tech stuff. Therefore, I’ll turn it over to IT to handle.
What a huge mistake. An organizational policy dealing with the manner in which information is handled, regardless of whether or not HIPAA regulations apply, requires communication and coordination with legal, HR, IT, information security, risk management, archives, county clerks and other divisions within your organization. It’s not a tech issue; it’s a high-level, interdisciplinary executive function. It is an information governance (IG) issue, and it shouldn’t be handed off to your IT director or CIO to address unilaterally.
Trust but verify
There are a number of reasons why IT should not be delegated sole responsibility for organizational information security. For one, a successful information security program requires checks, balances and oversight. Trust but verify! A successful program also requires expert knowledge of departmental business processes that often exceeds the knowledge of the IT staff. Moreover, if your department heads have equivalent status within the organization, it is not appropriate for a CIO or IT director to unilaterally dictate policy to his or her colleagues of equal status. There are far too many IT departments that have adversarial relations with their end users because of their autocratic and often illogical decrees. Information security requires a team approach with executive and board oversight.
Extend HIPAA to your enterprise
If you have covered entities in your organization and have limited or nonexistent enterprise security policies, I would recommend that you consider building your entire enterprise information security policy on the HIPAA Security Rule in order to raise the entire organization up to that level while also getting compliant with federal law.
Why? It is highly probable that your organization uses shared facilities, shared IT infrastructure and shared services. Multiple information security levels create a significant management challenge and are certain to cause chaos and confusion. Multiple security stances will lead to security gaps and ultimately to breaches. Keep it simple and operate at the highest standard using generally accepted, good practices.
Develop your policy with the HIPAA Security Rule
There are two major components to HIPAA for our purposes, the Privacy Rule and the Security Rule (the HITECH Act later added a Breach Notification Rule, which applies once something has gone wrong). For the purpose of this discussion, only the Security Rule matters, but we’ll definitely discuss privacy another day.
The original HIPAA Security Rule document, 45 CFR Parts 160, 162 and 164, Health Insurance Reform: Security Standards; Final Rule (68 FR 8334, Feb. 20, 2003), is 49 pages of small print. However, the meat of the document is contained within the final six pages and includes a handy matrix on page 48 (8380 of the Federal Register). The same matrix is codified as Appendix A to Subpart C of 45 CFR Part 164, so you can work from the current CFR text, which reflects the 2013 Omnibus Rule amendments, rather than the 2003 version.
The security standards in HIPAA are broken down into three sections, each of which has multiple layers and sub components:
- Administrative Safeguards (9 components)
- Physical Safeguards (4 components)
- Technical Safeguards (5 components)
These three major areas break down into at least 43 separate policy areas where your organization must build safeguards, including risk analysis, contingency planning, backup, passwords, HR sanctions and terminations, disaster recovery, encryption and many more.
Using the components in the matrix should enable you and your IG committee to quickly generate a suite of security policies and procedures that, when implemented and enforced, will vastly improve your current information security stance.
These are all policy areas that must be addressed as a matter of good practice whether or not you are a covered entity. This is why HIPAA is an excellent starting point for municipal governments that are infosec policy deficient. Here is a practical sequence to follow:
1. Find out where your organization stands in terms of information security policies and procedures.
2. Find out whether or not you have covered entities in your organization. Must you comply with HIPAA? Are you compliant?
3. Meet with your IG committee to discuss your findings.
4. If you don’t have an IG committee — start one!
5. Download and review the HIPAA Security Rule. Use it to build your organization’s information security policies.
6. Use either the PDCA (Plan, Do, Check, Act) approach or the DMAIC (Define, Measure, Analyze, Improve, Control) approach to maintain continuous improvement.
7. Begin building a culture of security in your organization.
We’ll continue the discussion next week, so check back then.
This article first appeared in cio.com at http://www.cio.com/article/3188667/governance/hipaa-as-an-umbrella-for-countymunicipal-cybersecurity.html
© Copyright Jeffrey Morgan, 2017
The cybersecurity risk to local government
Weak or nonexistent cybersecurity programs represent a massive organizational risk to county and municipal government agencies in the United States. County and municipal executives are often unaware of these risks because they assume that their IT Director, CIO, or an external vendor is managing security and addressing the risks. It is rare that such an assumption is correct.
While the Ponemon Institute[i] found that “federal organizations have a stronger cybersecurity posture than state and local organizations,” the Brookings Institution[ii] concluded that “the vast majority of public agencies lack a clear cybersecurity plan.” Much of the available research is based on small samples, and I believe that these studies may understate the scope of the problem. Based on my 23 years of working with public sector organizations, I can state with confidence that most lack any cybersecurity plans at all.
Your job as a municipal executive is to provide leadership and management in order to get the big picture right throughout your organization. What follows is advice on how to ensure that an appropriate cybersecurity program is established and functional in your organization. I recommend that you, the municipal executive, assume high-level responsibility for cybersecurity oversight. You don’t need to know the technical details, but you must know whether or not the appropriate frameworks, infrastructure, policies and procedures are in place and working correctly.
The need for information security is as old as civilization and possibly as old as life on earth. Information Security (Infosec) was invented to protect the first secret – whenever and whatever that was. Infosec is not solely a human artifact — my Great Dane always felt the need to maintain security concerning the location of his favorite bones and dead woodchucks. Techniques, methods and models for protecting information haven’t changed all that much and the methods of cybersecurity are largely based on models for protecting physical information.
Information Security refers to the discipline and processes that protect the confidentiality, integrity and availability of all your information regardless of form. Cybersecurity is a subset of information security and applies to digital data. In this article, I may use the two terms interchangeably even though they are not the same thing, but counties and municipalities need an Infosec plan that includes cybersecurity.
Municipal data – a pot of gold
County and municipal networks are treasure chests overflowing with priceless gems. Mortgage documents, deeds, births, deaths, ugly divorces, medical records, social security numbers, and military discharge documents are among the many types of publicly accessible documents that may contain PII (Personally Identifiable Information), PHI (Protected Health Information), or other sensitive information. Constituents turn over all this information naively assuming that you are doing everything in your power to protect it from theft and misuse. Are you a worthy steward of this treasure?
Root causes and obstacles
Let’s discuss eight of many root causes of failure to establish appropriate information security programs in local government organizations. Subsequently, we’ll move on to a methodical, practical approach you can initiate immediately to improve your cybersecurity posture.
“A lack of skilled personnel is a challenge at both federal and state and local organizations.”[iii] One problem is that many public sector IT Directors and CIOs don’t have the knowledge, training and background to plan and deliver acceptable, standards-based, comprehensive information security programs. They are often unaware of the widely accepted standards, guidelines and frameworks that are readily available, so cybersecurity planning is often amateur and homebrewed. Moreover, HR and hiring managers often don’t understand the required skills[iv] and look for the wrong people.
The largest municipal agencies may employ a CISO (Chief Information Security Officer) but the vast majority of public sector organizations do not have a dedicated information security executive and staff, nor should they necessarily require one.
IT staff members are rarely trained in or even familiar with relevant statutory compliance requirements. I have come to expect a deer-in-the-headlights look from public sector CIOs and IT staff when inquiring about security policies, privacy policies and other matters of security and compliance. Questions about HIPAA Security Rule compliance, for instance, are almost always met with “What’s that?”
A jumble of regulations
Municipal organizations may have dozens of departments, divisions, or lines of business with varying regulatory requirements from numerous federal and state agencies. Municipal governments do a lot. They may be involved in building bridges, managing traffic signals, providing water, waste, electric and sewer services, supervising elections and recording deeds while providing physical and mental health services and dental care.
A typical county government may have to comply with regulations like HIPAA[v] (Health Insurance Portability and Accountability Act) and 42 CFR[vi] while also complying with the security policy of CJIS[vii] (the FBI’s Criminal Justice Information Services division), in addition to state regulations from organizations such as an Office of Mental Health or Department of Health. Additional requirements for records management from State Archives agencies add to those complexities and often contradict other regulatory requirements.
Departments with vastly different information security and regulatory compliance requirements often coexist on a shared network where the security posture is designed for the lowest common denominator rather than for the highest. Often, municipal IT staff members don’t have clearly defined policies and procedures for reviewing information such as security logs and system events. Even if they do record these events, their stance is usually reactive rather than proactive.
Silos and turf wars
Counties and municipalities may have highly distributed management structures which function as silos rather than as a cohesive team. In some states, the silos may be a “feature” of constitutional government where elected officials manage some departments and may not be accountable to central executives. One result of this is that a county executive, and consequently County IT, may not have global control of IT and information security because other elected officials choose not to cooperate. Some real world examples I have seen include:
- County judges and their staff members refusing to sign and abide by acceptable use policies.
- County sheriffs refusing to cooperate with an IT security audit, claiming their security policy and processes are “secret.”
- Social services commissioners unilaterally declaring that HIPAA regulations don’t apply to their operations.
Silos in organizations create massive gaps in security management. When multiple parties are responsible for security, no one is responsible.
Most security problems are internal
90% of breaches occur because of an internal mistake[viii] and 60% of breaches are a result of internal attacks[ix]. Unfortunately, county and municipal information security programs often treat outside threats as 100% of the problem rather than focusing on more probable internal threats.
Insufficient budget is often used as an excuse for low quality IT services and lack of security in public sector organizations. It’s usually a red herring. In my experience, there is no correlation between budget and quality in the public sector. I have seen small, low-budget organizations build excellent security programs and have also seen large organizations with eight-figure tech budgets fail to establish even the most elementary components of an information security program. A cybersecurity program will cost money, but it doesn’t have to bust your budget.
In local government, critical management positions are often filled based on political considerations rather than quality of candidates. Expertise in information security should be a major component in your CIO’s toolkit.
Tech versus strategic thinking
If you think in terms of technology, stop it! I am always a little suspicious of industry professionals who fall in love with a particular technology. Technology is rapidly replaced or superseded so think strategically instead. There is no such thing as a technology problem; there are only business problems. Identify and solve for the business problem and the appropriate technical solution will reveal itself.
Start with Information Governance (IG)
What’s the first step in establishing your cybersecurity program? It has nothing to do with cybersecurity.
Information Security and cybersecurity must be components of your overarching Information Governance (IG) Program, overseen by an interdisciplinary team with executive support. Treating cybersecurity as a standalone program outside of the context of your organization’s information universe will produce a narrow approach. Do you currently have an IG program?
I can hear some grumbling right now. “Jeff, when do we get to the important stuff?”
IG is the important stuff. There are no silver bullets. There are no miracle pills that will address your information security requirements. No miraculous hardware or software will magically keep your information safe unless you have the right policies in place. There is some real work to do here and the P-things are the most effective tools to pack for your InfoSec journey. You will develop these from your IG Program:
- Policies
- Processes
- Procedures
What is information governance?
I like Robert Smallwood’s succinct definition of Information Governance: “security, control and optimization of information.”[x] In order to develop sound InfoSec and cybersecurity programs, you must know what you are protecting and why you are protecting it. The purpose of the IG program is to map, understand and manage your entire information universe. The map you create will serve as the foundation for your information security programs.
In a municipal government organization, an IG committee may include legal, HR, records management, IT, finance, and auditors, as well as other departments. Let’s say your municipality has a public health clinic, recorder of deeds, personnel/payroll and a sheriff. This means you have medical records, prisoner health records, recorded 911 calls, police reports, mortgage documents, confidential personnel records, payroll records, social security numbers and a lot more. The people with special knowledge about the nature and disposition of all this information must be on your committee.
In some organizations, information and security policy is developed at the whim of the CIO or IT Director. Is that IT Director expert in statutory requirements and industry best practices for all the areas mentioned above? I doubt it. This is why you need a cross-functional team to map the universe and make a comprehensive plan.
Establishing a comprehensive information security program
Once you have begun building your IG foundation and framework, your Infosec and cybersecurity requirements will be much clearer. Also, IG, Infosec, and Cybersecurity are not one-time activities. They require a process for continuous improvement like PDCA (Plan, Do, Check, Act) or DMAIC (Define, Measure, Analyze, Improve, Control). Get something in place first, and then continue to improve it. Attempting to get it perfect from the start will only result in implementation delays. This job never ends but it gets much easier once a solid foundation has been built.
Information Security Management Systems (ISMS), Frameworks and Standards
Once you have a comprehensive understanding of your information universe, develop security policies and programs for implementation and enforcement of those policies.
Use an existing framework. Designing comprehensive information security programs is more complicated than installing firewalls and anti-virus software and there is a great deal to think about.
There are many freely available information security tools in addition to standards and frameworks that require payment or membership in an organization. You can build a successful security program using only free tools, but my crystal ball is on the fritz today so I can’t see which tool is best for your organization. I wish I could tell you there is a one-stop shop, but there isn’t. You will have to evaluate your situation, do the research and make informed decisions about the best approach for your organization. Following is a brief discussion of some of them.
The National Institute of Standards and Technology (NIST) provides an enormous quantity of information, and the gateway to it is available here. NIST’s Framework for Improving Critical Infrastructure Cybersecurity is available here, and a new draft was released in January 2017. Their Cybersecurity Framework Workshop starts on May 16, 2017 in Gaithersburg, MD if you would like to attend and learn more about it. You can also view a webcast with an overview of the Framework. In their words, “The core of the framework was designed to cover the entire breadth of cybersecurity . . . across cyber, physical, and personnel.”[xi]
NIST also provides three Special Publication (SP) series: SP800 deals with Computer Security, SP1800 contains Cybersecurity Practice Guides, and SP500 covers Computer Systems Technology.
SP800-53, Security and Privacy Controls for Federal Information Systems and Organizations will likely be an essential part of your planning process if you are building upon NIST.
If a division of your public sector organization provides clinical services, it might fit the definition of a covered entity (CE). If so, that division is required to comply with applicable federal regulations including the HIPAA Security Rule. The regulation provides a clear, jargon-free framework for developing information security policies and programs. While it won’t address all the requirements for a municipal cybersecurity program, it can help you build a solid foundation for your security programs. I don’t have any official data on HIPAA Security Rule compliance in municipal organizations, but my personal experience is that it is extremely low. Is your CE compliant? If not, why not bring your entire organization up to HIPAA standards?
I have worked extensively with HIPAA regulations and NIST products for nearly two decades and I like them a lot. If they are not a good fit for your organization, there are other resources, including the following three.
The Information Security Forum (ISF) publishes the Standard of Good Practice for Information Security, available free to ISF members.
The International Organization for Standardization (ISO) publishes the ISO/IEC 27000 family of standards for Information security management systems. ISO products are not inexpensive, but in the overall scheme of things you might find them to be a reasonable investment. Organizations can certify through accredited registrars, which can also be an expensive process.
ISACA publishes COBIT 5, “the leading framework for the governance and management of enterprise IT,” which provides an integrated information security framework as part of a larger IT governance framework. According to Joseph Granneman, “It is the most commonly used framework to achieve compliance with Sarbanes-Oxley rules.”[xii]
The role of vendors
Trusted vendors can be helpful in building your programs, but overreliance on vendors for security advice is a suboptimal approach. While they may be knowledgeable about many aspects of your industry, only you and your cross-functional IG team truly understand your business requirements. Their job is to “sell you stuff” but they will generally draw the line at writing policy and taking responsibility for overall information security in your organization. If there is a major breach or some other catastrophic security event in your organization that becomes public, you are the one whose picture will be in the paper.
Summary – one step at a time
Take a few simple steps toward improving your cybersecurity program:
- Establish an IG committee and program.
- Discover and map your information universe.
- Establish an information security framework and security policy.
- Develop and implement your cybersecurity plan, based on the above.
- Use a cycle of continuous improvement.
This article first appeared in two parts in my CIO.COM column at:
A continuation of the subject appeared in:
References, Resources and Further Reading
Four critical challenges to state and local government cybersecurity efforts. Government Technology. July 17, 2015.
The need for greater focus on the cybersecurity challenges facing small and midsize businesses. Commissioner Luis A. Aguilar, October 19, 2015. US Securities and Exchange Commission.
How state governments are addressing cybersecurity. Brookings Institution. Gregory Dawson and Kevin C. Desouza. March 2015.
Human error is to blame for most breaches. Cybersecuritytrend.com.
[i] The state of cybersecurity in local, state and federal government. Ponemon Institute. October 2015.
[ii] The vast majority of the government lacks clear cybersecurity plans. Brookings Institution. February 3, 2015. Kevin C. Desouza and Kena Fedorschak.
[ix] The biggest cybersecurity threats are inside your company. Harvard Business Review. Marc van Zadelhoff. September 19, 2016.
[xii] IT security frameworks and standards: Choosing the right one. Joseph Granneman, Techtarget.com. September 2013.
If you found this information useful, or would like to discuss cybersecurity in your organization in more detail, please feel free to e-mail me at email@example.com. I would be glad to discuss your situation.
This article first appeared in cio.com at http://www.cio.com/article/3184618/government-use-of-it/county-and-municipal-cybersecurity-part-1.html
© Copyright Jeffrey Morgan, 2017
Data, facts and interpretation
Are managers and employees on your team comfortable with absolute truth and honesty? Are your organizational processes and management decisions transparent? Can you and your team discuss data, facts and interpretation without anyone’s hair catching on fire? I am not talking about ad hominem attacks, although members of an organization may take the presentation of facts personally. I am talking about the ability to rationally and objectively discuss subjects such as performance, weaknesses and failure in order to find solutions.
Will you shoot the messenger?
Naked Truth and Brutal Honesty are my two most valued employees. Clients sometimes ask for them by name, but they accompany me on every engagement regardless of whether or not they were invited. Don’t worry — there is no extra charge for them.
Over the years, one or two clients have not appreciated their input and we’ve all been summarily dismissed. Oh, well. Who needs those kinds of clients, anyway? Honesty and truth are essential components of the “whole package” comprising personal integrity. If you are willing to mold the truth for a fee, you lack the critical firmware package that also includes ethics and morality.
We worry about artificial intelligence, and we should. If A.I. eventually turns out to be made of the same malleable moral and ethical clay as the natural intelligence possessed by humans, we’ll be in big trouble when A.I. finally breaks out of its nursery. Sometimes, it’s not even a matter of ethics or morality. We often can’t recognize truth when it’s flashing furiously right in front of our eyes. Why should we expect better of machines?
Can facts be offensive?
One time I offended one member of a group by calling them all troglodytes because of their antiquated and inefficient business processes. I said it in an affable, humorous sort of way, but it was on the West Coast! What can I say?
However, I have often had hard pushback from organizational management when presenting straight facts such as, “Your organization lacks statutorily required privacy and security policies including X, Y and Z.” You can put a copy of the law right in front of them and they will still engage in virulent refutation.
You can’t handle the truth
In the consulting business, one is often asked to provide assessments. Most of us try to keep it real, but let’s face it: bogus assessments didn’t disappear when Arthur Andersen LLP was buried in 2002. Smashing through the granite wall of denial that is a cultural characteristic of many organizations can be a Herculean task, and sometimes one has to accept failure when the wall proves to be impenetrable. Observing the nature of denial is both fascinating and frustrating, and it is sad to watch otherwise intelligent people explode in an angry burst of denial when you attempt to show them that 2+2=4.
One wonders why organizations so often contract assessments and then completely reject not only the conclusions but the facts. Arthur Andersen the person (1885-1947) lived by the motto “Think straight, talk straight,” but such behavior is not a part of the culture of most organizations I have encountered. When it came to audits, Andersen believed that the “responsibility was to investors, not their clients’ management.” Had his company continued to embrace that philosophy after his death, it would likely still be in business.
Honesty and transparency are essential foundations of sound management. At investment management firm Bridgewater Associates, for instance, brutal honesty is a workplace requirement. Sadly, in most organizations, the pursuit of truth is neither familiar nor welcome. Bridgewater is governed by a set of “Principles” compiled by founder Ray Dalio. In an online presentation of the principles, Dalio instructs the reader, “When digesting each principle, please… ask yourself: Is it true?” Truth is always the best starting point.
Is it true?
My best teachers and professors all taught me to relentlessly ask that question about everything. I recall one graduate seminar where we went through some pretty lengthy scholarly works dissecting every sentence. It was a brutal exercise. What I learned is that a great deal of what was considered to be definitive and scholarly was questionable or sometimes just flat out wrong once it was closely examined.
Consensus is not proof
The traps of lazy thinking, false assumptions and groupthink are permanently set and perfectly positioned to capture us. In spite of decades of training, I still have to consciously avoid being snared by them. Conventional Wisdom and Consensus have no place in business, science or public policy but they often control and dominate the conversation.
In 1980, the consensus among physicians was that “stress and lifestyle factors were the major causes of peptic ulcer disease.” Barry J. Marshall and Robin Warren discovered in 1982 that the actual cause was Helicobacter pylori. They were initially ridiculed, but were awarded a Nobel Prize for their discovery in 2005. There is an extensive history of ideas that bucked consensus. When consensus rather than fact is presented as evidence, we should be skeptical and demand proof.
Equivocation, rationalization and justification seem to be acceptable management tools in too many private- and public-sector entities. Honesty shouldn’t be considered “brutal,” and it is only thought to be so because we so rarely encounter it in its natural form. Introducing honesty and naked truth to your organization might be a great goal for 2017.
This article first appeared on cio.com at http://www.cio.com/article/3162094/leadership-management/is-naked-truth-part-of-your-business-model.html
© Copyright Jeffrey Morgan, 2017