In a technology-driven world, the cybersecurity concerns affecting governmental agencies are constantly evolving. These concerns can significantly complicate the oversight of risk by those charged with governance over these agencies. As a result, those charged with governance need to maintain current knowledge of cyber issues and of management's plan for allocating resources to prepare for and respond to cyber risks. Such knowledge enables those charged with governance to evaluate the decisions management proposes in critical areas.
There are both general and specific cybersecurity issues that management and those charged with governance should address when considering how to mitigate cybersecurity risk for their governmental agency. These areas include, but are not limited to, cyber risk strategy, risk profile, cyber maturity, metrics, cyber incident management and resilience, and continuing education.
Management and those charged with governance should establish a plan for mitigating cybersecurity risk for their governmental agency. The following procedures, grouped by cybersecurity area, can be used as a starting point for establishing this plan and can guide those charged with governance in their discussions and oversight of management's plans for addressing potential cyber risks:
General
- Identify potential cyber threats to the governmental agency.
- Individuals and groups responsible for oversight should remain current on the cybersecurity issues affecting the governmental agency and should have the skill sets necessary to address them.
- Define the roles and responsibilities of both management and those charged with governance with respect to cybersecurity procedures.
- Identify the regulatory compliance requirements pertaining to cybersecurity for the governmental agency.
Overall Cybersecurity Strategy
- Determine the role of those charged with governance for oversight of the cybersecurity strategy.
- Define the key elements of the governmental agency’s cybersecurity strategy.
- Ensure that the governmental agency’s cybersecurity preparedness receives the appropriate level of time and attention from management and those charged with governance.
- Incorporate the cybersecurity process into the governmental agency’s policies and procedures.
- Routinely assess ways in which management and those charged with governance can improve the governmental agency's cybersecurity strategy.
Risk Assessment: Risk Profile
- Determine whether the governmental agency is a direct, deliberate target of cyber-attacks, bearing in mind that any internet-connected agency is also exposed to opportunistic attacks regardless of whether it is specifically targeted.
- Analyze the results of the cybersecurity assessment of the governmental agency with respect to its overall risk profile.
- Identify the areas of highest inherent cybersecurity risk.
- Ensure that management is updating the governmental agency’s inherent risk profile to reflect changes in activities, services, and products.
Risk Assessment: Cyber Maturity
Oversight
- Define those accountable for assessing and managing the risks posed by changes to technology and ensure that those individuals are empowered to carry out those responsibilities.
- Determine whether the inherent risk profile and cybersecurity maturity levels meet management's risk management expectations and, if they are misaligned, propose plans to bring them into alignment.
Cybersecurity Controls
- Determine whether the governmental agency's policies and procedures demonstrate management's commitment to sustaining appropriate cybersecurity maturity levels.
- Define the ongoing practice for gathering, monitoring, analyzing, and reporting risks.
- Determine the effectiveness of the governmental agency's risk management activities and of the controls identified in the assessment.
- Consider whether there are more efficient or effective means of achieving or improving the governmental agency's risk management and control objectives.
Threat Intelligence and Collaboration
- Establish a process for gathering and validating the threat information that feeds the agency's inherent risk profile and cybersecurity maturity assessment.
External Dependency Management
- Identify third parties that the governmental agency relies on to support critical activities.
- Determine and document the process for overseeing those third parties and for understanding their inherent risks and cybersecurity maturity.
Cybersecurity Metrics
- Determine how those charged with governance should obtain cybersecurity metrics.
- Define who should deliver those metrics.
- Define the elements of the metrics and the format in which they should be presented.
- Ensure that the metrics prompt action and make clear how much risk the agency is willing to accept, transfer, or mitigate.
Cyber Incident Management & Resilience
- Determine how management validates the type and volume of cyber-attacks the governmental agency experiences.
- Determine whether the governmental agency has a comprehensive cyber breach response and recovery plan and, if it does not, discuss procedures for implementing one.
- Determine how the governmental agency's incident response and recovery plan fits into the overall cybersecurity strategy.
Cybersecurity Education
- Define the ways in which those charged with governance will remain current on cybersecurity developments in the market and in the regulatory environment.
The governmental agency's cybersecurity strategy should evolve continually, in step with the ever-changing technology environment. If your governmental agency needs assistance in establishing, implementing, or updating your cybersecurity plan, please contact Patrick Bowman or your BMSS professional at (205) 982-5500 or visit our website, bmss.com.
Written by Jenny Gray, CPA