A State CIO began reviewing his State’s compliance and information security posture and committed to elevating security across all departments statewide.
The CIO wanted a series of gap analyses against the NIST Cybersecurity Framework (NIST CSF) and technical testing, resulting in a risk assessment of every department and its infrastructure. Critical Insight consultants jumped in and assessed seven of the State’s departments over a period of 18 months.
The consultants conducted in-depth facilitated discussions and interviews, identified many vulnerabilities and weaknesses, and found something all too common: there were numerous cases in which the State thought its departments were handling security issues and the departments thought the State was handling the issues. With that knowledge, the State improved communication and processes to address the problems.
The State also required a vulnerability assessment as a part of the risk assessment, which showed significant risks. Those risks were tied directly into the risk assessment methodology. The Critical Insight team looked closer and found an immature vulnerability management program. Immediately after getting the information, the State improved the program, reduced their vulnerabilities by 80%, and addressed US Government regulatory oversight requirements.
In order to meet standards of due diligence, the State asked Critical Insight to take a close look at the Department of Health and the state hospital system. The review found that these State entities were missing key policies required by HIPAA. They also were not doing an adequate job of managing their vendors (called “Business Associates” in HIPAA) or training their employees with materials relevant to cybersecurity risks. Critical Insight assisted the Department of Health and Hospital System in becoming HIPAA compliant, improving their contract language to better adhere to HIPAA rules, and kickstarting their annual security awareness training.
In tandem with internal training, local governments should consider outsourcing hosting and security efforts to minimize the footprint of a potential cyberthreat.
EVP, Critical Insight