Date: 2021-09-19



When I travel the country (lately in a de facto way), I often get questions like these from public and private sector leaders: Where can you go to learn what state and local governments in other parts of the country are doing that is new, innovative and effective? Which cybersecurity and technology case studies, stories, and examples stand out, along with indicators of meaningful business outcomes? What methodologies can be used to ensure that people, process, and technology aspects are taken into account when implementing disruptive enterprise-wide cyber projects? Where can I find clear numerical return on investment (ROI) data for these expensive technology initiatives? Where can I get new ideas that work for my government? There are many answers to these questions, but one of the most enduring comes from the National Association of State Chief Information Officers (NASCIO). Who is NASCIO and how can it help? Two years ago, I wrote an earlier blog on NASCIO’s 50th anniversary ceremony at the annual conference in Wisconsin. Here is an excerpt:

NASCIO continues to provide collective opinion on Congressional testimony, state procurement initiatives, cybersecurity and more for the 2020s. The NASCIO Awards website is a treasure trove (to borrow an old term) of great projects ready for other state and local governments to implement to enhance their services. Note: I have written about the NASCIO Awards many times, in blogs about the NASCIO community and in post-conference overview blogs on govtech.com. It’s an understatement to say that government and private sector CxOs can get great value from NASCIO’s best practice white papers and awards website.

That blog provides additional information about the value NASCIO has provided for over 50 years and the benefits it offers.

2021 CYBER BEST PRACTICES LIBRARY

However, the focus of this blog is the current NASCIO Cybersecurity Awards. Here is a list of applications for the 2021 Cybersecurity Awards.

While we encourage you to read all of these award submissions from many different states, a recent NASCIO press release announced three 2021 cybersecurity finalists.

We strongly recommend that you read these three award-winning submissions. Below is an excerpt from the executive summary of each state’s project. Visit the full article for more information on the project and the results obtained.

Minnesota: State governments are not usually recognized as merchants, but ongoing system modernization efforts mean more digital government financial transactions will take place using debit and credit cards. This increases the risk from our vulnerabilities. Merchants are the primary target of financial fraud, making it easy for criminals to steal and use personal consumer financial information from payment card transaction and processing systems. When a merchant is affected by a security breach, it also affects consumers. According to PrivacyRights.org, more than 11,733,087,704 records containing sensitive information have been compromised since 2005.

Minnesota IT Services’ commitment to securing the state is an important tactical priority, aimed at 1) better protecting applications and citizen data, and 2) maturing risk management and communication.

Minnesota is a major participant in payment card transactions, so it must use standard security procedures and technologies to prevent the theft of cardholder data.

To meet the Secure the State goals of the MNIT 2020 Tactical Plan, the project established a new Payment Card Industry (PCI) program to monitor state compliance and protect the Cardholder Data Environment (CDE). The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all entities that accept, process, store, or transmit credit card information remain secure. PCI DSS compliance helps mitigate these vulnerabilities and protect cardholder data. It also helps minimize the potential impact of a breach of cardholder information.

The project included the development and implementation of a new MNIT PCI program, including new processes, personnel, and technologies for assessing, managing, and reporting PCI compliance. The program includes a team with PCI expertise to assist agencies.

Merchant-based vulnerabilities can appear almost anywhere in the card processing ecosystem, including point-of-sale devices; mobile devices, personal computers, or servers; wireless hotspots; web shopping applications; paper-based storage systems; the transmission of cardholder data to service providers; and remote access connections. Vulnerabilities can also extend to systems operated by service providers and acquirers, which are the financial institutions that initiate and maintain relationships with merchants that accept payment cards.

North Carolina: Cyber incidents are of increasing concern to North Carolina’s state, local, and academic institutions. Each year, attacks in the form of ransomware, data breaches and blackmail are increasing significantly, with devastating impacts on the state’s critical infrastructure. This trend is projected to persist over the next few years.

From 2016 to 2019, North Carolina municipalities, community colleges, and public school systems reported 17 ransomware attacks of varying severity to the North Carolina Department of Information Technology (NCDIT). In 2020 alone, NCDIT received the same number of reports. Of the 34 attacks since 2016, city or county government agencies have reported 31.

We know there is no way to avoid all attacks, but North Carolina has taken a statewide approach to cybersecurity to prevent and prepare for incidents and to support entities in the event of an incident. There are three main components to this approach: 1) data sharing through the NC Information Sharing and Analysis Center (NC-ISAC), 2) establishment of the NC Joint Cyber Security Task Force, and 3) implementation of mandatory incident reporting.

Information sharing and collaboration are critical to combating cybercrime. All levels of government need to communicate with each other to prevent and mitigate the effects of cybersecurity incidents. Cyber attacks are evolving and becoming more sophisticated, and fighting them takes an all-hands-on-deck approach. We cannot collect information in silos. Information sharing is the key to preventing cyber attacks and mitigating their impact.

Through North Carolina’s comprehensive and collaborative approach, whether preventing incidents by providing monitoring tools, training and tabletop exercises, or actually putting boots on the ground in the event of an incident, we have been able to provide support to all 100 counties. The North Carolina government cybersecurity community has become one large team that supports each other and shares knowledge and experience.

Ohio: The Ohio Digital Experience (ODX) was the first iteration of Ohio’s ongoing commitment to becoming a leader in the areas of digital identity, security, privacy, and intuitive user experience. The goal was built on the Ohio Identity System (OH|ID) and renamed.

Beginning in January 2020, as the world became aware of the global pandemic, we began working on the third iteration, the extension OH|ID NEXT, which brings many new self-service tools and user account services. Notable among them:

Audience Manager is a self-service tool for government agencies to manage role-based access control for web-based applications. With a secure application programming interface (API) that allows agency applications to interact with Audience Manager and a focus on automation, agencies can provision both coarse-grained and fine-grained permissions within their applications just in time.

Within the Citizen Portal, users can choose to complete three levels of identity assurance: Basic (account creation and email verification), Intermediate (verified by a third-party ID), and Advanced (linked to a valid state-issued ID card submitted to the Ohio Department of Public Safety, Bureau of Motor Vehicles).

The Recent Activity tab shows the geographic location of each login within the last 12 months and whether it was successful. Users can also report suspicious activity.

The Devices tab shows the device used for each login attempt (desktop, mobile, etc.) and the device activity for recent logins. Users can name or hide the listed devices.

Of all the tools and account services of OH|ID NEXT, Audience Manager has proven to be the most innovative. Audience Manager gives agencies the ability to manage application roles and access at the appropriate level within the organization. Users who are granted access to an application can create one of two audience types, coarse-grained or fine-grained, and manage ownership, membership, and (optionally) approval for access to each federated application.

These audiences are queried by the application through the user token or the API, and users who are properly authenticated receive only the content they are approved for. All actions are logged back to the central repository. The central repository provides full audit and compliance capabilities that meet or exceed National Institute of Standards and Technology (NIST) and other federal, state, and accessibility regulations and standards.

Citizens and the state workforce are also empowered to manage the security surrounding their accounts. Users are notified of changes to their account through their confirmed email address. All login attempts and devices are listed, allowing users to quickly report suspicious activity without having to go to another screen. Agency applications for citizens or state employees can apply security controls as appropriate to further protect against malicious activity and to protect the sensitive features of integrated applications. They can also request multi-factor authentication (MFA).

Final Thought

As the former CSO, CTO, and CISO for the state of Michigan, I can say these awards are a big deal for individual states, and they offer bragging rights. Our Michigan team has always been proud of its award-winning projects, which have been recognized nationally (and even internationally) as best practices.

The top 2021 award-winning projects will be unveiled at the awards dinner in Seattle in October during the NASCIO Annual Conference.

But pride and admiration aside, the NASCIO Awards Library provides others with an amazing treasure trove of projects in many technology and business categories, including cybersecurity.

I urge federal, state, and local governments to read these submissions before embarking on major new strategic initiatives on the same or similar topics. It’s a good idea to make a few phone calls as well: you can save money and time and ultimately deliver a better project (on time and within budget) by learning from others who have gone before you.

