Municipalities differ from private sector organizations, but they have one thing in common: the need to prioritize their data in order to meet privacy and security obligations.
During an online cyber security panel at this month's Technical GTA conference, speakers from the municipal sector made it clear that doing this is no different from the way profit-making firms do it.
“It is critical that information security teams spend time with business leaders to understand questions such as how long it would take to retrieve all of our engineering drawings, how much of our productivity would be lost if the ERP system was unavailable for a week,” said Brent Capp, IT security and risk officer for the City of Newmarket, Ont.
“Using this information we can start to tell a story about how important an asset is, what it’s worth from a service delivery perspective.”
It starts with collaboration with the city clerk’s office, along with business owners and data custodians who can help identify data based on its classification, agreed Manesh Agnihotri, interim CISO for the City of Toronto. Then, he said, based on the data classification, infosec leaders can look at the security infrastructure and everything around it that supports keeping that data secure.
“So the first step is to have that discussion, to identify what is the critical data in the organization, where is it located, and how do we protect it?”
This prompted moderator Richard Freeman, Ricoh's Canadian portfolio manager for enterprise workflow solutions, to ask how municipalities can balance the security needs of users — internal and taxpayers — with the need to protect data.
Kush Sharma, director of municipal modernization and partnership at the Municipal Information Security Association of Ontario, reported that 92 percent of respondents to a recent poll of members said municipalities should focus first on critical infrastructure — such as water systems, public transit, solid waste and voting systems — which they called traditional IT.
“What you don’t want is a water system breach. If Microsoft Office 365 and your documents get messed up, or maybe you can’t process some financial statements, that can be fixed. But there are life-safety issues if your water system goes bad. If we can try to balance the resources we have as municipalities and focus on critical infrastructure components … that’s a good beginning.”
Getting information is key, the panelists said. Capp said IT business systems analysts and the records management team can help with lesser-known areas where personally identifiable information is stored. They are experts in collaborating with different business units and know where some data is stored “informally.”
“Sometimes you’ll find that people are storing PII somewhere because it’s convenient and helps them get from point A to point B faster. The more we understand these temporary or alternate use cases, the easier it is for business units to work and improve the security posture,” he said.
The panel also touched on cyber insurance. Roland Chan, CISO at Toronto Metropolitan University, said that because rates depend on what organizations are doing to protect themselves, their organization makes departments aware of the importance of good cyber security practices.
Sharma cautioned that many municipalities will not be able to qualify for insurance because of the increased cyber controls being demanded by insurers. Even if they do, insurers may declare that the cyber incident is excluded from coverage because it is part of an ‘act of war’.
He advised that any municipality smaller than a city may have to look at self-insurance, or at grouping with other municipalities to self-fund.
“Organizations have to understand that insurance is not cyber containment,” Agnihotri said. “It’s part of your healing, it’s part of your recovery. So what’s going on now is how fast can we improve and mature our security posture.”
Finally, when asked for suggestions on improving cyber security awareness of employees, Sharma urged infosec leaders to stop thinking of themselves as technocrats. “We need leadership to better translate and communicate that we are an important business function within the organization,” he said.