Keeping you Running Part I

Experiences in Helping Local Governments Develop Cyber

Security and Continuity Plans and Procedures

Stan France & Mary Ball

stan@co.schoharie.ny.us

Outline

• Background

• Grant

• Process

• Experiences

• Recommendations

Background

• Rural county of 32,000 population

• Board of Supervisors

• 16 towns

• 6 villages

• County Data Processing department provides services without charge to towns and villages

Local Reasons for Addressing

• Corrupted machines– Lost information– Lost work time– Effort required by County to support and

remedy

• Physical threat experience– Courthouse fuel oil spill– Planning for potential dam break

Broader Reasons for Addressing

• CSCIC coordination– Local Government Cyber Security Committee

• Non-Technical Guide

• Additional resources

– Alert distribution

– Problem reporting

• Overall records retention

• Incorporating into County emergency planning

• Model for replication

The Grant

• State Archives Local Government Records Improvement Fund $50k

• Provided for– Consultants to evaluate cyber security protection

strategies

– Acquisition and installation of protection software

– Development of model policies and procedures

– Consultant to work with municipal staff

– Creation of an internet based back-up application

Establish Initial Contact

• Five minute presentation to municipal board– Get motion to participate– Leave folder with Guide, model policies, data

gathering forms– Identify an initial contact person

Initial Work with Municipal Offices

• Review purpose• Identify continuity functions• Identify workflows and resources needed

– Forms– Paper documents– Hardware– Software– Skills

Follow Up Work with Municipal Offices

• Consolidate needs and develop plans

• Provide training in use of Internet backup

• Review model policies and establish local versions to recommend to municipal board

• Install protective software and train on use

Project Consolidation Process

• Calculate number of backup machines, printers, faxes, desks, phones, etc. needed

• Identify coordinated alternate sites

• Track machine protection reports

• Integrate with County emergency plans

Project Experiences

• Project Handout Development• Board Meetings• Initial Staff Meetings• Plan Development• Follow up • Software installation• Backup site • Training

Project Handouts

• Power point (5 pages on project details)• Local Government Cyber Security: Getting

Started Guide• Model policies, plans, and procedures

– Business Continuity Policy– Business Continuity Plan and Procedures– Cyber Security Policy– Acceptable Use Policy (Internet Use)

Board Meetings

• Presentation to the Board of Supervisors – 22 Towns and Villages– 6 to 9 members on each board

• Project handout given to each board member

• Presentation took about 5 minutes

• Question and answer period

• Motion to Participate

Commonly Asked Questions from the Board

• Cost or future cost to the municipality

• Internet connections (dial up issues)

• Backup site– Server location– Security of stored information

• Software protection

Initial Meeting with StaffPlan Development

• Reviewed workflow

• Categorized work functions– Significant, Essential, and Non-essential

• Identified office requirements– Hardware, software, equipment, forms, etc.

• Documented purchasing and replacement information

• Reviewed current backup methods

• Discussed files and documents for back-up site

• Establish temporary work location(s)

Discovery Process Follow Up

• Continuity Issues– Backup usually stored on premises – Physical storage desperately needed

• Make more forms available on-line to public

• Dial up issues for rural areas• Discussed improvements

– Continuity and cyber security– Other County programs used by municipalities

Protective Software

• MacAfee software

• Easy on-line installation

• Scan computers for possible threats or virus

• In-house monitoring

• AVG on Windows 98

Backup Site

• On-line Access

• User name and password log-in

• Ability to “Add” – Not a working folder– Stored for emergency restoration

• Zip program– User friendly, easy to use

Training

• Cyber security– Recognizing threats and reporting

• Protective software

• Backup site– Access the site– Zip files and send to server– Develop backup schedule

Recommendations

• It’s not rocket science

• Develop the support base before going for formal approval

• Know what information to gather before starting gathering

• Come to Part II this afternoon