Keeping you Running Part I
Experiences in Helping Local Governments Develop Cyber
Security and Continuity Plans and Procedures
Stan France & Mary Ball
Outline
• Background
• Grant
• Process
• Experiences
• Recommendations
Background
• Rural county of 32,000 population
• Board of Supervisors
• 16 towns
• 6 villages
• County Data Processing department provides services without charge to towns and villages
Local Reasons for Addressing
• Corrupted machines
– Lost information
– Lost work time
– Effort required by County to support and remedy
• Physical threat experience
– Courthouse fuel oil spill
– Planning for potential dam break
Broader Reasons for Addressing
• CSCIC coordination
– Local Government Cyber Security Committee
• Non-Technical Guide
• Additional resources
– Alert distribution
– Problem reporting
• Overall records retention
• Incorporating into County emergency planning
• Model for replication
The Grant
• State Archives Local Government Records Improvement Fund $50k
• Provided for
– Consultants to evaluate cyber security protection strategies
– Acquisition and installation of protection software
– Development of model policies and procedures
– Consultant to work with municipal staff
– Creation of an internet based back-up application
Establish Initial Contact
• Five minute presentation to municipal board
– Get motion to participate
– Leave folder with Guide, model policies, data gathering forms
– Identify an initial contact person
Initial Work with Municipal Offices
• Review purpose
• Identify continuity functions
• Identify workflows and resources needed
– Forms
– Paper documents
– Hardware
– Software
– Skills
Follow Up Work with Municipal Offices
• Consolidate needs and develop plans
• Provide training in use of Internet backup
• Review model policies and establish local versions to recommend to municipal board
• Install protective software and train on use
Project Consolidation Process
• Calculate number of backup machines, printers, faxes, desks, phones, etc. needed
• Identify coordinated alternate sites
• Track machine protection reports
• Integrate with County emergency plans
Project Experiences
• Project Handout Development
• Board Meetings
• Initial Staff Meetings
• Plan Development
• Follow up
• Software installation
• Backup site
• Training
Project Handouts
• PowerPoint (5 pages on project details)
• Local Government Cyber Security: Getting Started Guide
• Model policies, plans, and procedures
– Business Continuity Policy
– Business Continuity Plan and Procedures
– Cyber Security Policy
– Acceptable Use Policy (Internet Use)
Board Meetings
• Presentation to the Board of Supervisors
– 22 Towns and Villages
– 6 to 9 members on each board
• Project handout given to each board member
• Presentation took about 5 minutes
• Question and answer period
• Motion to Participate
Commonly Asked Questions from the Board
• Cost or future cost to the municipality
• Internet connections (dial up issues)
• Backup site
– Server location
– Security of stored information
• Software protection
Initial Meeting with Staff / Plan Development
• Reviewed workflow
• Categorized work functions
– Significant, Essential, and Non-essential
• Identified office requirements
– Hardware, software, equipment, forms, etc.
• Documented purchasing and replacement information
• Reviewed current backup methods
• Discussed files and documents for back-up site
• Establish temporary work location(s)
Discovery Process Follow Up
• Continuity Issues
– Backup usually stored on premises
– Physical storage desperately needed
• Make more forms available on-line to public
• Dial up issues for rural areas
• Discussed improvements
– Continuity and cyber security
– Other County programs used by municipalities
Protective Software
• McAfee software
• Easy on-line installation
• Scan computers for possible threats or viruses
• In-house monitoring
• AVG on Windows 98
Backup Site
• On-line Access
• User name and password log-in
• Ability to “Add”
– Not a working folder
– Stored for emergency restoration
• Zip program
– User friendly, easy to use
Training
• Cyber security
– Recognizing threats and reporting
• Protective software
• Backup site
– Access the site
– Zip files and send to server
– Develop backup schedule
Recommendations
• It’s not rocket science
• Develop the support base before going for formal approval
• Know what information to gather before starting to gather it
• Come to Part II this afternoon