Security Breach Response Plan for Local Governments

Lena Eisenstein
Cybersecurity experts say that it's not if local governments will experience a security breach or ransomware event, it's when it will happen. The risk of a cybersecurity incident, and its potential effects, is a hot topic across the nation.

In the government realm, local governments rely somewhat on federal and state assistance for a natural disaster, but that won't help them when dealing with a data breach or ransomware issue.

In addition to feeling prepared, there are many benefits for local governments in planning a security breach response plan. Enough other governments and corporations have experienced breaches that we now have the basic components for a security breach response plan.

Does Our Local Government Really Need a Security Breach Response Plan?

Cyber attackers have hit all levels of government, including federal agencies, state agencies and local governments. Local governments may be even more at risk than federal or state governments because larger governments have bigger budgets and greater access to IT staff. Hackers often find that it's easier to attack and permeate the low-hanging fruit of local government where cyber defenses may be weaker.

While hackers are prevalent and present great risk, government data risks often also come about because of human error. Local governments should be concerned about lost hard drives, misconfigured databases, theft of electronic devices, and mistakes that allow leaks of personal information and other sensitive data.

Picking up the pieces after a security breach is costly. Local governments may have to absorb the cost of free identity theft and credit-monitoring services for affected individuals. Perhaps what is worse is that a security breach increases the community's concern over how their taxes are being spent and will likely decrease the trust between government workers and the public.

Developing a security breach response plan will also help local governments understand their system dependencies, identify critical personnel for crisis management duties, and plan for alternate channels of operation.

Forming Your Local Government Security Breach Response Plan

The National Institute of Standards and Technology (NIST) developed the following five functions of the NIST cybersecurity network:
  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover
Build a strong security breach response plan for your local government with these key tips

NIST selected these five functions because they determined that these components are the pillars of a comprehensive and successful cybersecurity program:

Step #1 Identify

The first step in a security breach response program is to identify the many ways that the local government could be affected if a group or individual successfully hacked into their systems. It's important to look at the following areas:
  • Systems
  • People
  • Assets
  • Data
  • Capabilities

The identification step allows local governments to prioritize their efforts while aligning them with their risk management strategies.

This step requires identifying the physical and software assets that will form the basis for an asset management program. Local governments will also need to identify the business environment they support and their role in supporting it, as well as the effect on supply chains. Identifying the cybersecurity policies that the local government has already established, along with the legal and regulatory requirements for cybersecurity, is another important activity. Risk management is an essential area in the identification step. Local governments need an identified risk management strategy that includes identifying risk tolerances, asset vulnerabilities, internal threats, external threats and risk response activities.

Step #2 Protect

The second step of a security breach response plan ensures that the local government will be able to ensure critical infrastructure services by protecting physical and remote access to information that local governments retain. Protecting information entails creating training and awareness of local government staff on their roles in cybersecurity.

By aligning data security practices to the government's risk strategy, it protects access to information and keeps it confidential. Also included in this step is to implement information protection processes and procedures to manage and maintain information systems and assets. Processes that are designed to protect the government's information should include remote maintenance.

Local governments need to ensure that activities in the protection step are consistent with the government's organizational policies, procedures and agreements.

Step #3 Detect

The reason for the detection step is to identify the occurrence of a security breach event at the earliest opportunity. This step requires having systems in place to identify anomalies and unusual events and to understand their potential impact. Local governments need to have a process in place to continuously monitor cybersecurity events and verify how effective their protective measures are.

Step #4 Respond

The fourth step of a security breach plan is designed for local governments to have an established plan to respond appropriately to a cybersecurity incident in a timely manner. Responding quickly and completely will minimize damage and keep employees and the community informed. One of the most important activities involved in this step is managing communications with law enforcement and the public, which requires a detailed plan.

A good response plan includes forensic analysis, impact analysis and mitigation activities to limit the impact of the breach and to resolve it.

Local governments can continually improve this step by staying current with emerging breaches that affect other governments and learning from any lessons gained from the detection step.

Step #5 Recover

The final step in a security breach response plan is recovery. Local governments will need to identify and implement activities to restore damage or other issues caused by a security breach. Activities should be designed to restore the government's operations to normalcy at the earliest opportunity, which will reduce the overall impact of the breach.

Local governments can learn much about how to improve recovery strategies by reviewing existing strategies and taking note of how other affected governments respond to breaches. The recovery step is also the time to implement the communications plans that the government identified in Step #4, the Response step.

Once the security breach response plan has been formed, it's important for local governments to remain current with new developments and to review their plans at least annually to ensure they're effective. The five-step plan is the most viable way to ensure that local governments are doing their due diligence in protecting their communities from a security breach.