- a
- acceptable use policies (AUPs) 116–117, 123, 135
  - designing 117
  - and remote access 122
- ARPANET 24
- artificial intelligence (AI) 145, 217, 219
  - and automation 217, 219
  - definition 219
  - facial recognition 214–215
  - in law enforcement 214–215
  - regulation 215
  - and social engineering 145, 219
  - use against hackers 146, 205
  - use by hackers 145, 219
- Atlanta, GA, ransomware attacks 3, 7–8, 31
- automation technologies 216–217

- b
- Baltimore, MD, ransomware attacks 3, 9–10, 121, 189, 229
  - IT system 10
  - leadership 42
- bitcoin, as ransom currency 8, 9, 29, 203
- Black Frog 61–62
- Boston, MA 80
- Breithaupt, Jim 87
- bring-your-own-device (BYOD) 209–210
- bulk electric systems 173–174
- Buszta, Ken 87

- c
- California
  - local government cybersecurity 115
  - state security legislation 177, 178
- Census Bureau estimates 2, 232n1
- Census of Governments (2017) 2
- Center for Digital Government, Digital Counties Survey 202
- change (configuration) management policies (CMPs) 123–124, 160
- Chicago, IL 80
- chief information officers (CIOs) 4, 38, 58, 79
- chief information security officers (CISO) 60, 127, 128
- city administrations 4, 29, 78
- city chief information security officers (CISOs) 127, 128, 129
- City of San Diego 202
- cloud, the 201–203
- Coalition of City CISOs 79–80, 195
- Collier County, FL 145
- Colonial Pipeline, cyberattack on 30, 203, 214
- Colorado Privacy Act (CPA) 178–180, 215
- Colorado state security legislation 178–180
- Commission on Information Technology (COIT), San Francisco 126, 129, 131, 132
- Commonwealth of Massachusetts 116
  - cybersecurity policy 132–139
- computer hardware 18, 19
  - cybersecurity 99
  - disposal of 119
  - inventories 156
  - obsolescence 216
  - operating systems 218
  - physical corruption 19
  - on personal devices 18
  - replacing 156
  - verification 159
  - vulnerability 33, 34
- computing, management of 86–87
- Computing Technology Industry Association 57–58
- Conference of Mayors 29
- Coveware 207
- COVID-19 pandemic 6, 18, 31
  - and teleworking 35–36
  - unemployment claims 219
- Criminal Justice Information Services (CJIS) 171–173
- cryptocurrencies, as ransom currencies 8, 9, 29, 203, 207
- Cuckoo's Egg, The (1989) 19
- cyberattackers, types of 31–32, 59, 70–71
- cyberattacks 1–3
  - attribution 197
  - case studies 7–10
  - costs of 5, 8, 57, 61–62
  - definitions 68
  - detection 22–23, 161, 193–194
  - effects of 7–8, 9
  - and elections 5, 146
  - forensic services 94
  - frequency 1, 27–28, 68–70
  - and home working 204
  - and human error see human error, in cybersecurity incidents
  - increase 69–70
  - kits 203, 207
  - motives for 32, 70, 71, 144
  - by national governments 5, 32
  - and negligence 8, 32
  - organizational ignorance 27–28, 68–70
  - perpetrators see cybercriminals
  - targets 67
  - types see cybersecurity attacks, types of
- cybercriminals 3, 5, 203–204
  - apprehension of 204
  - hacking kits 203
  - increase in number 203
  - methods 5, 29–31, 144–145, 204
  - motivation 6, 29–30, 32, 70, 71, 144, 203
  - state-sanctioned 5, 28, 144, 146, 197
  - targets 1, 2–3, 145
- Cyber Incident Notification Act 181
- cyber insurance see cybersecurity insurance
- cyber negotiation frameworks 12, 48, 53–54
- cybersecurity, organizational 18–19, 37–38
  - auditing 19, 94, 131, 192
  - authentication see authentication
  - and business environment 157
  - CIA triad 20
  - confidentiality 18, 19, 135
  - culture 42–43, 76, 125, 231–232
  - definitions 17–19
  - dimensions 20
  - economic modelling 54–55
  - and governance 157
  - and hardware see computer hardware
  - and insider attacks 32
  - IT departments see IT departments
  - principles 18–20, 20
  - responsibility for 38, 88–89, 232
  - safeguards 20, 22
  - and size of organization 50
  - systems see cybersecurity systems
  - Zero Trust approach 212–213
  - see also chief information security officers (CISO), role of; cybersecurity administration
- cybersecurity administration 37–41, 88
- cybersecurity advocates 147
- cybersecurity attacks see cyberattacks
- cybersecurity attacks, types of 5–6, 28–31
- cybersecurity cube 20–21, 20
- Cybersecurity Enhancement Act (2014) 152
- Cybersecurity and Infrastructure Security Agency (CISA) 17–18, 90, 206, 217
  - assistance to local governments 121, 195
  - training exercises 198
- cybersecurity insurance 39–40, 58, 89–91, 196–197
  - benefits 196, 197
  - as best practice 197
  - exemptions 196–197
  - and ransomware attacks 197
  - and risk management 90
- cybersecurity leadership 101–103
- cybersecurity literature 11–12, 47–63, 86
  - case studies 48
  - economics-based 48, 54
  - frameworks 48, 53–54
  - paucity of 7, 47, 63, 85
  - peer-reviewed 11–12, 47, 48
  - professional 55, 56
  - recommendations 50, 54–55, 92–93
  - smart cities 48
  - see also cybersecurity surveys
- cybersecurity malpractice 8, 69, 96, 203, 230
- cybersecurity partnerships 194, 195–196
- cybersecurity policies 95, 96–99, 113–139, 194
  - acceptable use see acceptable use policies (AUPs)
  - best practice 116, 205, 230–231
  - bring-your-own-device 36, 122
  - business continuity 121, 135
  - centralized 113
  - change management 123–124
  - compliance 115, 117, 129, 131, 133, 136
  - continuous improvement 125, 139, 192
  - design and development 113–115
  - disaster recovery 121–122, 130–131, 135
  - email use 122–123
  - essential 116–117
  - examples 115–116, 126–139
  - exceptions 58, 134–135
  - implementation 115
  - importance of 96
  - incident handling 98, 120–121, 136
  - information security see information security policies
  - internet use 35, 36–37
  - legal review of 115
  - media and communications 123, 162
  - remote access 122–123, 210
  - reporting violations 134, 147
  - and size of organization 114–115
  - stakeholders 113–114
  - templates 116
  - vulnerability and patch management 124–125
  - see also privacy policies, local government
- cybersecurity staff 147, 205–206
- cybersecurity surveys 35, 36, 39–40, 56–59, 72, 204, 210
  - annual/biennial 56, 57–59
  - Caruson et al. (2012) 11, 48, 49–50
  - Deloitte see Deloitte surveys
  - Hatcher et al. (2020) 11, 48–49, 50, 67, 81, 89
  - ICMA see ICMA surveys
  - MeriTalk 202, 203
  - methodology 77–81
  - MacManus et al. (2012) 11, 48, 50
- cybersecurity systems 1–2, 42–43, 115
  - artificial intelligence 146, 206, 214–215
  - attacks on see cybersecurity attacks
  - automation 216–217
  - back-up 40, 121, 124
  - barriers to effectiveness 73–75
  - complexity 5, 6
  - confidence in 72–73
  - costs 8, 73
  - and critical infrastructure 22, 152, 215–216
  - and culture 42–43
  - defense in depth model see defense in depth model of cybersecurity
  - designing 113–114
  - and email 34, 122–123
  - federal guidelines for 75
    - see also NIST Cybersecurity Framework
  - firewalls see firewalls
  - formal/informal 68, 69
  - funding 74–75, 76, 190–191, 229
  - hardware see computer hardware
  - and human error see human error, in cybersecurity incidents
  - incident logging 68–69, 136
  - insurance 8, 9
  - inventories of 188
  - investment in 10, 104–105, 230
  - leadership buy-in see cybersecurity leadership
  - literature review 47–63
  - maintenance 156, 158, 160
  - management see cybersecurity administration
  - negligence 8
    - see also cybersecurity malpractice
  - NIST see NIST Cybersecurity Framework
  - obsolescence 218
  - officials see cybersecurity staff
  - outsourcing 88–89, 90, 106, 182, 218
    - see also cybersecurity partnerships
  - preparedness 70–72
  - priorities 57–58, 74
  - research on see cybersecurity research
  - responsibility for 88–89, 103
  - staffing see cybersecurity staff
  - third-party vendors 114, 158
  - tools 91, 92, 107–108
  - vulnerability see cybersecurity vulnerabilities
- Cybersecurity Ventures 5
- cybersecurity vulnerabilities 3, 7–8, 9, 32–38
  - artificial intelligence 145
  - categories 33
  - definitions 33
  - human see human error, in cybersecurity incidents
  - machine learning 145–146, 216
  - management see vulnerability management
  - operating systems 10, 33, 205, 209, 216, 218
  - personal devices 36–37
    - see also bring-your-own-device (BYOD) policies
  - social engineering see social engineering
  - software supply chain 218
  - teleworking 35–36, 210–211
  - third party 59–60, 136, 158
  - Zero Day 22, 23, 30, 31
- Cyberseek 205
- cyberterrorists 32

- d
- Dallas, TX 80
- data, electronic 18–19
  - authentication see authentication
  - availability 18, 19–20
  - back-up see back-ups
  - corruption 19
  - definition of 18
  - encryption see data encryption
  - integrity 18, 19, 146, 159
  - PII see personally identifiable information (PII)
  - privacy see data privacy
  - security see data security
  - states 18, 24
  - storage 19, 51, 119, 168, 215
    - see also cloud, the
- data protection legislation 179–180
- data security 156–157, 159
- Dedrick, Jason 86
- defense in depth model of cybersecurity 115, 211–212
  - adaptability 212
  - categories 211
  - military origins 211
- Deloitte surveys 89
  - with NASCIO (2020) 37–38, 58–59, 89–90
- departmental information security officers (DISOs) 126, 129
- Department of Health and Human Services (HHS) 31
- Department of Homeland Security 206
- Detroit, MI 80
- disaster recovery/business continuity (DRBC) policies 121–122, 130–131
- disinformation campaigns 5, 31, 146
- Distributed Denial of Service (DDoS) attacks 6, 31
- Durham, NC, cyberattack 5

- e
- emergency (911) systems 9, 114, 214
- Emsisoft 61
- Endless Frontier Act 181–182
- Equifax 34
- Ernst and Young Global Ltd (EY) 59
- European Union
  - AI regulation 215
  - data protection 180–181, 215
- European Union General Data Protection Regulation (GDPR) 180–181, 215
  - applicability to US local governments 181
  - EU citizen privacy rights 180

- f
- facial recognition software 19, 145, 214, 215, 220
- Fairfax County, VA 80
- Falco, Gregory 53
- Family Educational Rights and Privacy Act (FERPA, 1974) 170–171
- FBI
  - cybersecurity investigations 214
  - information sharing 194
- federal cybersecurity policies 75, 114, 168–172
- Federal Information Security Modernization Act (FISMA, 2006) 170
- firewalls 107, 120, 194, 211

- g
- Gartner Cybersecurity 37–38, 191
- Grimes, Roger 204

- h
- Health Information Technology for Economic and Clinical Health (HITECH, 2009) 168
- Health Insurance Portability and Accountability Act (HIPAA, 1996) 168, 178
- home schooling 18
- home working, during COVID-19 pandemic 6, 18, 35–36, 122, 204
- human error, in cybersecurity incidents 41, 143–146, 147–148
  - accountability 147–148
  - and social engineering 29, 59, 144–145

- i
- IBM 22, 60, 62
  - Center for the Business of Government 60–61
- Ibrahim, Ahmed 54
- ICMA survey results
  - adequateness of technology 191
  - barriers to cybersecurity 37, 73
  - cybersecurity awareness 101, 102, 103
  - cybersecurity effectiveness 96, 98, 99–100
  - cybersecurity insurance 90, 91
  - cybersecurity investment 38, 104–105
  - cybersecurity management 69
  - cybersecurity policies 95, 96, 97–98
  - cybersecurity staffing 190
  - cybersecurity testing 92
  - cybersecurity tools 92
  - cybersecurity training 93, 94–95
  - frequency of breaches 28
  - frequency of cyberattacks 1, 68, 69, 70
  - leadership support 102, 103–104
  - local government preparedness 72, 100–101
  - location of responsibility for cybersecurity 38, 88, 90, 104
  - logging of attacks 68
  - respondent rating 100, 101, 102
  - types of cyberattackers 32, 71
  - use of forensic services 94
- ICMA surveys vii–viii, 59, 67–68
  - compared 37, 42, 69–70, 75–76, 89, 97, 98, 103–104
  - respondents 1, 68, 78, 88, 89, 94
  - results see ICMA survey results
  - 2016 see ICMA survey (2016)
  - 2020 see ICMA survey (2020)
- ICMA survey (2016) 67, 69–70, 74, 85, 91, 104–105, 143
  - conclusions and recommendations 75–76, 204, 229, 230
  - methodology 76–77
  - response rate 67, 81
  - revision 68
  - survey questions 68–73, 88, 89, 90, 91–92, 94–95, 96, 100, 103, 189
- identity and access management (IAM) policies 119, 120, 123, 159
- Illinois 59
- incident handling processes
- information security policies 117–120
- information sharing 194–196, 214
  - Information Sharing and Analysis Centers (ISACs) 194–195
    - regional 195
- information technology (IT) systems 2, 17, 34, 40, 58, 99
  - as critical infrastructure 2, 22
  - data see data, electronic
  - and the internet see Internet of Things (IoT)
  - reliance on 2
- Internal Revenue Service (IRS) 170
- International Association of Privacy Professionals (IAPP) 178
- International City/County Management Association (ICMA) 67–68, 76
- internet, as computer network 18
  - and government services 24
  - history of 24
- Internet of Things (IoT) 5–6, 51–52, 207–208
  - and COVID-19 pandemic 6
  - cybersecurity risks 36–37, 208
  - future of 208
  - and networks 18
  - scale of use 6, 207–208
  - security standards 52
  - and smart cities 51–52

- j
- Joint Terrorism Task Forces (JTTFs) 195
- JP Morgan Chase 34

- k
- Kansas 59
- Kaseya cyberattack 28, 30, 217
- Kentucky 59
- Kesan, Jay P. 54
- King, John Leslie 86–87
- Kraemer, Kenneth 86–87
- K-12 education 117, 206

- l
- legacy technology 216, 218–219
- Li, Zhen 54–55
- Liao, Qi 54–55
- Lin, Herb 9
- local government cybersecurity
- local government officials 187, 189
  - responsibility for cybersecurity 189
- local governments 2–4, 6
  - budgets 4, 37, 38, 54, 105, 190–191
  - cities see city administrations
  - compared with private sector 3–4
  - and educational institutions 171
  - elected/appointed officials see local government officials
  - email systems 34, 122–123
  - federation 39
  - leadership 42, 87
  - media relations 123
  - number of 2
  - online see e-government
  - physical security 52–53, 136, 211
  - policies 119–120, 123
  - political decision-making 4, 8
  - professionally managed 87
  - as public entities 3–4
  - representative organizations 116
  - services 2, 3–4
  - structure 4
- Lookout 209
- Los Angeles, CA 80

- m
- machine learning (ML) 219–220
- Maine 215
- Malaysia 52
- malware 28–29
  - and back-ups 40
  - ransomware 7, 9, 29, 206–207
  - Russian 5
- McAfee 62–63
- McCumber, John 20–21
- media and communications policies 123, 162, 164
- Memphis, TN 80
- MeriTalk survey (2021) 202, 203
- Merko, Mark 87
- Michigan 59
- Microsoft 365, 203
- Mirai Botnet 6
- Mondelez International 196–197
- Montgomery, Mark 104
- Moschovitis, Chris 32, 33
- Multi-State Information Sharing and Analysis Center (MS-ISAC) 195, 214
- municipal demography 2, 232n1
- Municipal Research and Services Center 210

- n
- Naples, FL 145
- Nashville, TN 80
- National Conference of State Legislatures (NCSL) 174
- National Cybersecurity and Communications Integration Center (CCIA) 195
- National Security Agency (NSA) 211
- National Survey of Local Government Cybersecurity Programs (2020) 58
- negotiation theory 53
- NERC Critical Information Protection Standards 173–174, 175–176
- networks 18, 114
- network segmentation 218
- New Orleans, cyberattack on 5
- New York State Department of Financial Services (NYDFS) 197
- next generation firewalls (NGFW) 91, 92, 107
- NIST Cybersecurity Framework 21–23, 127, 152–156
- NIST framework functions 21–23
- NIST Risk Management Framework 22, 116, 128, 188
- Norris, Donald F. 49, 60
- North American Electric Reliability Corporation (NERC) 173
- North Dakota 59
- Norton Security 41, 208
- NotPetya cyberattack 197

- o
- Office Space (1999) 19
- Oklahoma 59
- Oldsmar, FL 205
- operating systems 218

- p
- Payment Card Industry Data Security Standard 168–169
- personally identifiable information (PII) 3, 50, 170–171, 178–179
  - and data breaches 3, 70, 71, 144, 176
  - destruction and retention 178–179
  - protection 178–179
- physical security 52–53, 136, 211
- Presidential Executive Orders 181, 213
- President's Commission on Critical Infrastructure 32
- PRISM model of local government 60–61, 64n1
  - and NIST Cybersecurity Framework 61
- privacy see data privacy
- privacy policies, local government 24, 119
- public policy papers 27
- Public Technology Institute (PTI) 57–58

- r
- ransomware attacks 3, 9, 29, 207, 214
  - Atlanta, GA 3, 7–8, 31
  - Baltimore, MD 9–10, 121, 189
  - Colonial Pipeline 203
  - during COVID-19 pandemic 188
  - Hall, GA 146
  - literature on 61–62
  - profitability 29–30, 203, 207
  - recovery from 71–72, 214
  - sector vulnerability 61
  - surveys 57, 60
  - tracking 62
- Red Teaming 195–196, 198
- remote access policies 122–123, 176
- RobbinHood ransomware 9
- Robotic Process Automation (RPA) 217
- Russia
  - government-sponsored cyberattacks 5, 146, 197
  - hackers 28
  - interference in US elections 5, 146

- s
- SamSam ransomware 7
- San Francisco, CA 80
  - cybersecurity policy 126–131
- Seattle, WA 80
- security breach notification laws 176–177, 214
- security information and event management (SIEM) 217
- security orchestration, automation, and response (SOAR) 217
- Security Scorecard 59
- Shelby County, TN 144
- 60 Minutes documentary (CBS) 31, 208
- smart cities 5–6, 48, 50–52
  - security implications 51, 54–55

- t
- tabletop exercises 198
- tax collection 188
- tax information 188
- Tax Information Security Guidelines 170
- teleworking 35–36, 210–211
- threat actors see cyberattackers
- Threats-Vulnerability-Assets Worksheets 34
- traffic light protocols (TLPs) 118–119, 118

- v
- Verizon Data Breach Investigations Reports (DBIRs) 59, 68
- Virginia state security legislation 178
- virtual private networks (VPNs) 91, 92, 107, 135
- Vitunskaite, Morta 52
- vulnerabilities management 33–35, 91–93, 137
  - actions 92–93, 95
  - anomalies 158, 161
  - back-up and restore 40
  - BYOD policies 36, 122
  - continuous monitoring 22, 61, 158, 161
  - cyber-hygiene see cyber-hygiene
  - decommissioning 144, 148n1
  - exercises 94, 198
  - internet usage policies 35, 36–37
  - inventory of information assets 34
  - passwords see password security
  - risk assessment 93
  - social media policies 35
  - software patches 34, 99, 121, 124–125, 156, 205
  - and teleworking 36
  - threat identification 34
  - see also cybersecurity administration; cybersecurity policies; risk management
- vulnerability and patch management policies 96, 97, 98, 121, 124–125

- w
- Washington Post 205–206
- Wood, Charles Cresson 87

- z
- Zero Day vulnerability 22, 23, 30, 31
- Zero Trust approach to cybersecurity 212–213
- Zhang, Linfeng 54
- Zurich American Insurance 197