Nationwide Cyber Security Review reveals low awareness of risks by state and local governments
A 2011 survey of state and local government cybersecurity practices by the Homeland Security Department finds that a majority have adopted some control framework or methodology, but that overall there exists a low awareness of the full risks.
The National Cyber Security Division within DHS surveyed 162 state, territorial and city governments on 12 control areas for an appraisal dubbed the Nationwide Cyber Security Review. FierceGovernmentIT obtained survey results (.pdf) through the Freedom of Information Act. The division classified responses into three rough categories--"ah hoc" being the worst, "documentation" showing that policies, and possibly procedures and standards, have been put on paper, and "risk awareness" indicating at least some risk measurement and use by management of risk metrics to control cybersecurity implementation.
Only a minority of surveyed governments reported ad hoc activity for basic measures such as anti-virus protection and physical and logical access controls, but fewer were able to report robust activity for measures such as risk management and audit trails.
Average results can hide wide disparities between readiness at the state versus local level, DHS analysis of the results acknowledges. Local governments were overall 13 percent less aware of risks than state governments, the division says. In a specific example, local governments were 27 percent more likely than states to have shown ad hoc incident management controls than states, with only 14 percent of states reporting ad hoc measures but 50 percent of local government so reporting.
- download the Nationwide Cyber Security Review results (.pdf)