NC IT Roadmap - Security NC IT Roadmap: Security NC IT Roadmap Technology Foundations Broadband Security Cloud Technologies Identity & Access Management Data & Analytics Applications Digital Transformation We want to become a model state for cybersecurity and we want to keep working for the private sector to strengthen our cybersecurity efforts. Government has a lot of information. We need to keep it safe and people rely on us to do it. -Governor Cooper As we move away from paper and in-person processes to real-time, online service delivery, securing the citizens’ data is paramount. Security must remain a critical element embedded in all projects and processes as we adopt new technologies that enhance our citizens’ interactions with state and local government. Citizens expect to engage with government in the same ways they engage with the rest of the world – real-time, where they are, and on multiple platforms. They want transparent government with services that are easy to access, and confidence that their data is being used responsibly and managed safely. There are three primary security concerns generated by these expectations: Privacy: Residents of North Carolina have an expectation that the data they provide through various interactions with the state, will be secured and remain private. Privacy enables trust, and trust enables speed and efficiency. To be efficient in our duties, data sharing and analytics becomes a critical aspect of our business model. Residents expect seamless interactions with a single identity, that leverages data while maintaining and protecting their individual privacy. Security: The use of internet of things (IOT) continues to become more prevalent in our lives and more importantly, in our state infrastructure. More and more, we see IOT devices being weaponized to disrupt operations. We must adapt to this changing landscape and be able to secure any and all devices regardless of location or type, that will be deployed on critical infrastructure and State networks or that transmit, store or process state and federal data. We must also focus on enterprise visibility and resiliency that will support the identification, detection, protection, response and recovery of critical infrastructure. User Awareness and training: We need to be agile in the development and deployment of security solutions to manage the shifting threat landscape. This requires a nimble and educated supporting staff across all IT disciplines. It also requires that we educate all state employees to ensure they are good stewards of the data we have been entrusted to protect. To adequately improve and implement privacy and security policies and appropriately secure endpoints, the State’s IT security professionals need visibility into the state’s data, regardless of where that data resides. To manage the state’s long-term security needs, we will leverage the NIST Cybersecurity Framework (CSF) to ensure a standard approach to Identify, Detect, Protect, Respond and Recover from any and all cyber events that may impact the confidentiality, integrity and availability of resident’s data or result in loss of life. Identify Modernize State Laws: We need to modernize our laws to effectively meet the legal and regulatory requirements brought on by the changing threat landscape. It is critical for the state that we ensure that we align our laws and standardize the state’s approach to cybersecurity with our federal partners, local government and private sector industries to enable information sharing and for the protection of Department of Homeland Security (DHS) designated critical infrastructure and mission critical systems within the state of North Carolina. Develop a Statewide Privacy Program: The need for privacy continues to dominate the IT and legal landscape. We need to ensure that privacy is raised to an appropriate level of importance to address the needs of our residents. We will need resources with expertise to address privacy concerns, data sharing methodologies for the protections from unauthorized disclosures. The establishment of a statewide privacy program will cascade across all state agencies and standardize the approach for the management of data across the agencies. Detect Expand the Continuous Monitoring Program (CMP) to Local Government: The risk to residents' data does not reside only at the state level. Many state agency systems have interconnections within local counties, municipalities, and cities. We can no longer approach cyber in a silo. It is our responsibility to partner with local government to implement solutions that will provide visibility and protection, while fostering information sharing. These elements are critical to a holistic cyber program for the state, enabling the incident response and recovery activities supporting the Statewide Cyber Disruption Plan. Implementing continuous monitoring programs will enable local governments to more effectively identify, track, and remediate security threats. Protect Broaden the View of Cybersecurity within the State: Cybersecurity is not the sole responsibility of IT security professionals. In the digital age, every employee is a cyber employee, and every employee has a role in maintaining the security of the state’s data. To ensure that citizens’ privacy and data are managed securely, we need to properly train the entire cyber workforce on security risks, threats and vulnerabilities. We must shift our views on where security is managed and embed security down to the end-user level. This requires a strategic cyber training plan that is adaptable to the changing threat landscape and effective in addressing relevant security knowledge gaps. We will leverage frameworks such as the NIST National Institute for Cybersecurity Education (NICE) framework in our cyber training plan. To meet the demands for security professionals to assist in securing the environment, it is crucial that we revamp state hiring practices and leverage internship and apprenticeship opportunities. The current shortage of trained security professionals creates a risk for the state. To establish a pipeline for the future, we will need to look past traditional IT roles to identify those who have strong critical thinking, team player and problem-solving abilities. These attributes lay a solid foundation for adaptability within cyber and IT roles within state government. Offering training and mentoring opportunities within State government for veterans and those external to IT will better position the state to meet the demands of the future. Establish a Roadmap for a Development/Security Operations Environment (DevSecOps): Application vulnerabilities continue to be the low hanging fruit leveraged by malicious actors. Resource shortages have facilitated poor development practices resulting in insecure application development and shadow IT activities. We must establish processes and procedures to ensure that state agency application development follows a standard, repeatable, and secure lifecycle development management process. This process will enable the business to ensure that applications in use are developed in a collaborative, secure, and cost-effective manner that will improve the overall quality and performance of our systems. Respond Develop a Statewide Cyber Disruption Plan and Exercise: To ensure we are prepared to respond to a significant cyber incident, we must have a formalized and holistic response plan that establishes a repeatable process and leverages industry best practices. The plan must address public and private critical infrastructure that could create impact to state resources and/or cause loss of life. Additionally, the plan must be exercised periodically to ensure that it is relevant to the threats being experienced and all impacted stakeholders are familiarized to their specific roles and responsibilities for the protection of the residents of North Carolina. Recover Build a Resilient Infrastructure: A key element to the establishment of an incident response plan is the availability of resources to support recovery aspects. We need to focus on ensuring systems identified as mission critical, critical infrastructure, or statewide critical all have the appropriate level of resiliency implemented for the rapid recovery or sustainment of operations in the event of a significant cyber incident.