This document discusses the importance of managing technology risks for municipal governments. It identifies six categories of technology risk: cybersecurity, financial, operational, legal, reputational, and societal. Cybersecurity risks like data breaches and network intrusions are discussed in depth. The document emphasizes that developing technological proficiency requires strong governance, planning, cyber hygiene practices, and technical competency. It provides a five-stage model for assessing an organization's maturity in managing technology risks and recommends that all organizations start prioritizing technological proficiency.
Managing Cyber and Five Other Technology Risks
1. MANAGING CYBER AND FIVE OTHER
TECHNOLOGY RISKS
WHAT MUNICIPAL OFFICIALS AND
SENIOR EXECUTIVES NEED TO KNOW
CRITICAL ISSUES FOR THE FISCAL
HEALTH OF NEW ENGLAND CITIES
AND TOWNS
APRIL 8, 2016
Presented By Marc Pfeiffer, Principal
Investigator and Assistant Director,
Bloustein Local Government Research
Center, Rutgers University
2. THE TECHNOLOGY MANAGEMENT
OPPORTUNITY:
• Integrating new technologies into a
government environment that includes:
• Cost/tax/fee pressures
• Citizen expectations
• Political dynamics that work against
long-term planning
• “We can defer that purchase for another
year, can’t we?”
3. KEY TECHNOLOGY MANAGEMENT CHALLENGES
• Determining what we need, want, can afford; when and
how we get it, how to manage it
• Understanding that “technology” is more than
“information technology”, but also includes operational
and communications technologies; and they all have risks
to manage
• Understanding the risks; and that technology risks go
beyond cyber-security; that they include the other risks that
need to be reckoned with
• Knowing that managing technology and its risks is not a
journey with a destination; it is an ongoing and evolving
activity
6. 1. CYBER SECURITY
• Banking incursions – electronic funds transfer
• Data/PII breach/theft
• Network breach/use as a remote host
• Access to networked control systems
• Credit card security
• Cyber extortion – DDOS, Cryptolocker/ransomware
• Website/Social Media Security
7. TYPES OF THREATS – SO FAR
Targeted Attacks
• Local government agencies are not usually specifically
targeted, but you might be targeted by someone
disgruntled or if something goes wrong
Mass Attacks
• This stems from successful email phishing and its cousins,
and social engineering attacks
Your Humans:
• Clicking on the wrong link/opening the wrong file
Bottom line: bad guys try to manipulate people into
divulging personal or business information or tricking them
into schemes to defraud
12. THE OTHER TECHNOLOGY RISKS
3. Operational: failure of government to operate;
services delivery failure from loss of access to
IT resources
4. Financial – costs of responses to breaches and
operational failure
5. Reputational risks
6. Society driven risks
14. A TECHNOLOGICALLY
PROFICIENT ORGANIZATION
…Understands the links between its business
processes and its technology
…Understands its technology needs
…Is assured that the technology will work when it
needs to, including routine and emergency
situations
…Is capable of protecting itself against
compromise, including protecting against and responding
to cyber threats
15. DEVELOPING TECHNOLOGICAL PROFICIENCY
To the extent one is weaker than the other, they are all weaker.
Proficiency
• Governance
• Planning
• Cyber Hygiene
• Technical Competency
16. GOVERNANCE
Governing boards cannot
ignore technology or delegate key elements
• Reputational and financial risks cannot be
delegated
• Governing body and chief executive must be
engaged
• Includes technology managers, fiscal staff,
public safety, operational representation; can
include responsible citizens.
17. GOVERNANCE
Management needs to set the tone from the top, down:
• Understands technology as an enterprise-wide risk
management issue
• Create a technology governance process
• Has adequate access to technology expertise
• Develop risk management processes
• Adopts technology policies
• Establish a technology planning process
• Ensure reports to elected officials are meaningful
18. PLANNING
Determines how you spend technology resources
Key elements of the plan:
• Matches organizational goals to technology goals
• Assessment of technology assets, services, resources (hardware,
software, networks, contractors, facilities, people)
• Identify priorities of changes in technology solutions and activities
• Assess and address technology risks
• Define the information security management framework
• Address “make or buy” decisions
• Assign plan execution responsibilities to appropriate staff and tie
plan to organization budget
• Use a practical time horizon: No more than 3 years and review
annually (or more often)
20. BECAUSE…
The bulk of successful attacks come because
an employee clicked on something they
shouldn’t have, so…
• Train (and retrain) your humans
• Consider intrusion testing
• Have informed employee policies
21. TECHNICAL COMPETENCE
Implement the plan with
technical competency
• Keep Governance updated on activities
• Apply and enforce policies
• Ensure that all tech employees are trained and
contractors are secure
• Keep aware of changing circumstances and
technology, and SHARE information with peers
• Be consistent; do not slack off
29. PUT TECHNOLOGY PROFICIENCY ON
YOUR ORGANIZATION'S AGENDA
You can’t do this overnight; it will always be a work in
progress.
It will likely cost new resources of time, attention, and $$
Remember, proficiency and cybersecurity are an ongoing
process and challenge, NOT a destination! And every
organization is at a different spot on the map
So…
START