The URL can be used to link to this page

2017-043 Information Security Program Date: June 16, 2017 Report No. 2017-043 INFORMAL STAFF REPORT TO MAYOR AND CITY COUNCIL SUBJECT: City of Denton Information Security Strategy EXECUTIVE SUMMARY: ategy. BACKGROUND: Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information can be created, stored, destroyed, processed, transmitted, used, corrupted, lost or stolen. In recent years, major enterprises like Yahoo, Home Depot, Target and Sony experienced information system breaches that required the companies to pay millions of dollars to cover the costs related to the attacks. In the cases of Home Depot and Sony, the intrusion initially occurred via hacked third party vendors and financial gain was the motivation. Data maintained by Privacy Rights Clearinghouse shows that federal and state government agencies publicly disclosed a total of 203 data breaches over the past 5 years. According to a survey conducted by the Texas Association of Governmental Information Technology Managers (TAGITM) in 2017, 41 out of 54 Texas cities have been affected by a malware attack. A malware attack is software that is intended to damage or disable computers and computer systems. In 2015, the City of Denton detected over 55,000,000 threats. Over the past year, this has increased to 138,356,036 threats and 55,606 instances of spyware. On average, we block about 50,000 malicious webpages a month. Additionally, we received over 9,423,368 emails this past year. Out of those, 71% percent were detected as threats. Information technology security controls should preserve the confidentiality, integrity and availability of key information systems, programs, and data. Information Security is not a single technology; rather it is a multi-layered strategy comprised of the people, processes and technology necessary to prevent, detect, document and counter threats to digital and non-digital information. cycle of activity for assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures. The Technology Services Department has been proactive in implementing multiple layers of protection for IT supported technologies. Date: June 16, 2017 Report No. 2017-043 Without a comprehensive security plan and industry best practices in place, even the best systems can be compromised. Multiple security tools, practices and procedures have been implemented during the last several years to protect the systems against unauthorized access and viruses. Some of these include: Secure architecture and design validated by third party Electronic and physical security controls Strong password policies and access controls Controlled use of administrative privilege Proactive monitoring and analysis of logs Annual vulnerability assessments, penetration testing and tabletop exercises Site and hardware redundancy that includes a backup Data Center Incident response plan Business continuity plan Cyber Security Policies Security retainers with companies specializing in information security for rapid response Scheduled patch management Periodic social engineering exercises to staff Various security technologies o Perimeter Security: firewall, Intrusion Detection and Prevention Systems IDS/IPS, demilitarized zone (DMZ) for public facing applications, e-mail scanning (anti-virus) o Network Security: firewall, web proxy, wireless security, enterprise remote access, security information and event systems o Endpoint Security: desktop firewall, anti-virus, patch management, local security policies o Application Security: application testing, code review, database monitoring, o Data Security: drive encryption, data archive, data wiping, data classification, identity access management Additionally, Information Technology staff regularly reviews the US-CERT, SANS, Wired Threat Level, Dark Reading, Dell Secureworks and other resources to maintain current knowledge of cyber security alerts and product vulnerabilities. This information is used to fortify City systems against threats. STAFF CONTACT: Melissa Kraft Chief Technology Officer (940) 349-7823 Melissa.Kraft@cityofdenton.com