Some of the initial steps municipal leaders can take in the direction of cybersecurity preparedness can be quite simple. The best start is a discovery phase to determine what is already in place and where there are gaps. 

Below are two documents with sets of questions to help guide you through this exploratory exercise. After identifying areas that need to be addressed, there are resources and best practices provided to help you develop a plan to move forward.

Each of these documents are also offered as a download so they can be distributed and utilized during meetings with other municipal staff or partners.

Getting Started: Begin Conversations to Assess Cybersecurity Preparedness

Questions for Municipal Leaders to Discuss with Business Process Owners

  • Have we identified our most critical business functions?
    • Have owners of critical business functions met to identify the processes and systems they oversee?
    • Have those business processes been documented?
    • Who is responsible for each business process and system? 
    • Have the critical business processes been prioritized for the health and wellbeing of our citizens and protection of financial resources? 
  • Do we have data backup processes (backups) in place for the most important business systems?
    • Does the backup strategy prioritize critical business processes? 
    • Have we determined the acceptable level of data loss for our critical business processes?
    • Are backups frequent enough to restore from data loss? 
    • Are backups tested regularly to ensure they work? 
    • Is our backup process documented? 
    • Is the backup documentation accessible in the event of an emergency? 
  • Do municipal staff have an understanding of ransomware, how to defend against email fraud, and how to protect themselves online?
    • Does staff have access to training for defending against email fraud and how to protect themselves online? 
    • Is there an internal or external communication process when suspicious activity or emails are identified?
  • Do we know who has access to the data and systems that support critical business functions?
    • Is there a list of internal users who have access to critical business systems?
    • Is there a list of numbers and contact information for vendors and service providers who have access to critical business systems?

For More Information and Considerations for Business Impact Analysis: 

Download Business Impact Analysis
Download Business Process Questions
Municipal Cybersecurity Toolkit
 

Questions for Municipal Leaders to Discuss with Information Technology (IT) Staff or Service Providers

  • Can you help us implement an effective backup strategy that meets the standards/requirements outlined below:
    • A clear definition of what is being backed up and where it is being stored
    • Appropriate backup retention span and frequency
    • Annual testing of successful restore
    • Physical and virtual access to online backups are restricted to authorized personnel only
    • Backups are air-gapped and ransomware resistant
    • Awareness of any Personally Identifiable Information (PII)
    • Use of backup encryption where applicable
    • Backups include not only data but any relevant images, policies etc.
    • Documentation of the backup and restore strategy
  • Can you help us understand, document, and implement appropriate access/permissions to the data and systems of the municipality?
    • Have we minimized the number of employees who have administrative rights to machines?
    • Do we limit access to files, folders and applications only to those for whom it is necessary for their job? 
    • Is there a protocol for removing outdated accounts, especially those with administrative privileges?
    • Have we changed default passwords, especially for accounts with administrative rights?
    • Do we have documentation of our access controls?
Download IT and Service Provider Questions
Municipal Cybersecurity Toolkit