Cybersecurity Policy for Local Governments

Here is a sample high-level cybersecurity policy for a city, district, or county. It is designed to be a high-level statement adopted by city council, supervisors, or board of directors and leave detailed policies and procedure at a lower level. The reason is detailed policy and procedure may need to change regularly and there is no reason to continuingly go back to council or board for detail changes.

It is appropriate for department heads to accept the risks to their operations and mission. This policy creates a collaboration between departments and the IT department to ensure adequate protections. Department heads can ensure that cybersecurity is addressing the risks to their department’s mission and operations.

This policy also adopts the NIST Cybersecurity Framework (CSF) as the basis for the cybersecurity program. References to NIST Risk Management Framework (RMF) are also present allowing the City to use a more mature framework as needed. In addition, it mentions compliance and regulations broadly as those requirements continue to evolve.

Recommendations for Implementation

Customize this template as needed for your organization. For Counties and Districts, you will need to replace the word City/City’s/cities throughout the document. You may also need to job roles and titles to match your current roles and titles.

If your organization has an internal audit function you would need to add requirements for the internal auditor. Likewise, the responsibilities would need to be rearranged if your organization has a cybersecurity function or roles like Chief Information Security Officer (CISO). This policy assumes the organization does not have these functions.

As always, this template policy is given as is with no warranties. It can be used or modified but not resold. I also recommend having your City attorney review the policy.

--- Start Sample/Template policy ---

The City of [your city] Cybersecurity Policy

The City of [your city] (City) is dedicated to building a strong cybersecurity program to support, maintain, and secure critical infrastructure and data. The following policy is intended to maintain and enhance key elements of a citywide cybersecurity program.

Purpose and Scope

The Cybersecurity Policy lays the foundation for the City’s Cybersecurity Program as a whole and articulates executive level support for the effort. The Cybersecurity Policy supports the City’s

Cybersecurity Program established to:

protect City’s critical infrastructure
protect the sensitive information entrusted to the City
continuously improve our ability to detect and respond to cybersecurity events
contain and eradicate compromises, restoring information resources to a secure and operational status
ensure risk management is sufficient and in alignment with City operations and mission
facilitate cybersecurity awareness of risks to City operations and mission
comply with external and regulatory data protection requirements

The requirements identified in this policy apply to all information resources operated by or for the City, its departments, and commissions. Elected officials, employees, consultants, and vendors working on behalf of the City of [your city] are required to comply with this policy.

Policy Statement

The City shall:

assign cybersecurity responsibilities to the Technology Manager to coordinate citywide cybersecurity efforts
adopt the National Institute of Standards and Technology (NIST) Cybersecurity Framework as a methodology to secure information resources
use NIST Special Publications as guidelines for control selection (NIST SP 800-53), risk assessments (NIST SP 800-30), Incident Response (NIST SP 800-61), IT contingency planning (NIST SP 800-34), cybersecurity awareness (NIST SP 800-50), data classification (NIST SP 800-60), and other NIST guidelines as applicable (csrc.nist.gov)
incorporate additional cybersecurity compliance or regulatory controls, such as Payment Card Industry Data Security Standard (PCI DSS)
conduct and update, at least annually, a cybersecurity risk assessment or with major changes to systems

Roles and Responsibilities

The City assigns cybersecurity responsibilities, in order to have an effective and sustainable cybersecurity program.

The Senior Management Team shall:

to the extent possible, adequately support and fund City and Department cybersecurity operations based upon risk to City operations and mission
with the aid of the City attorney, determine the requirements and execute necessary breach disclosures
assess the cybersecurity program with an external auditor/assessor at least once every three years

The Technology Manager shall:

report the City’s cybersecurity status, activities, and risks annually to the Senior Management Team and City Council
work with the department security liaisons to develop and maintain an information classification system and support departments in their data classification efforts
with the aid of department security liaisons, ensure information resources are properly protected through risk treatment strategies that meet the acceptable risk threshold for the category/classification of the information resource
inform the City Manager when there is an event which compromises the confidentiality, integrity, or availability of a system or data involving Personally Identifiable Information (including payment card information), Regulatory Protected Information (such as but not limited to, HIPAA or Social Security Numbers), and/or data that is not considered public as soon as practical
develop and maintain a citywide incident response program capable of addressing major compromises of City information resource
support departments’ implementation of citywide cybersecurity requirements
establish necessary procedures to support the cybersecurity program such as but not limited to, cybersecurity awareness, business continuity, incident response, access control, configuration management, change control, etc.

Department Heads shall:

appoint a security liaison to coordinate cybersecurity efforts with the Technology Manager
promote a culture of cybersecurity awareness and compliance
remind their employees and contractors about the City’s Cybersecurity policies, standards, procedures, guidelines, and best practices
ensure that all systems and the data contained by the department’s systems are protected in accordance with the category/classification of the data and systems.

All City staff shall:

comply with cybersecurity practices, requirements, and acceptable use agreement, and promptly report any incidents to the appropriate official
attend cybersecurity training at least annually
report suspicious activities to their manager
report suspicious emails, abnormal system behavior, or breaches of this policy to the Technology Manager

Exceptions

No exceptions to this policy will be approved.

Authorization

[Your City’s typical wording for policies]

References