Utah Cybersecurity Auditor Report
Utah’s Office of the Legislative Auditor General reviewed cybersecurity practices at state agencies and local government agencies and some educational institutions. The auditor found that “governmental entities across the state need improvement in key areas.” The report makes 11 recommendations, including advising agencies that do not already have a cybersecurity framework to adopt one, such as the Center for Internet Security (CIS) standards.
This was a pretty broad audit, sent to over 600 county, city, town, school districts, colleges, universities, etc. However, only 37% even bothered to respond which seems to say there aren’t many cybersecurity carrots or sticks at the state level that would drive local entities to take cybersecurity seriously – not adopting the CIS framework is a point of evidence. Of the respondents, the numbers for the larger entities (counties and cities) aren’t that far from typical at that level. The smaller entities are likely the same but an across-the-board lack of emphasis on user awareness and education (combined with no minimum standards such as Implementation Group 1 of the Critical Security Controls) means high risk of phishing attacks succeeding.
In 2021, Utah became the second state in the nation to create a legal safe harbor for private sector companies that implement a cybersecurity framework (i.e., NIST CSF, CIS Critical Security Controls). The legislative body followed that up by auditing the cybersecurity practices of state/local government agencies. The CIS critical security controls are referenced because that provide a prioritized set of actions [safeguards] for any entity, public or private, to follow to establish an effective cybersecurity program.
Having a framework which is then mapped to a control standard is key to implementing a consistent risk-based approach to securing systems. NIST and CIS have free frameworks, with a lot of supporting documentation on implementation, that can give you a leg up here.
Read more in
BrightSpotCDN: A Performance Audit of the Cybersecurity in the State of Utah (PDF)
Statescoop: Utah cyber audit finds shortfalls across state