The Ohio Cyber Collaboration Committee
To strengthen cybersecurity in Ohio at the request of Gov. John Kasich, the Ohio National Guard has brought together more than 30 public, private, military and educational organizations to form the Ohio Cyber Collaboration Committee (OC3). The OC3 mission is to provide a collaborative environment to develop a stronger cybersecurity infrastructure and workforce.
OC3 has established four subcommittees to help it achieve its primary goals:
- Charter, Governance & Public Awareness;
- Education & Workforce Development;
- Cyber Range;
- Cyber Protection & Preparedness.
The committees are composed of Ohioans with a wide range of cyber and educational expertise dedicated to making Ohio a leader in the public-private partnership approach to cybersecurity.
Risk Assessment (RA) to Cyber Security Framework (CSF) to SB220 Safe Harbor
On August 3, 2018, Ohio Governor Kasich signed SB-220, the Safe Harbor bill, into law. The law is designed to protect companies that implement and maintain a program that follows a Cyber Security Framework (CSF).
TechR2 serves on the Ohio Cyber Collaboration Committee (OC3), an alliance of public, private, military and educational organizations formed to provide a cooperative environment for developing a stronger cybersecurity infrastructure and workforce.
ISO-certified TechR2® has developed an ISO 27001 and ISO 31000 compliant Risk Assessment program that can help Ohio companies implement and maintain a program that follows the NIST Cyber Security Framework (CSF). TechR2 is a high-level manufacturer of data security systems and a service provider for data destruction, data wiping and secure data transport.
An Ohio company can join the initiative by attending a working seminar where TechR2 will lead you through the Risk Assessment process and bring you up to date on the regulations that are binding to your organization.
Threat Announcement - 2022 Industry Weaknesses
2022 Across the Industry Findings – Security
- Organizations allow processing of physical data bearing devices outside of the secure datacenter or offsite and out of their control which is in direct violation of federal, state and industry regulations.
- Co-location data centers may allow computer technicians to exit their datacenters without any physical security check, which could allow data bearing devices (DBDs) to be taken out.
- Enterprise offices have only a fraction of the security that a datacenter has and are vulnerable to compromise.
- Third party sub-contractors do not have the proper information security credentials required by law or industry standards. Sub-contractors utilize weak industry certifications versus undergoing Cyber Security Framework (CSF) certification.
- Third party providers sub-contract the work to another company. The next level providers do not have data security credentials and are not approved by the customer.
- Company datacenters on the whole do not properly contain the DBDs. Most often they are placed in boxes, in desks or on shelves.
- No inventory is completed for IT assets or DBDs, so organizations are unable to determine when a loss occurs or what is missing.
- Security measures for mobile devices may not be in place to protect information from loss.
- Access control and management of user rights is not being implemented and reviewed at intervals.
- Two factor authentication is not being used as an extra layer of security for accessing critical data.
2022 Across the Industry Findings – Management
- No written plan or budget that accounts for storage servers or devices from cradle to grave is in place.
- Organizations lack a budget to perform proper data security. In many cases, non-skilled personnel and unverified software are being used.
- Senior data engineers and security managers are not present to verify critical data interaction.
- Software and hardware are used that do not conform to Cyber Security Framework (CSF) guidelines. Software used does not remove the data, and data files can be found with recovery software.
- Existing policies and procedures are out of date. Compliance and risk managers are ill-advised. Independent review of information security compliance with standards is not completed.
- Incident Response responsibilities and procedures are not established and tested regularly.
- Information Security Continuity is not addressed. Policies and procedures are not written, verified, reviewed, and evaluated.
- Datacenter or enterprise facility is missing a Risk Assessment that is approved by the organization’s compliance officer for the location.
2022 Across the Industry Findings – Skill
- OEM manufacturers' contracts are not compliant with current NIST and GDPR regulations. Data is sent on equipment to non-compliant OEM manufacturers as part of maintenance contracts. OEMs are using non-compliant sub-contractors.
- Data is not tracked in accordance with regulatory guidelines. Data Bearing Devices (DBDs) are not tracked when removed from the host system. Only a few datacenters nationwide have an accurate and up-to-date inventory of critical data bearing equipment and devices.
- Organizations have existing internal procedures and policies that allow them to bypass US NIST and other industry standards. Critical data procedures are incomplete and are not verified.
- Equipment used for media sanitization does not meet NSA guidelines.
2022 Across the Industry Findings – Training
- Single operators interact with data unaccompanied. The organization does not use a verifier as required by current regulations.
- Organizations do not use a verification method to confirm that data bearing devices are sanitized before the equipment leaves the organization’s control.
- There is a lack of training for professionals who interact with data. Certification documents are either missing or out of date.
- Inadequate data migration and data eradication techniques are being used. Many organizations use incomplete encryption or factory reset procedures, and the data can be recovered on the DBDs by a professional.
- Machines used in the datacenter or enterprise do not contain UL or CSA certification or validation documentation.
- Individuals with security credentials compromise their certified security training to comply with the organization’s non-compliant policies.
- Information Security Awareness education and training for all employees is not provided or documented.
- Training for reporting and responding to Security Events for all employees is not provided or documented.
- Insider Threat training is not provided or documented.