Security awareness

Security Awareness Checklist for Local Government

September 13, 2018 by Tyra Appleby

Local government is an umbrella term that covers a variety of entities. These entities include jails, courts, police departments, local Social Security offices, social services, public transportation offices, schools, fire and police departments, local utilities/services and more. Local government agencies are what keep states, cities, towns and municipalities running.

This makes them a potential target for cyberattacks. Depending on the agency, it is very likely they will have a lot of Personally-Identifiable Information (PII) stored on their electronic systems. If PII is getting into the wrong hands, it can create the very real potential for identity theft. In order to protect local government assets and local citizens, agencies should always be improving their security.

The following checklist covers several important items for local government security awareness.

The Checklist

1. Determine Rules and Regulations Specific to Your Agency

Government agencies are subject to various rules, regulations and policies. The federal government has implemented rules related to cybersecurity and the ways various types of information should be handled. This includes such information as PII, HIPAA data and so forth.

One of the first things a local government agency should do is determine what types of potentially sensitive information they process and store. They can then determine which regulations they are required to follow and begin the process of implementing the proper processes to ensure that they are compliant.

2. Assess Threats Related to Your Particular Agency

There are multiple agencies that gather threat intelligence. Threat intelligence is used to determine what type of cyberweapons are used to complete cyberattacks. There have been viruses created just to target power grid controllers as well as systems that manage local utilities. Threat intelligence can also help to determine who the potential bad actors are. Having this data is useful in performing a threat assessment.

3. Perform a Threat Assessment

Whether performed by an external group or the internal cybersecurity team, a threat assessment helps to determine vulnerabilities, identify and assess potential threats and help to determine countermeasures.

4. Instill Good Cyber-Hygiene Practices

Government agencies are prone to having limited budgets, meaning they may not be capable of always having the latest and greatest. Even with a limited budget, it is still possible to practice good cyber-hygiene. This includes such precautions as:

  • Enforcing strong passwords
  • Keeping systems properly patched
  • Enforcing least privilege
  • Using up-to-date virus scanning protection

5. Ensure Access to PII or Other Sensitive Data Is Restricted

It is important to protect sensitive information. The practice is actually mandated by both federal and local government laws. Only employees with a need to access sensitive should be allowed to access sensitive data. This could be implemented and enforced by using a role-based system when creating accounts. It is also important to audit when and how this information is gathered.

6. Have Detailed Disaster and Recovery and/or Incident Response Procedures

Bad things happen. It’s important to not only be prepared, but to have a detailed plan on how to recover when it does.

7. Review Current Policies and Procedures At Least Yearly

Threats, vulnerabilities and cyberattack capabilities are always changing. It is important to make sure your policies and procedures are still relevant.

8. Implement Physical Security Controls to Limit Access to Important Assets

Preventing cyberattacks does not just mean implementing technical controls, but physical ones as well. While performing your threat assessment, any potential vulnerabilities in physical security can be identified. This provides the opportunity to implement better physical countermeasures.

Even with the best technical controls implemented on a system, if anyone is allowed physical access to the systems, it can negate any protection and render the system and the information it stores completely vulnerable.

9. Implement and Enforce Employee Cybersecurity Training

People are sometimes considered the weakest link, but it doesn’t have to be the case. Having strong technical controls is helpful, but it is important to train employees on good habits.

10.  Repeat

Do all of the above items again. The cybersecurity threat landscape is always changing, so you will find yourself running checks and making updates over and over again. This may seem tedious or unreasonable, but it’s part of the practice of vigilance. Your employees and fellow citizens will thank you.


Local governments are responsible for the development and enforcement of policies and rules for the municipalities in which they reside. They also provide services to each and every resident within their communities. This means they potentially have access to sensitive and personal information on each and every one of their residents. It also means they could be responsible for such necessities as electricity, water, trash pickup and more.

It is important that they protect both the sensitive information to which they could have access and also keep these municipalities operating smoothly. Ensuring they have strong cybersecurity safeguards in place is a must.

This checklist is just a start. It’s important that these agencies keep up to date with current trends and attacks in cyberspace and work to protect themselves accordingly.

Posted: September 13, 2018
Tyra Appleby
View Profile

Tyra Appleby is a CISSP certified lover of all things cybersecurity. After serving 4 years in the Navy as a Cryptologic Technician, she continued supporting various DoD and government agencies as a Systems Security Engineer. She has a passion for writing and research, particularly in the areas of Reverse Engineering and Digital Forensics. When she’s not working, you can find her at the beach with her Rottweiler Ava.