By Gerard Laygui, FI$Cal Chief Information Security Officer
As stewards of the state’s financial data, we strive every day to assure the integrity of that data. More than $2 trillion in banking transactions and $363 billion in state spending flow through FI$Cal annually. Nearly 15,000 system users at more than 150 departments use the system. That is an enormous amount of critical data to protect.
As Chief Information Security Officer (CISO) at the Department of FI$Cal, it is my team’s job to stay on top of the array of threats to the integrity of our data. In FI$Cal’s Enterprise Security Services Office (ESSO), we are focused on risk identification and mitigation. There is a strong emphasis on working with our IT partners to patch vulnerabilities, auditing the IT infrastructure to ensure strong configurations, and doing “Red Team” style penetration testing. We are quite aggressive about all of this.
Some of the items being audited relate to segregation of duties and least privilege. Segregation of duties is about ensuring that key job functions are separated. Splitting up duties that would allow a user to create and approve his or her own purchase order is an example of this segregation. Least privilege is about giving just enough access to users to do their jobs. Both of these are standard methods we employ to keep the system free of issues.
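The purchase-order example above, worked through in code as an added illustration (this is not FI$Cal code; the role names, the conflict pair and the sample users are assumptions): the approval step enforces least privilege and segregation of duties at runtime, and a separate audit function flags any user whose role assignments already violate the separation.

```python
# Added example (not FI$Cal code): enforcing least privilege and segregation of
# duties on a purchase-order workflow, plus an audit of conflicting role assignments.
from dataclasses import dataclass
from typing import Optional

# Assumed role names; no single user may hold both roles in a conflict pair.
SOD_CONFLICTS = {("po_create", "po_approve")}

@dataclass
class PurchaseOrder:
    po_id: str
    created_by: str
    amount: float
    approved_by: Optional[str] = None

class AuthzError(Exception):
    pass

def require_role(roles, user, role):
    """Least privilege: allow the action only if the user holds the role it needs."""
    if role not in roles.get(user, set()):
        raise AuthzError(f"{user} lacks role {role}")

def create_po(roles, po_id, user, amount):
    require_role(roles, user, "po_create")
    return PurchaseOrder(po_id, user, amount)

def approve_po(roles, po, user):
    """Segregation of duties: approver needs po_approve and must not be the creator."""
    require_role(roles, user, "po_approve")
    if user == po.created_by:
        raise AuthzError(f"{user} cannot approve their own PO {po.po_id}")
    po.approved_by = user
    return po

def audit_sod(roles):
    """Audit control: list (user, role_a, role_b) for every conflicting pair held."""
    findings = []
    for user, held in sorted(roles.items()):
        for a, b in SOD_CONFLICTS:
            if a in held and b in held:
                findings.append((user, a, b))
    return findings

# Constructed sample role assignments; 'carol' is deliberately over-privileged.
SAMPLE_ROLES = {
    "alice": {"po_create"},
    "bob": {"po_approve"},
    "carol": {"po_create", "po_approve"},
}
```

Running `audit_sod(SAMPLE_ROLES)` before go-live surfaces the conflicting assignment, while `approve_po` stops a self-approval even if the audit is missed.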
ESSO also audits that the key controls required by state standards are in place. We ensure that our firewalls keep bad traffic out. We also have various devices that examine the data coming into the FI$Cal system. The State of California Telework and Remote Access Security Standard (SIMM 5360-A) is an example of a control that FI$Cal follows. The standard calls for enterprise-strength controls such as antivirus and security updates. ESSO checks that these controls are enforced.
ESSO also provides yearly cybersecurity training for our staff. This is the best way to minimize the risk from phishing attacks. A phishing attack is the most commonly used method to gain unauthorized access to a network. ESSO conducts several phishing exercises per year to measure FI$Cal’s risk to phishing attacks.
October is National Cybersecurity Month, and many state workers have been going through this annual training exercise. Employees are given information and tested not only on how to spot phishing attacks, but also about handling sensitive data, securing devices that store data and other measures to protect data.
Bad actors are taking advantage of the huge increase in telework to launch new kinds of attacks in a bid to access corporate and government systems. Phishing is the easiest way to do this because attackers basically are asking workers to just let them in.
We as defenders have to be right 100 percent of the time, but bad actors only need to be right once.
We operate the Open FI$Cal website to give the public a view into how departments are spending taxpayer funds. So, while confidentiality is important, our bread and butter is the fidelity of the data. We cannot afford to let our data be tampered with. We must be ever vigilant to protect it. Security is everyone’s job.