Good afternoon and good evening, ladies and gentlemen. It is my great pleasure to present here for the second time at the DEF CON Voting Village. I am Sang-Eun Lee, an IT security specialist at the City of Chicago, leading the cybersecurity policy and compliance programs. Today I'm here to share thoughts on how to update an information security policy, specifically from a local government perspective. Without further ado, I would like to go through my presentation.

Today I will start by exploring what an information security policy is and the peculiarities that make local government different from other types of organization. Second, I will go through the aims and goals for the revision of the policy from the local government perspective. Third, I will propose a methodology for the revision and its actual application, based on the case study of the City of Chicago.

So, what is an information security policy? An information security policy is the highest directive of the cybersecurity posture: to formalize the security and internal control standards that mitigate security risks, to comply with applicable external controls and regulations, to define how computing and communication assets, systems and resources should be accessed, configured, used and protected, and to monitor the activities the organization's personnel should execute to maintain the security of the organization's operating environment. In short, it sets up a baseline to maintain the soundness of cybersecurity, provides guidance to the relevant stakeholders including the ITSCs, and directs the cybersecurity programs such as risk management, incident response and compliance.

So, what should we consider as a local government? The local government is a multifunctional service provider to its constituents. With its wide spectrum of functions, the local government engages residents with various administrative measures. In other words, the audience of the provided services is the local constituents.
At the same time, local government is a technology laggard. The city is very slow in accepting new technology. I might have to tell my boss to get a new laptop, but he's still using a laptop that is about five years old. At the same time, we have very limited financial and human resources, specifically in cybersecurity. The city has more than 35,000 people employed; however, our security team is relatively very small compared to the size of the organization. And I believe this is not only the case for Chicago, because Chicago is one of the largest cities in the United States.

Third is our static decision-making process in the case of public rate documents. We need to go through mayoral approval, and this is not only the case for Chicago. At the same time, if something is approved and implemented, our deliverables are public-facing and open to the public. So, multifunction means multiple compliance requirements, a larger impact from a cyber incident, and also public influence of our documents. And as I just mentioned, we have very slow approvals on new changes and developments, regardless of how rapidly the cybersecurity landscape is changing. This is the reason why the importance of policies is emphasized even further in local government.

So, in order to make our government even more sound in its cybersecurity posture, I would like to deliver the aims for the ISP revision. These are the aims for this revision. First, considering the nature of a cybersecurity policy or information security policy, it is a general document, but it also needs to be detailed. To cover the wide spectrum of audiences and topics, general employees would consider it a general document that should be followed in every single piece of business they conduct every day. At the same time, the ITSCs, being the direct stakeholders, should be taken into consideration in detail.
So, in order to satisfy those two, the policy should be a dynamic, living document. Second, we are approaching the policy as something that should be communicating with the constituents all the time. To actively engage both within the organization and with the external public, the document should be a consumable document: not a stressful document to go through, like 50 or 60 or 100 pages, but more consumable and more simplified, providing the highest policy statement from the city or from the organization. Third, it should be a document that addresses our compliance. We have federal and local regulations and industry standards that we should adhere to and be compliant with. These are the three main aims of the revision of the policy.

From now on, I will go directly through the methodology. First, to make a dynamic document, I propose to address the gaps and assure flexibility. To do so, we first identify the gaps; second, we analyze the current version, whether it is good or bad, or whether it is sufficient or insufficient; third, we develop a new policy if needed. To give an example: with the increased usage of social media for civic engagement by local governments, a revised version of the social media usage section is required in our policy to maintain our cybersecurity posture. However, the current version, in the case of the city, is an almost six-year-old document, and that makes our prior version very weak in providing sufficient controls over social media usage. So that was one example.

Second is about making a consumable document, as I just mentioned. In order to do so, the city is approaching this by separating the policy and the process; specifically, we are planning to identify which statement is a policy statement and which statement is a technical control.
And by doing so, we can develop separate process documents which are mainly referenced by the relevant stakeholders, such as the ITSCs, for each policy topic. This has the benefit of, first, providing a faster way to reference the policy and how to implement the sufficient controls that are required by the policy. Second, by reducing the actual contents of the policy itself, we expect that the policy can be a more consumable document regardless of what role you are in within the local government.

Third is about alignment. We are here to build our new policy and revise our policy. First, we map the existing policy to the key controls from both the top-down and the bottom-up level, and I will explain this further very soon. Second, we analyze the composition and structure and determine which controls are underrepresented and which controls are overrepresented. By doing so, we can determine and identify the policies that need improvement, and not only improve the policy but also intend to be compliant with any compliance requirements that we adhere to.

I believe this is not sufficient information or explanation to understand what the aims of the methodology are, so I will present the direct application. In the case of the City of Chicago, our Information Security and Technology Policy, which you can check here, has a release date of 2016, so it is five years old, and this last revision was a minor revision, just changing some departmental names due to changes of the organizational structure within the city. So now we are undergoing a process of revising our own policy to meet the goals and aims that I just mentioned. The current policy, as is: first, it is outdated, as I just mentioned; the major revision was done in 2016. It is somewhat under-focused or overreaching, without regard to the city's resources.
Third, it is mixed up with policy statements and technical controls. The second point is to go through more about policy and controls. The policy statements and technical controls are mixed up, which makes it difficult for a variety of readers to digest. People who understand the technology and people who are directly working with the policy may feel very comfortable using that policy for their daily guidelines; however, this document is released to the public, and it is actually released to the public, and the readers may find it very difficult to digest. So this is the second point of the identification of our current problem.

The initial version of the policy, or the current version of the policy, was built considering the Cybersecurity Framework and NIST 800-53 revision 4, which has recently been revised, and the other industry standards that we adhere to have also been revised after our initial announcement of the current version. So in order to be compliant, we need to update this policy.

What to consider about our current organization is, as I just mentioned, that we are an organization with a very static and slow decision-making process, and we have a very large number of employees. These employees are not only desk workers but also people who are responsible for city infrastructure, services and buildings, or parking enforcement, for example. We also have a police department and a fire department, and those kinds of multifunctional business services are offered by the city. And it is a public document. This document seems to be very specific, addressing very specific issues of the city's information systems and the use of information systems in city business. However, this is a public-level document which is open to the public.
Third, it's about cyber threats, which are rapidly evolving. We also have expanded use of social media by the city and by the people, and we have comprehensive threats with mass impact. Our audience is not only the city employees, and the reason is not only that we have a lot of employees in the city: actually, the paralysis of city business, or an incident which influences our city business, would have a major impact on the residents. So this is the current state of our policy.

At the same time, this is how the policy is structured, specifically in the City of Chicago. We have 15 chapters, or 15 policies, regarding our information security, and each policy has four different levels: chapter, article, clause and item. If we sum up the number of these items, we have 543 items, and this document is over 80 pages. However, it is also mixed up with policy statements and technical controls, and some of the technical controls are not even valid these days because of technological progress. As I mentioned before, it's overreaching regardless of the city's personnel resources, because it may have a statement like: the policy, or the Information Security Office where I'm working, requires system A to maintain state B; however, that state B was already outdated a few years ago. That means our last major revision was in 2016. So we need to keep it updated, and considering the city's approval structure, which is very static and requires a long time to get finally approved and posted to the public, we need to provide room for flexibility. That's one of the reasons why we're trying to separate the controls and policy statements.

So, recalling the methodology from this section, I will start with how to make a dynamic document. We started by mapping the policy from the top down. There are two tables here.
The table on the left-hand side is the result of mapping the ISTP, for each policy, within these control families. The right side is the list of these control families. Here the chapter row means the number of the chapter which addresses each control family. When we were mapping from the top-down level, first, we did not allow any overlap, so we only assigned one control family to one policy. Based on the results, we could see it is generally balanced, but with missing control families. Those missing were six control families: AT, CA, IA, MA, PT, and RA. Bottom-up mapping results may deal with the missing control families, and I will present this right after; but from here, we also thought about rearranging the policy to make the policy balanced while building on NIST 800-53. For the city, we are currently approaching our revision based on the newest version, revision 5 of NIST 800-53.

We also conducted a bottom-up analysis. Here, as I mentioned before, each item has a policy chapter number, article number, clause number and item number. So we divided every policy into items and we assigned every relevant control family based on our policy contents. This was first done by myself, but because we are human beings who make mistakes, we also went through multiple trials of validation within our Information Security Office. There were both underrepresented and overrepresented control families in the policy. At the same time, as I suggested on the slide before, the six missing control families which I mentioned from the top-down approach were reinforced by the bottom-up analysis. But still, there is a need for rearrangement to clearly identify those that are missing.
These are the results. Well, I think it's the nature of information security policy, but based on what we have here, access control is very overrepresented, while MA is very underrepresented. These are the points that we have identified and determined to be reinforced by the newest revised version of the policy.

Second is about how to separate the policy statements and controls. This is another worksheet that I am using right now, and we assign every item to one of three categories: controls, policy, and mixed statements. We have gone through every one of the 543 items for this process, and this also went through multiple trials for validation. These are some of the mixed statements. If you see here, "Technical Operations and Enterprise Network Architecture should ensure that system default settings are reviewed with the Information Security Office before any solution to identify potential security vulnerabilities" is a policy statement. However, the contents below it are a technical control, and we intend to collect all the technical controls by each policy, so by each chapter, and then develop separate process documents for the reference of the ITSCs. By doing so we are simplifying the policy statements and making them a further stronger message, and we are also crystallizing the technical controls in the process documents.

This process not only lifts the burden of the reader; at the same time, it allows us to make more dynamic updates based on our current approval process. For a process document, we only need one or two signatures, from the CISO and the CIO. But for the policy to be revised, we have to go all the way up through the mayor's office, which requires several months, or several weeks in a good case.
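As an added illustration of the top-down and bottom-up mapping and the policy/control split described above (example code written for this page, not the city's worksheet): the 20 family codes are those of NIST SP 800-53 Rev. 5, while the worksheet rows and the chapter-to-family assignment are constructed samples.

```python
# Added example, not the City of Chicago's worksheet: map policy items to
# NIST SP 800-53 Rev. 5 control families and report the coverage gaps.
# The rows and the chapter assignment below are constructed for illustration.
from collections import Counter

# The 20 control families of NIST SP 800-53 Rev. 5.
FAMILIES = ["AC", "AT", "AU", "CA", "CM", "CP", "IA", "IR", "MA", "MP",
            "PE", "PL", "PM", "PS", "PT", "RA", "SA", "SC", "SI", "SR"]
KINDS = {"policy", "control", "mixed"}  # statement type of each item

# Constructed worksheet rows: (chapter.article.clause.item, kind, families)
ITEMS = [
    ("1.1.1.1", "policy",  ["AC"]),
    ("1.1.1.2", "control", ["AC"]),
    ("1.1.2.1", "mixed",   ["AC", "IA"]),
    ("2.1.1.1", "policy",  ["CM"]),
    ("2.1.1.2", "control", ["CM", "SI"]),
    ("3.1.1.1", "policy",  ["IR"]),
    ("4.1.1.1", "policy",  ["AT"]),
    ("5.1.1.1", "control", ["AC", "SC"]),
]
# Constructed top-down assignment: exactly one family per chapter.
CHAPTERS = {1: "AC", 2: "CM", 3: "IR", 4: "AT", 5: "SC"}

def top_down_missing(chapter_family):
    """Families that no chapter addresses; a family used twice is an error."""
    used = list(chapter_family.values())
    dupes = sorted({f for f in used if used.count(f) > 1})
    if dupes:
        raise ValueError(f"family assigned to more than one chapter: {dupes}")
    return [f for f in FAMILIES if f not in used]

def family_counts(items):
    """Bottom-up pass: how many items touch each family (zeros kept visible)."""
    counts = Counter({f: 0 for f in FAMILIES})
    for ident, kind, fams in items:
        if kind not in KINDS or not set(fams) <= set(FAMILIES):
            raise ValueError(f"{ident}: unknown kind or family code")
        counts.update(fams)
    return counts

def coverage_report(items, ratio=2.0):
    """Missing families, families more than `ratio` times above or below the
    mean items-per-family (rebalancing candidates), and the kind split."""
    counts = family_counts(items)
    mean = sum(counts.values()) / len(FAMILIES)
    return {
        "missing": [f for f in FAMILIES if counts[f] == 0],
        "over": [f for f in FAMILIES if counts[f] > ratio * mean],
        "under": [f for f in FAMILIES if 0 < counts[f] < mean / ratio],
        "kinds": Counter(kind for _, kind, _ in items),
    }
```

Calling `top_down_missing(CHAPTERS)` lists the families the chapter assignment never reaches, and `coverage_report(ITEMS)` flags AC as overrepresented on the sample rows, which is the same kind of imbalance the talk reports for the real policy.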
That's not because they're not doing their work, but there are so many things to be reviewed by the mayor's office. So that's the reason why we are separating these two: to make a more readable, consumable document and, at the same time, more of a living document which can receive rapid updates. By simplifying the policy document, we assure room for flexibility, set aside the technicalities, and consider this a public rate document; by crystallizing the technical controls, we allow more frequent updates through process documents, a simplified approval process and an internal rate document. This policy is intended to be a consumable policy for everyone.

The final stage is alignment. To introduce some of the key references, there are some regulations that we are adhering to right now. First, it's about NIST 800-53. I believe everyone, or not everyone, but this is a cornerstone of cybersecurity. NIST 800-53 revision 5 is a comprehensive catalog of security and privacy controls for all US federal information systems, except those related to national security. So even though the city government is a municipal government, not at the federal level, we are trying our best to maintain our security level at the federal standard. Second, we are also subject to PCI DSS, the Payment Card Industry Data Security Standard, which has the goal of managing the ongoing evolution of security around card payments and transactions. The city has a credit card payment environment, which requires us to maintain our compliance with PCI, and we are also considering the newest developments and updates released by the PCI. And also we are to adhere to and be compliant with HIPAA.
HIPAA, the Health Insurance Portability and Accountability Act, is to modernize the flow of healthcare information, stipulate that personally identifiable information maintained by the healthcare and health insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. So for NIST, it is to maintain a resilient city network compatible with the federal standard. Second, for PCI, it is to ensure a safe credit card transaction environment. And HIPAA is to ensure privacy and confidentiality, specifically of protected health information. In these times of pandemic, the city is also providing various services regarding COVID-19, and in that manner a lot of information is categorized as protected health information, so we should be compliant with HIPAA, which is a federal regulation. All of these are in consideration for the alignment of our revised version of the policy.

I believe this was quite helpful. Thank you for listening. I will answer questions as far as I can, and if you have any further questions or any kind of requests, please reach out to me; I am happy to reply. Thank you for listening.