The Ohio Cyber Collaboration Committee
To strengthen cybersecurity in Ohio at the request of Gov. John Kasich, the Ohio National Guard has brought together more than 30 public, private, military and educational organizations to form the Ohio Cyber Collaboration Committee (OC3). The OC3 mission is to provide a collaborative environment to develop a stronger cybersecurity infrastructure and workforce.
OC3 has established four subcommittees to help it achieve its primary goals:
- Charter, Governance & Public Awareness;
- Education & Workforce Development;
- Cyber Range;
- Cyber Protection & Preparedness.
The committees are composed of Ohioans with a wide range of cyber and educational expertise dedicated to making Ohio a leader in the public-private partnership approach to cybersecurity.
Risk Assessment (RA) to Cyber Security Framework (CSF) to SB220 Safe Harbor
On August 3, 2018, Ohio Governor Kasich signed SB 220, the Ohio Data Protection Act (commonly called the Safe Harbor bill), into law. The law does not grant immunity; it gives a company an affirmative defense against tort claims alleging that a data breach resulted from inadequate security controls, provided the company implements and maintains a written cybersecurity program that reasonably conforms to an industry-recognized framework such as the NIST Cyber Security Framework (CSF).
TechR2® serves on the Ohio Cyber Collaboration Committee (OC3), the alliance of public, private, military and educational organizations described above, whose initiative is to provide a cooperative environment for developing a stronger cybersecurity infrastructure and workforce.
ISO-certified TechR2® has developed a Risk Assessment program, built on ISO 27001 and aligned with ISO 31000, that can help Ohio companies implement and maintain a program that follows the NIST Cyber Security Framework (CSF). TechR2® manufactures data security systems and provides data destruction, data wiping and secure data transport services for IBM globally.
An Ohio company can join the initiative by attending a working seminar in which TechR2® leads you through the Risk Assessment process and brings you up to date on the regulations that are binding on your organization.
Threat Announcement - 2019 Industry Weaknesses
2019 Across the Industry Findings – Security
- Organizations allow physical data bearing devices to be processed offsite and outside their control, in direct violation of federal, state and industry regulations.
- Work on data bearing equipment is not done in a secure datacenter or enterprise workspace under the control of the organization that owns the data.
- Enterprise offices have only a fraction of the physical and access security of the datacenter, and are therefore vulnerable to compromise.
- Third-party sub-contractors do not hold the information security credentials required by law or industry standard. They rely on weak industry certifications instead of having their program assessed against a Cyber Security Framework (CSF).
- Third-party providers sub-contract the work to another company. The next-level provider has no data security credentials and has not been approved by the customer.
- Co-location datacenters allow computer technicians to leave without any physical security check, and they are often carrying data bearing devices with them.
- Company datacenters on the whole do not properly contain data bearing devices (DBDs). Most often the devices are left loose in boxes, in desks or on shelves rather than in a locked, inventoried container.
2019 Across the Industry Findings – Management
- No written plan or budget covering storage servers and devices from procurement to disposal (cradle to grave).
- Lack of budget to perform proper data security. In many cases unskilled personnel and unverified software are used to produce a check-the-box result.
- Existing policies are outdated, compliance and risk managers are ill-advised, and procedures are out of date.
- Senior data engineers and security managers are not present to verify critical data handling.
- Software and hardware in use do not conform to Cyber Security Framework guidelines. Wiping software fails to remove the data: files are recovered afterward with commodity recovery software.
2019 Across the Industry Findings – Skill
- OEM maintenance contracts do not comply with current NIST guidelines or GDPR requirements. Data is sent out on equipment to non-compliant OEMs as part of those contracts, and the OEMs in turn use non-compliant sub-contractors.
- Data is not tracked to the standard regulations require, and Data Bearing Devices (DBDs) are not tracked once removed from the host system. Only a few datacenters nationwide keep an accurate, up-to-date inventory of critical data bearing equipment and devices.
- Organizations have internal procedures and policies that allow them to bypass US NIST and other industry standards. Critical data procedures are contrived and are never verified.
2019 Across the Industry Findings – Training
- A single operator handles the data with no second person acting as verifier.
- The organization has no verification method to confirm that data bearing devices have actually been sanitized.
- Lack of training for professionals who interact with data; certification documents are missing or out of date.
- Inadequate data migration and data eradication techniques. Too many companies rely on incomplete encryption or on factory reset procedures, which typically clear only the file system index and leave the data recoverable from the DBD by a professional.
- Machines used in the datacenter or enterprise lack UL or CSA certification or validation documentation.
- Individuals with security credentials are forced to compromise their security training in order to comply with local policies.
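Several of the findings above (wiping software that leaves recoverable files, factory resets that only clear the index, no verifier and no verification method) are failure modes that a read-back check catches. The following Python is an added example, not code from TechR2®, OC3 or this page: it verifies a device image against the overwrite pattern the wipe tool claims to have written, carves for common file headers the way a recovery tool would, and produces a two-person sign-off record of the kind NIST SP 800-88 verification calls for. The device images, serial number, signature table and person names are constructed for the example.

```python
"""Read-back verification of a sanitized data-bearing device (DBD).

Added example, not TechR2, OC3 or page code: compares a raw device image with
the overwrite pattern the wipe tool claims to have written, carves for
well-known file headers, and records a two-person sign-off. The images below
are constructed in memory; on a real DBD you would read the block device
itself, read-only, after the wipe tool reports success.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

SECTOR = 512

# Headers a commodity recovery tool carves for (constructed, non-exhaustive).
SIGNATURES = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\xff\xd8\xff\xe0": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}


@dataclass
class WipeReport:
    device_serial: str
    image_sha256: str
    sectors_total: int
    sectors_checked: int
    sectors_nonconforming: int
    signatures: list[tuple[int, str]] = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return self.sectors_nonconforming == 0 and not self.signatures


def carve_signatures(image: bytes) -> list[tuple[int, str]]:
    """Return (byte offset, type) for every known file header in the image."""
    hits: list[tuple[int, str]] = []
    for magic, name in SIGNATURES.items():
        start = 0
        while (pos := image.find(magic, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def verify_wipe(serial: str, image: bytes, pattern: bytes = b"\x00",
                stride: int = 1) -> WipeReport:
    """Read-back check: every sector (stride=1) or every Nth sector (sampled,
    as SP 800-88 permits) must equal the overwrite pattern the tool reported.
    Carving always covers the whole image, so sampling cannot hide a file."""
    if not pattern or len(image) % SECTOR:
        raise ValueError("need a non-empty pattern and a whole number of sectors")
    expected = (pattern * (SECTOR // len(pattern) + 1))[:SECTOR]
    total = len(image) // SECTOR
    checked = bad = 0
    for i in range(0, total, stride):
        checked += 1
        if image[i * SECTOR:(i + 1) * SECTOR] != expected:
            bad += 1
    return WipeReport(serial, hashlib.sha256(image).hexdigest(), total, checked,
                      bad, carve_signatures(image))


def sign_off(report: WipeReport, operator: str, verifier: str) -> dict:
    """Two-person record for the asset log; refuses a self-verified wipe."""
    if operator == verifier:
        raise ValueError("verifier must be a different person from the operator")
    return {"serial": report.device_serial, "image_sha256": report.image_sha256,
            "operator": operator, "verifier": verifier, "passed": report.passed,
            "nonconforming_sectors": report.sectors_nonconforming,
            "carved": report.signatures}


def build_image(sectors: dict[int, bytes], n_sectors: int = 16,
                fill: bytes = b"\x00") -> bytes:
    """Constructed test image: n_sectors of a 1-byte fill, some sectors overwritten."""
    buf = bytearray(fill * (SECTOR * n_sectors // len(fill)))
    for idx, content in sectors.items():
        buf[idx * SECTOR:(idx + 1) * SECTOR] = content.ljust(SECTOR, fill)[:SECTOR]
    return bytes(buf)


# A "factory reset" that cleared only the directory area and left the file
# body in sectors 5-6: the classic recoverable-after-reset case (constructed).
RESET_IMAGE = build_image({
    5: b"%PDF-1.4\n% payroll_export_Q3 (constructed sample data)\n",
    6: b"stream ... account numbers ... endstream\n",
})
ZERO_WIPED = build_image({})                 # every sector overwritten with 0x00
ONES_WIPED = build_image({}, fill=b"\xff")   # tool actually wrote a 0xFF pass

if __name__ == "__main__":
    for name, img, pat in (("reset", RESET_IMAGE, b"\x00"),
                           ("zero-wipe", ZERO_WIPED, b"\x00"),
                           ("ff-wipe vs 0x00", ONES_WIPED, b"\x00"),
                           ("ff-wipe vs 0xFF", ONES_WIPED, b"\xff")):
        rep = verify_wipe("SN-TEST-0001", img, pattern=pat)
        print(f"{name:16} passed={rep.passed} bad={rep.sectors_nonconforming} "
              f"carved={rep.signatures}")
```

On a real drive, replace the constructed images with the block device opened read-only after the wipe tool reports success, and pass the pattern the tool's log states it wrote; the 0xFF case shows that verifying against the wrong pattern fails a good wipe just as a reset passes a bad one. A sampled run with a large stride can miss the two sectors that still hold the file, which is why the header carve runs over the whole image regardless. Random-pattern overwrites and cryptographic erase cannot be confirmed by pattern comparison at all; for those you rely on the absence of carved structure plus the drive's own sanitize status.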