Over the last 2 years, The City of Portland has rolled out a new-to-us control to protect city information from physical device theft or loss. This control meets requirements in our various compliance standards and is required in our policies.

The City of Portland must meet the following compliance standards:

• Payment Card Industry - Data Security Standard (PCI)
• Health Information Portability and Accountability Act (HIPAA or PHI)
• Criminal Justice Information Services (CJIS)
• State of Oregon Identity Protection Act (PII)
• City Information Security Policies 

Each of those have requirements to protect their information/data while it is "at rest" or stored on a computer system. Having Bitlocker on all workstations and laptops ensures the City meets requirements for each of the above standards. 

Ok, but what is it?

Bitlocker is a software product provided by Microsoft on all Windows 10 machines. Bitlocker encrypts the whole computer's storage device (hard drive). The only way to extract the information in a Bitlocker encrypted device is to decrypt it by supplying the Bitlocker key (which is done by the hardware device), then supply a valid username and password to the computer. 

Encryption is used to scramble the information such that no-one can read or use the information unless they know the secret key to decrypt the information first. Bitlocker ensures only authorized City employees can access the keys.

Other vendors have done the same thing within their systems. Some examples:

• Apple iPhones use built-in encryption as soon as you set a pin or pass-code to get into your device.
• Android phones use built-in encryption and must be turned on manually.
• Apple Mac computers have FileVault, Apple's version of BitLocker.
• The City's large storage solution, the SAN, provides encryption for all servers at the City.

Problems or Concerns?

What happens if the City loses the key? Well, the data is lost. This is one reason why BTS requires all data to be stored on servers and not workstations. If someone loses a workstation or laptop, the City does not want to lose City information.

The City has experienced a number of issues with BitLocker, where the system stops accessing the key and BTS has to manually intervene and sometimes replace the hardware. In these cases, there can be hours where the City user cannot access their computer or do work. BTS is working with Microsoft and our hardware vendor to resolve these issues.

Did you ever wonder what it would be like to have smart home? You could remotely change the temperature in your house, you could tell your lights to come on, or ask your refrigerator if you need to get milk at the grocery store, all from your smart home device or smartphone. You could play video games and access all your streaming services from one device, or know who is at your door from your connected doorbell.

The Internet of Things (IoT) is introducing these features into our homes by rapidly applying connectivity to everyday appliances and home features. As IoT devices become a part of our daily lives, and likely will become part of many more homes as holiday gifts, we need to take a look at the security risks and privacy concerns this smart technology introduces into our lives.

Personal Digital Assistants

Many people have a personal digital assistant like an Amazon Echo or Google Home. These devices analyze your past commands to try to anticipate your needs. These may also be linked to accounts used to purchase goods or services; make changes in your house such as turning off alarms, turning on the lights, or adjusting the temperature; or be linked to other accounts so they can tell you your schedule or read your email. Amazon Echo even has the ability to provide a pet-sitter with instructions, which is a give-away that you are not home.

Keeping these devices secure is especially important given that they may allow someone with access to the device to complete purchases using the owner’s accounts, identify key information, or find out more about you.

Smart Thermostats and Other Smart Home Devices

Many homeowners are beginning to opt for a digital thermostat that allows them to control the temperature in their home remotely using an app. While digital thermostats do come at a premium, the vendor also makes money on data it collects on usage and habits. Smart light bulbs and smart doorbells also allow for great levels of data collection by the manufacturer.

IoT manufacturers entice consumers with convenience and functionality by promising the world of the future through devices like those listed above. All the while, cybercriminals are finding that they can use these devices as pathways into your home network to steal your data and find out more about you. And yes, that includes using digital information to determine if the house is unoccupied and safe to rob.

Gaming Consoles

Sony PlayStation 4, Microsoft Xbox One, Nintendo Switch, and many other gaming consoles are in millions of homes across the United States. These devices rely on Internet connectivity to provide different forms of entertainment and include streaming video, interactive gaming, voice chat features, and apps that keep both the system and applications up-to-date. One major risk is that many gaming consoles require subscriptions and user accounts for accessing online content such as games and streaming services. This makes the console another device associated with an account that holds your personal and payment information for the purposes of renewing these subscriptions.

Here are a few tips to follow in building your smart home with IoT devices:

1. If you don’t need to connect a device to the Internet, don’t. If a device isn’t connected, it isn’t as big of a cybersecurity risk.
2. Isolate IoT devices from other devices on your network by creating a separate Wi-Fi network just for them. This protects your other devices if your connected IoT devices are compromised.
3. Research the privacy, security, and accessibility options that are available for customizing your device. You may find some options that provide greater security and privacy if you opt in. One example is that a device may offer multi-factor authentication (MFA) where you use your traditional password and username combination with the added step of receiving a verification code or providing a fingerprint through a scanner. If MFA is available, it’s worth using.
4. Always update your devices and apply patches when available. When selecting which IoT devices to purchase, ensure they offer patching and updates from the manufacturer to keep them up-to-date. Enable auto-updates on any IoT devices that support them.
5. Setup a separate unique, strong password for every device. Don’t share credentials across devices. 
6. Replace devices when they are no longer supported by the vendor, as security flaws will remain unpatched.
7. Turn off Universal Plug and Play if it is available on the device. You don’t want the device having this ease of connectivity with so little control.
8. When requested to provide information to use a device, do not provide personally identifiable information (PII), like Social Security Numbers and dates of birth. If you must share PII to use the device, you may want to consider a different make or model or keeping it off your home network.

Remember these tips over the holidays as you receive and give gifts. This will ensure you don’t give cybercriminals the holiday gift of your sensitive data!

 This October, National CyberSecurity Awareness Month is commemorating its 15^th year as an annual initiative to raise awareness about the importance of CyberSecurity. NCSAM 2018 is a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online, while increasing the resiliency of the Nation during cyber-threats. DHS is the federal, national lead for NCSAM. DHS also co-leads NCSAM with the National Cyber Security Alliance.

Focus Points for 2018:

• Week 1: Make Your Home a Haven for Online Safety

Every day, parents and caregivers teach kids basic safety practices ‒ like looking both ways before crossing the street and holding an adult’s hand in a crowded place. Easy-to-learn life lessons for online safety and privacy begin with parents leading the way. Learning good cybersecurity practices can also help set a strong foundation for a career in the industry. With family members using the internet to engage in social media, adjust the home thermostat or shop for the latest connected toy, it is vital to make certain that the entire household ‒ including children – learn to use the internet safely and responsibly and that networks and mobile devices are secure. Week 1 will underscore basic cybersecurity essentials the entire family can deploy to protect their homes against cyber threats.

• Week 2: Millions of Rewarding Jobs: Educating for a Career in CyberSecurity

A key risk to our economy and security continues to be the shortage of cybersecurity professionals to safeguard our ever-expanding cyber ecosystem. Raising the next generation of interested and capable cybersecurity professionals is a starting point to building stronger defenses. There are limitless opportunities to educate students of all ages – from high school into higher education and beyond – on the field of cybersecurity as they consider their options. In addition, veterans and individuals who are looking for a new career or re-entering the workforce, should explore the multitude of well-paying and rewarding jobs available. Week 2 will address ways to motivate parents, teachers and counselors to learn more about the field and how to best inspire students and others to seek highly fulfilling cybersecurity careers.

• Week 3: It’s Everyone’s Job to Ensure Online Safety at Work

When you are on the job – whether it’s at a corporate office, local restaurant, healthcare provider, academic institution or government agency ‒ your organization’s online safety and security are a responsibility we all share. And, as the lines between our work and daily lives become increasingly blurred, it is more important than ever to be certain that smart cybersecurity carries over between the two. Week 3 will focus on cybersecurity workforce education, training and awareness while emphasizing risk management, resistance and resilience. NCSA’s CyberSecure My Business™ will shed light on how small and medium-sized businesses can protect themselves, their employees and their customers against the most prevalent threats.

• Week 4: Safeguarding the Nation’s Critical Infrastructure

Overarching Theme

• CyberSecurity is our shared responsibility and we all must work together to improve our Nation's CyberSecurity

Key Messages

• Strengthen the Nation's CyberSecurity ecosystem
• CybeSecurity is a cross-cutting, cross-sector challenge, so we must tackle it together
• Increase and strengthen the CyberSecurity workforce across all sectors
• Secure critical infrastructure from cyber threats

For more information visit StaySafeOnline: https://staysafeonline.org/ncsam/

Why do I need Information Security and PCI training?

The scope of employee information security responsibility is increasing, becoming essential to sustaining and improving City services—and the preservation of City information resources. This training facilitates the City’s due care and diligence to meet several regulatory requirements and honor our custodial information security responsibilities.

I don’t use computers, why do I need to take this training?

Our number one defense against information theft and loss is you! Everyone is responsible for knowing and following our organization’s security policies and procedures.

When do I need to complete my training?

This module meets two requirements for the City, so there are two answers to this question:

1. If you process payment cards, then you must complete the training by 9/15/2018.
2. All other people must complete the training within the fiscal year, which ends on June 30^th each year.

How long will the training take?

The training is self-paced and can be completed within 40 minutes.

How do I take the training module?

The primary and preferred method is to use new CityLearner.

If you do not have access to CityLearner (example: contract employees), please contact Edith Brown in Information Security at x37059 or edith.brown@protlandoregon.gov.

I don’t have CityLearner access, how do I take the training?

If you do not have access to CityLearner (example: contract employees), please contact Edith Brown in Information Security at x37059 or edith.brown@protlandoregon.gov.

I don’t have access to a computer, how do I take the training?

If you do not have access to a computer (example: contract employees), please contact Edith Brown in Information Security at x37059 or edith.brown@protlandoregon.gov.

How does General Awareness help me in my job?

The scope of employee information security responsibility is increasing, becoming essential to sustaining and improving City services—and the preservation of City information resources.

What is PCI?

PCI stands for Payment Card Industry – Data Security Standard (PCI-DSS). All organizations that take payment with some form of credit card are required to have computer general awareness training.

Why combine general awareness and PCI into one training?

The PCI requirement for training is to have a General Security Awareness module. Since the goals of both PCI and our awareness effort are aligned, the training meets both requirements and is a good fit to produce only one training to rule them all. 

I don’t take payment cards (PCI), do I need to take the training?

Yes. General information Security Awareness is part of every job. 

“The scope of employee information security responsibility is increasing, becoming essential to sustaining and improving City services – and the preservation of City information resources…” -Serilda Summers-McGee

For more information please reference:

1. BHR Admin Rule 4.08 ß make this a link – newly simplified in 2018.
2. https://www.portlandoregon.gov/citycode/article/12209

I already have PCI training in my Bureau, do I need to take this training as well?

Yes. Employees in a bureau which has its own PCI training will continue with their bureau-specific PCI training for 2018 and will also have to complete the General Awareness + PCI training module by June 2019.

The scope of employee information security responsibility is increasing, becoming essential to sustaining and improving City services—and the preservation of City information resources. This training replaces the “Payment Card Industry (PCI) Security Standards” training for PCI-related roles and facilitates the City’s due care and diligence to meet several regulatory requirements while honoring our custodial information security responsibilities. 

The "General Awareness 2018 + PCI” training is now available through CityLearner. Employees with Payment Card Industry (PCI) roles must complete this training by September 15, 2018—in time to meet the City’s 2018 PCI compliance training requirement. Employees who do not have PCI-related roles must complete this annual training by June 30, 2019. Note, Parks and Recreation employees will continue with bureau-specific PCI training for 2018 and will complete General Awareness by the June 2019 deadline.

This CityLearner training takes about 40 minutes to complete, including a short quiz. Exemptions from this mandatory training can be negotiated through the BHR standard review process.

The City of Portland honors the trust extended to us by our communities and employees to preserve and protect the sensitive information we collect, store, and share. Through information security awareness training the City can ensure shared understanding of and compliance with applicable laws, reduce potential information risks and liability, and reinforce appropriate employee behavior when handling sensitive City information.

For more answers, see the FAQ.