QUESTION
How does NYC Cyber Command ensure agencies comply with cybersecurity policies and protocols?
1:21:30 · 113 sec
The council member asks how NYC Cyber Command ensures city agencies comply with established cybersecurity policies and protocols.
- The chief information security officer explains there are escalation procedures and timeframes for remediation in place.
- This allows balancing security needs with operational requirements.
- Procedures build agencies' ability to quickly address vulnerabilities like zero-day threats.
- Zero-day vulnerabilities are disclosed without an available security fix.
- The goal is developing agencies' capacity for swift remediation when emergencies arise.
Jennifer Gutiérrez
1:21:30
I wanted to ask about just city wide policies and protocols.
1:21:38
In 2020, a local law passed that requires New York City Cyber Command to ensure compliance with policies established with a Cyber Command.
1:21:48
How do you all ensure that agencies comply with those policies and protocols?
Kelly Moan
1:21:53
Thank you for that question.
1:21:54
As part of any cybersecurity program, both compliance and noncompliance are taken into consideration.
1:22:02
As folks continue to promote and use new and emerging technology, we have escalation procedures in place
Sharon Brown
1:22:10
Mhmm.
Kelly Moan
1:22:11
And time frames for remediation that are leveraged to ensure that there is a balance of both security and business operations.
1:22:21
We do have an understanding that no system is a 100% here because we have users.
1:22:25
Right?
1:22:26
We need to be able to operate on a device.
1:22:28
And so making sure that we're escalating, leveraging those procedures, should we see a noncompliance matter?
1:22:35
Or should we see, for example, we've last year alone, we saw we continue to see in the industry tree, a large omnipresence of zero-day vulnerabilities.
1:22:45
Mhmm.
1:22:46
And for the public that might be listening, zero-day is a vulnerability that's disclosed without a fix, without a security update available.
1:22:57
And so we have procedures in place with time frames for remediation for a reason.
1:23:02
We wanna build the muscle and the dexterity of agencies to be able to fix things fast.
1:23:07
So that if we see an emerging or an emergency vulnerability like a zero-day come out, we're able to effect that change even faster because we have appropriate processes in place and the agency has that muscle to then go out and do the things that we're asking them to do.
Jennifer Gutiérrez
1:23:23
In the instance of a zero-day scenario, which as I understand is it's a little bit more specific than like a full on or different than like a full on data breach.