QUESTION
How often are audits conducted to review cybersecurity compliance and posture of city agencies?
1:18:08
·
114 sec
Kelly Moan explains that NYC Cyber Command routinely conducts audits and assessments to understand the cybersecurity landscape and maturity of city agencies.
- Audits and assessments are used to identify weaknesses or areas for improvement
- Findings are incorporated into collaborative roadmaps developed with agencies
- Agencies then implement prioritized remediation and mitigation work streams based on the roadmaps
Joann Ariola
1:18:08
And according to the citywide cybersecurity inventory policy, which is applicable to all systems that connect to a city owned network, Cyber Command must audit covered organizations for compliance and notify the first deputy mayor if it finds it on compliance.
1:18:23
The policy further states that command may conduct periodic audits to review a system's cybersecurity and related information How many times have you carried out this audit, and how many times did you report noncompliance in the last 2 years if you have that information?
Kelly Moan
1:18:41
While I can't go into the particular specifics given the public nature of this hearing, I am also happy to offer a follow-up in particular for that question.
1:18:52
We routinely engage any any method really, including audits and assessments to understand evolving cyber landscape and posture of our city agencies, including their journey in maturation.
1:19:06
Right?
1:19:08
As I mentioned before, our agencies span from, you know, smaller to larger agencies and also in complex and so making sure that we're partnering with them to engage and promote cyber maturity and enhancements at the agency is paramount, which is why we have a cyber road mapping process that actually takes into account any findings or weaknesses that we've identified or third parties have identified that can be improved.
1:19:38
And we implement those into our collaborative road maps that we work with agencies to develop.
1:19:45
So then they implement those those remediations or mitigations as a prioritized work stream.
Joann Ariola
1:19:53
Okay.
1:19:53
And just if you could anything that you cannot share here today publicly, you share with our chair in private so she can share with the rest of the community.
1:20:01
Thank you.
1:20:01
Alright.
