New cybersecurity policy for Intercity Transit

Intercity Transit now has a formal cybersecurity plan, its chief information officer, Jason Aguero, reported to its board of directors on Wednesday, March 3.

According to the new policy, IT would allocate resources for cybersecurity, promote cybersecurity awareness among employees, and integrate cybersecurity into the job responsibilities of all employees. IT would also hold all employees accountable for the appropriate use of information systems and ensure that vendor supply chains also comply with cybersecurity standards.

The policy was signed by former General Manager Ann Freeman-Manzanares on February 15, 2023. Before the document was formally adopted, it underwent two years of reviews and edits.

The document was first drafted by in March 2021. The document also underwent legal review, which was completed in May 2022, before IT’s senior management team conducted its review, which was finalized in January this year.

With a cybersecurity plan in place, IT is now looking to implement a cybersecurity standards document, which Aguero explained would detail how they would implement their cybersecurity plan.

IT is also looking for a new cybersecurity program manager, with Aguero set to conduct the first round of interviews for the applicants this week. He added that they are working to acquire cybersecurity insurance, which he noted has been a lengthy process.

Cybersecurity reviews

Aguero also reported that IT underwent two evaluations to assess its cybersecurity system in 2021. The first review was conducted through the Nationwide Cybersecurity Review, which is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), a federal agency under the Department of Homeland Security (DHS). IT scored an average of 1.8 out of 7 on this assessment, which evaluated IT’s cybersecurity levels in five categories.

A score of 2 describes a state in which technologies could help achieve an organization’s cybersecurity objectives, but such processes are either undocumented or not formally adopted by senior management.

The second assessment was done through a cybersecurity risk assessment tool called Cyber Quotient Evaluation, which was developed by risk management firm Aon. Washington State Transit Insurance Pool (WSTIP) coordinated the project through a competitive arrangement. Aguero said the agency also awarded IT a $15,000 grant to follow through with Aon’s recommendations.

For this evaluation, IT received an average score of 1.9 out of 4, a score described as controls not being in place to manage threats.

Aguero noted that they did not have their cybersecurity plan in place yet when the two reviews were done, which explained why they could not score higher.

Local cybersecurity situation

Aguero laid out the local cybersecurity situation behind the adoption of the cybersecurity plan. With the pandemic requiring workplaces to shift to homes, IT had to reevaluate how they use technology and how they could better protect their data assets.

Aguero also highlighted the need to improve cybersecurity systems, quoting a 2022 report from the Office of the Attorney General which found that 4.5 million data breach notices were sent to Washingtonians in 2022 and 6.3 million notices the year before.

Closer to home, and more recently, there were two cybersecurity incidents in Pierce County. The News Tribune reported that a nearby agency, Pierce Transit, experienced a ransomware incident that temporarily disrupted agency systems in February. A Russian-based ransomware group called LockBit had accessed confidential data and demanded that Pierce Transit pay around $2 million for the return of the data. The incident had not compromised Pierce Transit’s operations, according to the news report.

In December 2022, the city of Lakewood also experienced a cybersecurity incident when another ransomware group called ALPHV claimed to have stolen 300GB of data from the city.
