State Government CybersecurityEnterprise Cybersecurity and Risk Management Program
In the State of Tennessee, cybersecurity is largely managed at the enterprise level. The Department of Finance and Administration houses the state's highly centralized information technology (IT) division, Strategic Technology Solutions (STS). The STS Cybersecurity and Risk Management program is run by the Chief Information Security Officer (CISO), under the guidance of the state's Chief Information Officer (CIO). This encompassing program includes governance of security, policy, compliance, vulnerability management, disaster recovery, security awareness and incident & response:
- STS developed overarching Enterprise Information Security Policies that set minimum security controls that every state department must adhere to. The STS Enterprise Information Security Policy can be viewed here.
- STS also works with departments where there is need to develop deeper levels of security policy specific to unique functions.
- The state processes and stores a significant amount of sensitive data including federally regulated data such as Personally Identifiable Information (PII), Protected Health Information (PHI), Federal Tax Information (FTI), etc. STS complies with information security controls defined in state and federal policies.
- STS works with state departments to make sure they meet the security controls. STS leverages a governance risk and compliance tool to assist in that area. All weaknesses are tracked and mitigated.
- Both Data Centers are SOC2 Type2 compliant and the certification is renewed annually.
- The state has a large Information Technology footprint consisting of thousands of servers. In order for those servers to stay secure the state must have a strong vulnerability management program. The STS Security Team does vulnerability scans on every server in both data centers regularly. Vulnerabilities are tracked in a governance risk and compliance tool and worked until the risk is mitigated.
- STS has established a procedure around solution development. All solutions have a security application assessment performed before the solution can be released to production.
- After solutions are released to production, an annual assessment and penetration testing are done on all Internet facing applications by a third-party security company.
- Multiple risk assessments throughout the year are performed and the state participates in the National Cyber Security Review (NSCR), which is based on the National Institute of Standards and Technology Cyber Security Framework (NIST CSF) and is sponsored by the Department of Homeland Security and the Multi-State Sharing and Analysis Center (MS-ISAC).
- The State of Tennessee has two data centers. Our primary data center houses most of our production data and a secondary data center is used for disaster recovery. Each data center is built for high availability.
- STS disaster recovery team works with the departments’ business and IT staff to perform Business Impact Analysis (BIA) and perform disaster recovery testing on a recurring basis.
- All state employees are required to take annual Cyber Security awareness training.
- Unannounced Phishing exercises are performed multiple times a year to gauge the effectiveness of the awareness training.
- Monthly Cybersecurity newsletters are sent to all state employees keeping them aware of emerging threats.
- Quarterly security meetings and workshops are held, and all departments are encouraged to attend.
- STS runs a 24/7/365 Customer Care Center and Security Operations Center.
- Tennessee's Department of Treasury holds the cyber insurance policy for the State of Tennessee.
- In 2019, the Tennessee Department of Treasury’s Risk Management program requested that all state departments have a Cyber Incident Response Plan (CIRP).
- In partnership, STS developed a comprehensive plan and worked directly with 52 state departments and organizations on development of their CIRPs.
- With the support of the new administration, an enterprise Cybersecurity Advisory Council was formed in September of 2019.
- The Tennessee Cybersecurity Advisory Council is co-chaired by the Governor’s Chief Operating Officer (COO) and the state's Chief Information Officer (CIO).
- Its membership is comprised of representatives from all branches of state government, and STS serves as staff to the Council.
The areas above summarize the state's investment in the appropriate tools, technologies and education that protect state data. These tools and enterprise practices help mitigate cyber threats to the state's network's and environment. The Governor's Office, the Constitutional Officers and the Tennessee General Assembly continue to be supportive of the investments required to continue to enhance Tennnesee's cybersecurity posture.