Case Study – Cyber Security in Local Government

Background

Our client is a large inner-city Municipal Council and is required to apply government mandated cyber security best practice, specified in the Victorian Protective Data Security Standards (VPDSS).

Compliance with these standards is measured by means of plan that each council must submit to the Office of the Victorian Information Commissioner (OVIC). This Protective Data Security Plan (PDSP) takes the form of a self-assessment and declaration of compliance. The Federal Government highlighted a more concerning cyber risk profile where sophisticated, state sponsored cyber-attacks against all levels of government are now being conducted representing a heightened threat situation requiring increased cyber security diligence at all levels of industry and government.

Like many organisations, our client may be a target of such criminal cyber-attacks and required a level of readiness to defend against any possible compromise of systems or sensitive data.

The client need

Our client understood the risks linked to a compromise is normally expressed as a cyber security attack surface which represent the number of methods attackers can use to gain access to internal systems. Our client required a reduction of the attack surface to be achieved by implementing various initiatives including a Cyber Security Framework, Governance and Operating Model.

Our approach

Our approach recognised the effectiveness of cyber defence is determined by the way an organisation changes its behaviour and ways of working in accordance with Cyber Security Governance and Operating Model. Based on DFP’s cyber security reference model, our client’s cyber capabilities were assessed for maturity and fit to purpose.  Additionally, a range of key risks were identified. This led to an initial program of technology hardening which DFP guided our client on.

The outcome

During the first phase of technology hardening, a major otherwise undetected cyber breach was found.  The breach was so severe that a decision was taken to shut all network access and lock down systems and data until the breadth of impact could be more accurately assessed.  DFP worked with the CEO and executive team on devising a plan assess and remediate which also involved handling mainstream media including TV. By leveraging DFP’s deep cyber analysis and technology and data management expertise, the impact of the vulnerabilities was removed and a systemic network and systems re-architecture program fast tracked.

The outcome was a stable and risk managed technology environment which had wide scale undetected vulnerabilities removed.  DFP continues to provide cyber security monitoring and advice to assist the council with continuous strengthening and risk reduction.