A CISO's Perspective on How to Address New Federal and State Guidelines

Author:
Lars Schmekel, Chief Information Security Officer at Miami Dade County
LinkedIn:  https://www.linkedin.com/in/lars-schmekel-miami-dade-county/


FIU and DigitalEra Group recently hosted their sixth annual Secure Miami Conference on May 5th, 2022. Secure Miami brings the cybersecurity community together to address the latest security threats and strategies in a networking forum.

Robert Grillo, Vice President and Chief Information Officer at FIU, moderated the panel discussion on “Risk Management.” Read this blog post to learn what panelist Lars Schmekel, Chief Information Security Officer at Miami Dade County, had to say regarding new federal and state guidelines being enforced and how to address them.

Robert Grillo:
Lars and I have a similarity in our footprint; we're both quasi-government. [Miami Dade County] is more government than [FIU], but we basically both have a board of governors and directors at the state level that really manages institutions and universities. What are some of the new state and federal guidelines that are putting pressure on us? And how are we addressing that? What is being more required of us, and how do we figure out where do we get the investments in order to do those things?

Lars Schmekel:
So, from the county perspective, there are a number of laws, both at the federal level, and at the state level that are being enacted and that are going to impact county operations and operations within the educational systems. The federal government has mandated that critical infrastructure providers, as defined by the federal government, will have reporting and compliance requirements for themselves and for contractors that are providing services there.

So, in essence, they're going to say that if you have a significant cyber incident, you will have to report that within 72 hours to CISA. There are also going to be other requirements regarding protections and making sure that you have auditability and accountability on your systems at the state level. The state just recently passed some legislation that gives additional powers to the state, specifically for the state, local, territorial, and tribal entities. And that's around governance, reporting, and incident response.

In that case, there will be a requirement for reporting within 72 hours; ransomware within 24. You'll need to report incidents to the state computing infrastructure arm, as well as the Florida Department of Law Enforcement. So we will be reporting to CISA as well as the local Sheriff's office.

Interestingly enough, in that piece of legislation, there's also a prohibition against local governments from paying ransoms. So we'll see how that shakes out. There may be some conversations that our attorneys have because if we don't pay the ransom, but our cyber insurance pays it, does that mean we are paying the ransom or not?



About DigitalEra

DigitalEra is a leading solution provider of network and cybersecurity products and services, serving major business, education and governmental agencies throughout the US. In addition to access to the most sophisticated and effective security products, DigitalEra provides expert guidance on use as well as ongoing security counsel and insights that help their clients prevent security breaches and mitigate threats. For more information, visit: www.digitaleragroup.com.
