County Cyber Security

The Colorado Department of Health Care Policy & Financing (HCPF), in partnership with the Governor's Office of Information Technology (OIT) and the Colorado Department of Human Services (CDHS), is working toward the goal of standardizing cyber security measures for human services agencies across the State of Colorado. To accomplish this goal, the Department continues to work with county partners, CDHS and OIT on adherence to data security and privacy best practices and on compliance with the Colorado Information Security Policies (CISPs) and the federal Health and Human Services Security Risk Assessment.

State Fiscal Year 2021-22: Remediation Efforts

Reference Documents

Deliverable Submission

PLEASE READ OM 21-077 FOR MORE DETAIL. 

For Option 2 counties, deliverables to be submitted for review and approval by the Department to earn Cybersecurity Incentive funds are:

Both deliverables must be submitted and approved to earn the Cybersecurity Incentive.

For Option 3 counties, deliverables to be submitted for review and approval by the Department to earn Cybersecurity Incentive funds are:

  • Contingency Plan
  • Incident Response Plan
  • System Security Plan

All three deliverables must be submitted and approved to earn the Cybersecurity Incentive.

Counties with HCPF Cybersecurity Grants

For counties that have cybersecurity grants provided by HCPF for FY 2021-22, the county cannot code work performed by the grantee or the contractor to create the policies listed in this memo to the CFMS code for the HCPF County Grant and thereby earn the Cybersecurity Incentive.

County Cyber Security Frequently Asked Questions

The Department will regularly update frequently asked questions on cyber security policy, the FY 2020-21 Risk Assessment and Remediation Plan deliverable, and other cyber security-related topics.


Frequently Asked Questions

What must counties do to achieve the Cyber Security Incentive for FY 2020-21?

Counties must answer every question on their Risk Assessment and Remediation Plan Deliverable and must provide details in the "County Response" section for all "No" answers. However, the remediation plans do not need to be implemented to achieve the incentive this year. The deliverable is due on July 5, 2021.

Where do I find the deliverable template?

Each county will have this fiscal year's deliverable sent directly to their county human/social services director, secondary director, and any contacts as requested by county leadership. There is no general Option 2 or Option 3 template for FY 2020-21. Each county will have their own deliverable with the responses from last fiscal year included.

What should I put in the Remediation Plan section?

If your county answers "No" to any of the policy questions, the county shall fill out each column of the corresponding remediation section under County Responses.

Information should include:

Policy Remediation Status: Where in the process is your county in working towards meeting this policy requirement?
  • Not Yet Started
  • Started
  • In Progress
  • On Hold
  • Finished

Estimated Completion Date: What date (approximately) do you anticipate your county could meet this policy requirement?

Milestones with Estimated Timeline: What major milestones would your county need to complete in order to meet this policy requirement?
  • Examples could include training, policy clarification, hiring a contractor, purchasing materials, writing a standard operating procedure, changing a business process, etc.

Compensating Controls: What is your county doing unofficially to address the policy requirement until processes are in place to officially meet the policy requirement?

Comments: Any additional context that is needed.

This questionnaire is a high-level security assessment based on controls required under HIPAA and the CISPs. Organizations may need to perform security assessments against controls not covered by this high-level assessment in order to ensure that they are addressing security throughout their environment.

What is the difference between a security assessment and a security training?

A security assessment is the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating effectively, and meeting the security requirements for an information system or an organization.

Security training is focused on providing workers with an overview of their responsibilities with regard to a broad range of topics such as data handling, appropriate use of systems, physical security requirements, identifying and reporting security incidents, protecting against social engineering attacks, etc.

Do counties have to supply evidence of policies/procedures?

Counties do not need to turn in artifacts proving compliance with the questions asked in the Risk Assessment and Remediation Plan deliverable. However, if the county indicates that they do have a certain policy or procedure, the state may request to view it at a future date.

In the "Policy Requirement" section, who does Business Owner refer to?

Business Owner refers to the entity that is authorized to make decisions regarding a system or IT service. In the context of the Risk Assessment and Remediation Plan, the Business Owner depends on context. When the county is answering questions regarding access to and use of state systems and state data, the Business Owner is the state agency associated with the system; for example, for CBMS the Business Owner is HCPF and CDHS, and for CHATS, Trails, ACSES, etc. the Business Owner is CDHS. When the county is answering questions specific to its own county-provided Local Area Network, IT services, and/or workflow management system, the county is the Business Owner.

What are Compensating Controls?

A Compensating Control is defined as a security control implemented when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.

In this context, Compensating Controls are any steps your county is taking to informally meet the policy requirement until an official business process change, written policy, security procedure, or other milestone is completed to formally meet the policy requirement. For example, if your county is not currently requiring every staff person with access to a state system to annually re-read and re-sign the appropriate acceptable use policy or policies, a compensating control would be a staff meeting to verbally review the acceptable use policy or policies relevant to that team's use of a state system.

If I don't know the answer to a question, what should I do?

If your county has a question about any of the policies included in the Risk Assessment and Remediation Plan deliverable, the question can be emailed to HCPFCountyRelations@state.co.us. It is also recommended that county staff consult with any IT team members employed by the county, if available. Additionally, the Department will send information to county partners on Cyber Security Incentive support calls, where there will be an opportunity to ask specific questions.

How do I answer (yes or no) if there are multiple questions with different answers?

If the county would answer "No" to any portion of a question, the county should answer "No" to the entire question. Clarification can be provided in the County Responses section.

If I am an Option 2 county, how do I know what is Istonish's responsibility and what is a county responsibility?

Each question included on this Risk Assessment and Remediation Plan deliverable has been vetted by a team made up of HCPF, CDHS, and OIT, including Istonish's contract manager. No questions that would fall solely under Istonish's purview are included on the deliverable.

If the county has a question about how a certain policy requirement applies to them, the county can reach out to HCPFCountyRelations@state.co.us or attend a Cyber Security Incentive support call.

What are rules of behavior?

Rules of behavior are rules that describe to users their responsibilities and expected behavior with regard to information and information system usage. Organizations should consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users.

What is a notice of last login?

Notice of last login is a message displayed to a user upon logging into the system that shows the date and time of their last login. The intent is to provide a mechanism for users to verify that their credentials have not been used by someone else to gain access to the system. Users who notice a discrepancy should immediately report it through the organization's incident response process.

What is a security assessment?

A security assessment is the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating effectively, and meeting the security requirements for an information system or an organization.

Questions? Contact HCPFCountyRelations@state.co.us