Department leadership and managers are responsible for establishing a “tone from the top” and assigning appropriate staff to ensure that cybersecurity internal controls are developed, tested, and updated, and that all employees are trained on them periodically, to prevent business interruption and data or financial loss caused by cyber incidents.
Enterprise Security Standards are now included as part of a department’s Internal Controls and have compliance responsibilities at all levels of the organization.
Tone from the Top – Cybersecurity is a top priority
Cybersecurity compliance is not solely an “IT” or technology function, but a series of controls, operations, procedures, and training that apply to all employees at all levels of a department.
Assign Key Staff to Ensure Cybersecurity Compliance
As part of cybersecurity preparedness, leadership and managers must assign appropriate staff at all levels of the organization to ensure compliance with the required cybersecurity and data protection internal controls.
Cybersecurity internal controls require collaboration across the organization, including IT, HR, Legal, Policy, Fiscal, Budget, Payroll, Program, and Operations staff, and extend to any contractor or third party supporting operations.
Ransomware is now one of the biggest threats to both businesses and private citizens. This guidance can assist with preventing and mitigating ransomware attacks.
Internal Controls Policy
Internal Controls should be updated to address ransomware, including performing risk assessments, adding internal controls, and updating Incident Response, Business Continuity, and Disaster Recovery Plans.
CISA offers several free scanning and testing services to help organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size can find ways to reduce their risk and mitigate attack vectors.
For compliance services, departments are required to use Statewide Contract PRF73DesignatedCTR – Payment Data & Payment Card Industry (PCI) Compliance Services Statewide Contract. (Updated: December 30, 2020)
Health Care Privacy (HIPAA)
Health Insurance Portability & Accountability Act (HIPAA) 1996
A national standard for the security of electronic health information, including the protection of individually identifiable health information, the rights granted to individuals, breach notification requirements, and the role of the Office for Civil Rights.