The Colorado Department of Health Care Policy & Financing (HCPF), in partnership with the Governor’s Office of Information Technology (OIT) and the Colorado Department of Human Services (CDHS), is working toward the goal of standardizing cyber security measures for human services agencies across the State of Colorado. To accomplish this goal, the Department continues to work with county partners, CDHS and OIT on adherence to data security and privacy best practices and compliance with the Colorado Information Security Policies (CISPs) and the federal Health and Human Services Security Risk Assessment.
State Fiscal Year 2020-21: Cyber Security Risk Assessment & Remediation Plan Deliverable
To move towards statewide compliance with the CISPs and data privacy, a baseline measurement of current cyber security and data privacy practices is needed. The measurement will be completed in increments through a Risk Assessment and Remediation Plan deliverable. For the FY 2020-21 Cyber Security Incentive, this deliverable is due on July 5, 2021.
The Department scheduled one support meeting per quarter for option 3 counties to ask questions and discuss the deliverable with HCPF, OIT, and CDHS. To be added to these meetings, contact HCPFCountyRelations@state.co.us.
Dates and times of these meetings are as follows:
Option 2 County Cyber Security Incentive Support
The Department scheduled one support session per quarter per region listed below. These support calls are meant to be working sessions for option 2 counties to fill out the sections described below, ask questions, and take note of items for follow up.
Metro counties include Clear Creek and Gilpin Counties.
County Cyber Security Frequently Asked Questions
The Department will regularly update frequently asked questions on cyber security policy, the FY 2020-21 Risk Assessment & Remediation Plan deliverable, and other cyber security-related topics.
What must counties do to achieve the Cyber Security Incentive for FY 2020-21?
Counties must answer every question on their Risk Assessment and Remediation Plan Deliverable and must provide details in the "County Response" section for all "No" answers. However, the remediation plans don’t need to be implemented to achieve the incentive this year. The deliverable is due on July 5, 2021.
Where do I find the deliverable template?
Each county will have this fiscal year’s deliverable sent directly to their county human/social services director, secondary director, and any contacts as requested by county leadership. There is no general Option 2 or Option 3 template for FY 2020-21. Each county will have their own deliverable with the responses from last fiscal year included.
What should I put in the Remediation Plan section?
If your county answers “no” on any of the policy questions, it shall fill out each column of the corresponding remediation section under “county responses.”
Information should include:
Do counties have to supply evidence of policies/procedures?
Counties do not need to turn in artifacts proving compliance with the questions asked in the Risk Assessment and Remediation Plan deliverable. However, if the county indicates that they do have a certain policy or procedure, the state may request to view it at a future date.
In the "Policy Requirement" section, who does “Business Owner” refer to?
Business Owner refers to the entity that is authorized to make decisions regarding a system or IT service. In the context of the Risk Assessment and Remediation Plan, who the Business Owner is depends on the question. When the county is answering questions regarding access to and use of state systems and state data, the Business Owner is the state agency associated with the system; i.e., for CBMS the Business Owner is HCPF and CDHS, and for CHATS, Trails, ACSES, etc. the Business Owner is CDHS. When the county is answering questions specific to its own county-provided Local Area Network, IT services, and/or workflow management system, the county is the Business Owner.
What are Compensating Controls?
A Compensating Control is defined as a security control implemented when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.
In this context, Compensating Controls are any steps your county is taking to informally meet the policy requirement until an official business process change, written policy, security procedure, or other milestone is completed to formally meet the policy requirement. For example, if your county is not currently requiring every staff person with access to a state system to annually re-read and re-sign the appropriate acceptable use policy/policies, a compensating control would be a staff meeting to verbally review the acceptable use policy/policies relevant to that team’s use of a state system.
If I don’t know the answer to a question, what should I do?
If your county has a question about any of the policies included in the Risk Assessment & Remediation Plan deliverable, questions can be emailed to HCPFCountyRelations@state.co.us. It is also recommended that county staff consult with any IT team members employed by the county, if available. Additionally, the Department will send information to county partners on Cyber Security Incentive support calls, where there will be an opportunity to ask specific questions.
How do I answer (yes or no) if there are multiple questions with different answers?
If the county would answer “no” to any portion of a question, the county should answer “no” to the entire question. Clarification can be provided in the county responses section.
If I am an Option 2 county, how do I know what is Istonish’s responsibility and what is a county responsibility?
Each question included on this Risk Assessment & Remediation Plan deliverable has been vetted by a team made up of HCPF, CDHS, and OIT, including Istonish’s contract manager. No questions that would fall solely under Istonish’s purview are included on the deliverable.
If the county has a question about how a certain policy requirement applies to them, the county can reach out to HCPFCountyRelations@state.co.us or attend a Cyber Security Incentive support call.
What are rules of behavior?
Rules of behavior are rules that describe to users their responsibilities and expected behavior with regard to information and information system usage. Organizations should consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users.
What is a notice of last login?
Notice of last login is a message displayed to a user upon logging into the system that shows the date and time of their last login. The intent is to provide a mechanism for users to verify that their credentials haven’t been used by someone else to gain access to the system. Users that notice a discrepancy should immediately report it through the organization’s incident response process.
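The following is an added illustration (not code from HCPF, OIT, or any state system) of how an application can implement the notice described above. It goes slightly beyond the answer by also reporting the number of failed attempts since the last successful login, which gives the user a second signal that someone else may have been trying their credentials. The in-memory store, usernames, and addresses are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class LoginRecord:
    """What the system remembers about an account between logins."""
    last_success: Optional[datetime] = None   # time of the previous successful login
    last_source: Optional[str] = None         # where that login came from
    failed_since_last: int = 0                # failed attempts since that login


class LastLoginTracker:
    """Tracks per-user login history and builds the notice shown after login.

    Constructed in-memory stand-in for a database table; a real deployment
    would persist these records alongside the account."""

    def __init__(self) -> None:
        self._records: Dict[str, LoginRecord] = {}

    def record_failure(self, user: str) -> None:
        # Called when a password/MFA check fails; counts toward the next notice.
        self._records.setdefault(user, LoginRecord()).failed_since_last += 1

    def record_success(self, user: str, source: str, now: datetime) -> str:
        """Call only after authentication has already succeeded.
        Returns the notice to display, then rotates the stored record."""
        rec = self._records.setdefault(user, LoginRecord())
        if rec.last_success is None:
            notice = "This is the first recorded login for this account."
        else:
            notice = (f"Last successful login: {rec.last_success:%Y-%m-%d %H:%M %Z} "
                      f"from {rec.last_source}.")
        if rec.failed_since_last:
            notice += f" {rec.failed_since_last} failed attempt(s) since then."
        # Mirrors the FAQ guidance: a discrepancy must be reported, not ignored.
        notice += " If this was not you, report it through the incident response process."
        self._records[user] = LoginRecord(last_success=now, last_source=source)
        return notice


def demo() -> List[str]:
    """Constructed scenario: first login, two failures, then two more logins."""
    t = LastLoginTracker()
    out = [t.record_success("jdoe", "10.0.0.5", datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc))]
    t.record_failure("jdoe")
    t.record_failure("jdoe")
    out.append(t.record_success("jdoe", "10.0.0.9", datetime(2021, 6, 2, 8, 30, tzinfo=timezone.utc)))
    out.append(t.record_success("jdoe", "10.0.0.9", datetime(2021, 6, 3, 8, 30, tzinfo=timezone.utc)))
    return out
```

The second notice in `demo()` is the interesting one: it shows the earlier login's time and source plus the two failures, which is exactly the information a user needs to spot that someone else has been at their account.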
What is a security assessment?
A security assessment is the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating effectively, and meeting the security requirements for an information system or an organization.
This questionnaire is a form of high-level security assessment based on controls required under HIPAA and the CISPs. Organizations may need to perform security assessments against controls not covered by this high-level assessment in order to ensure that they are addressing security throughout their environment.
What is the difference between a security assessment and a security training?
Security training is focused on providing workers with an overview of their responsibilities with regard to a broad range of topics such as data handling, appropriate use of systems, physical security requirements, identifying and reporting security incidents, protecting against social engineering attacks, etc. A security assessment, by contrast, evaluates whether the organization's security controls are implemented correctly and operating effectively, as described above.
Questions? Contact HCPFCountyRelations@state.co.us