IT Security Policy Best Practices for Local Government

Cybersecurity is essential for local governments. Here's how solid government security policy and procedures help minimize your security risk.

December 23, 2020

Article highlights

In early 2017, a malware attack took down local government computer servers in Bingham County, Idaho. County employees couldn’t access the computer systems, the county website was down, and the hack caused issues with the emergency dispatching center.

Recovering from the attack took months and cost the county nearly $100,000. In the wake of the attack, the county implemented new firewalls and revisited its government security policy.

The cyber attack in Bingham County is far from an isolated incident. In the last few years, cyber attacks on local governments have become increasingly common. And while some of these threats come from external hackers or criminals, information security breaches are often the result of insider threats.

According to a report by IBM, 60% of all attacks were carried out by insiders. A significant number of these are unwitting employees who accidentally fall prey to a phishing scam or don’t follow IT security policies.

Government cybersecurity measures have to include infrastructure, firewalls, and information security protocols. But developing and training employees on government security policy is also crucial in protecting sensitive information.

Ultimately, people are the weakest link in any security protocol. So a solid government cybersecurity policy is the first line of defense in information security in government.

Understanding Your Security Risk

According to a report by the Brookings Institute, most government agencies lack IT security policies.

A lack of a good government security policy can open agencies to many different risks. As demonstrated by the story of Bingham County, a security breach can shut down government servers and costs thousands of dollars to repair.

In other cases, a cyber attack can result in the theft of sensitive data including Social Security numbers, credit card information, and medical records. At the very least, a security breach can damage a government’s reputation and public trust.

When it comes to effective information security in government, municipalities face several challenges:

Constantly changing and adapting security threats

Technology changes rapidly, and so does cybercrime. Cyber attacks are becoming increasingly complex and intense.

A report by the FBI found that in 2016, there were 4,000 ransomware attacks every day. That was a 300% increase from 2015, and the report concluded that new variants of ransomware are constantly emerging.

This makes government IT security challenging. Old firewalls or malware software may have gaps. And an outdated government security policy can leave employees unaware of potential security issues.

Confusing regulations

Local governments handle a lot of responsibilities. Different government departments have to comply with various federal and state regulations for information security. These may include regulations from HIPAA, the IRS, FBI, FSSA, and more.

Along with federal regulations and standards, municipal governments also must comply with state laws governing data security.

All the regulations and standards can be a lot for IT team to keep up with. The flood of suggested frameworks, tips, and best practices are not always helpful or clear and can create more problems than they solve.

Poor funding

In a 2016 survey by NASCIO and Deloitte, 80% of state governments said that funding was their top challenge in government information security.

Another study found that, in most state and local governments, cybersecurity makes up less than 5% of the IT budget. Private enterprises usually spend more than 10% of IT budgets on cybersecurity.

This is problematic. With cyber threats growing in number and complexity and more sensitive information going digital, information security is increasingly important.

Government IT departments need more money to do everything they need to do to protect critical information and systems. If the efforts aren’t properly funded, it’s difficult to stay on top of all of the security regulations and best practices.



Municipal governments often have a small IT team, and may not have an IT security expert on staff. IT personnel may not be familiar with all the information security regulations. And with no one person overseeing cybersecurity measures, important aspects of cybersecurity in government call fall through the cracks.

But often, the IT team is not the problem. The vast majority of government data breaches come from internal mistakes by employees.

Well-intentioned, but technologically unaware employees will always be the biggest security threat to any organization, including local government agencies. They may use weak passwords, click on phishing scams, or access an unsecured website.

Limiting Exposure Through Good Policy and Procedures

Cybersecurity technology can be helpful in government information security, but there’s only so much it can do. Firewalls can block harmful viruses and malware, but they can’t protect against employee mistakes.

The most effective way to limit local government information security risks is by creating and implementing good government security policy. Government cybersecurity policy and procedures establish a foundation for security best practices. They help ensure that every employee is aware of risks and actively working to protect government computers, networks, and sensitive information.

A good policy management software such as PowerDMS can help government IT managers create, update, and distributed good security policies to all employees.

Acceptable use policy

IT policies should set clear parameters on the type of content government employees are permitted to access from their work computers. This includes social media use, personal accounts, and prohibited websites.

As we wrote in our post about Updating Your Acceptable Use Policy, this is about more than just making sure employees aren’t browsing Facebook on company time. A good AUP limits liability risks by clearly prohibiting employees from illegal online activities.

Plus, as we wrote in the post, “Acceptable use policy and training help your employees know how to spot a phishing scheme and how to avoid downloading viruses onto their computers. Informed employees can protect your company network from dangerous malware.”

Bring Your Own Device (BYOD)

Nowadays, employees are used to constant connectivity. Lines between personal and professional use of computers and mobile devices can easily get blurred.

Many local government agencies don’t have the budget to provide work mobile devices to employees. So employees often end up using their personal phones for government business. This can be risky, as it gives the agency less control over information security.

A Bring Your Own Device (BYOD) policy can help put some protection measures in place. These policies may include restrictions on personal devices use for work purposes, password requirements, and measures for reporting stolen or compromised devices.

Security policy

A government security policy should include requirements for cybersecurity, physical security, and cloud security.

This includes things like who has access to each type of information and the protections that are in place for access (passwords, locks, etc).

It should also include procedures for regularly backing up information, identifying and managing risks, and responding to incidents.

Data access, storage, and retention

The more data a government agency stores and the longer they store the data, the greater their exposure to risks.

Many states have laws regarding data retention. But even in states that don’t, it’s essential for local governments to create a process for archiving and destroying old data.

Government security policies should establish strict rules around who can access data, how long it will be stored, and how it will be destroyed. This is particularly important for personally identifiable information such as voter registration details, tax records, and Social Security numbers.

Steps You Can Take Today

Information security in local government can seem like an overwhelming task. But it doesn’t have to be.

Much of limiting security risks comes through creating awareness about cyber threats and training employees about responsible technology use.

Here are a few things you can do to implement better security policies in your local government:

Share information with other municipalities

IT managers in local government don’t have to create an information security program from scratch.

Working together with those in similar roles in other local government can be extremely helpful. There are a number of state-level information systems groups which provide knowledge sharing.

For example, the Center for Internet Security provides resources to local governments through MS-ISAC (Multi-State Information Sharing and Analysis Center).

IT managers can even collaborate internally or invite a fellow IT expert to review policies. With PowerDMS’s workflow feature, they can easily and securely share information and collaborate.


Partner with industry

When it comes to information security, local governments can learn a lot from private organizations. This may include adopting tools or products from the private sector, or collaborating with IT experts from other industries to learn best practices.

When looking for security solutions, local government organizations should look for products that can help them comply with important regulations and security certifications.

For example, PowerDMS is in compliance with CJIS, HIPAA, and SOC. Our cloud-based system takes the guesswork out of compliance and security.

Culture of security awareness

Information security in local government isn’t solely the responsibility of the IT team. Every staff member plays a role in keeping data secure.

Government security policy lays the groundwork for a culture of security awareness in every department. But, of course, the policy alone won’t do much good if employees never see it.

With PowerDMS, government administrators can distribute IT policies and procedures to all employees with just the click of a button. They can gather electronic signatures to ensure every employee read and understood security policies. They can even deliver online training on cyber threats and security measures, and easily track results.

Conduct a security audit

Just like any other organization, local governments should regularly assess the effectiveness of their information security efforts.

Often, it’s helpful to bring in an outside expert, who may be better able to spot potential risks, gaps in compliance, and areas where security could be improved.

A solid government security policy is essential to protect local government agencies from cyber attacks, data breaches, and avoidable security issues. As you seek to create a security policy for your municipality, use PowerDMS to collaborate on policies, train employees, and ensure compliance with federal and state regulations.

Related Article

Footer CTA Image

Download your copy of the report

Download The Future of Policy & Compliance Management report.

How does your organization compare? Get your copy today.

Download the Report