Need help with reviewing my paper and adding an abstract
Government Digital Transformation & Cybersecurity
Palm Beach State College
Marcos Caceres, Mark Hendricks, Afrina Kamal, Brandon Ortiz, Austin Williams
Capstone Experience: Security and Network Assurance ISM4331-1
Professor Irwin Ross
October 28th, 2024
Introduction (Austin)
In 2005, Congress enacted the Real ID Act. This represented a significant shift in identification standards for the United States. The driving force behind the change was post-9/11 security concerns. The Act creates minimum security requirements for state-issued identification cards and driver's licenses. The goal is to reduce cases of identity fraud. The passing of the law nearly two decades ago highlights the need for collaboration and the difficulty of implementing the law across 50 states.
Under the Real ID Act, there are specific standards that licenses and IDs must meet; advanced security features, proof of residency, and a more robust vetting process are included. Requirements for government facility access and air travel have made compliance necessary, but the initial deadline in 2008 faced many logistical, technological, and financial challenges. After many deadline extensions, The Department of Homeland Security has the “final” date for enforcement set to be May 7, 2025.
The delay in the rollout has sparked fierce debate on both sides of the political landscape. Supporters of the Real ID Act see it necessary to combat identity theft, fraud, and terrorism, while opponents raise concerns over privacy, government overreach, and implementation costs. There have also been concerns over how marginalized groups may be disproportionately affected by a more rigorous process with stringent documentation requirements.
As states continue to implement standards set by The Real ID Act, there are insights into the transition that display the complexity involved in state and federal cooperation, bureaucracy, the push and pull between national security and individual privacy, as well as the technical hurdles that often arise.
Purpose
This essay was written to explore The Real ID Act implementation across the United States over the past decade and analyze its implications for security, privacy, governance, and technological implementation. The phased rollout of the Act has highlighted the challenges for states to comply with federal mandates and the tensions that arise from them. Many states have navigated the challenges of implementing the Act, but the effectiveness of The Real ID Act has come under question. Some wonder if the intended security goals have been met and if the social, political, and economic consequences were worth the challenges faced.
A vital component of this essay is to evaluate the impact of the Real ID Act on national security. Was the purpose of preventing identity fraud and improving the integrity of identification standards to prevent terrorism met? How did the technical transition present obstacles, and how were these points of contention alleviated? Modernizing state-level identification systems has been one of the technical challenges for the Real ID rollout. This transition has also been costly and time-consuming for states with limited resources.
The interconnectivity of state and federal databases was an obstacle to the rollout. Compliance necessitated state systems to be able to verify and authenticate necessary documents against federal database records. Social Security numbers, immigration records, and birth certificates at the state level all need to match federally. Complex communication channels had to be constructed with security woven into the fabric of the task. This required new approaches to creating, transmitting, and storing data. This includes strict privacy and security standards.
Not only would this change require technical advancements that did not exist in state and federal government, but the transition would also entail retraining staff and revising administrative procedures for The Department of Motor Vehicles (DMV) in each state. Implementing these policies and technology led to technical difficulties, longer waiting times, and extended processing. The technical problems that plagued the Real ID rollout show the complexity of merging the state and federal systems.
Scope
The scope of this essay will cover critical aspects of the Real ID rollout and how it intersects with licensing, registration, and tax collection. We focused on integrating technology with existing systems to enhance the functionality of government processes. Our essay explores how the Real ID system streamlined procedures, reduced human error, and integrated public administration into the digital future. This discussion covers several layers of government and the shifting cybersecurity measures taken and needed for the safety of government data systems. The scope focuses on four main areas:
1. The Real ID rollout:
Showcase features of The Real ID Act rollout, including identity verification systems and digital processing.
What was the reason behind the implementation of The Real ID Act?
Highlight security measures put in place to ensure the safety of personal data.
2. Online appointments:
We will detail the technological shift towards online services and the reasons for the change.
An analysis of the steps taken to implement the system is included.
There is a review of security measures to protect integrity, focusing on encryption, access controls, and identity verification.
3. Cybersecurity in Government Databases:
There is a discussion of cybersecurity best practices on the safety of government databases that handle sensitive data.
Database management, network security, access control, and encryption will be covered.
Cybersecurity frameworks created to ensure the confidentiality of digital records and technology are analyzed.
4. State and Federal Compliance:
What state and federal technological regulations have been created to ensure data security?
What is the role of education in maintaining security for the integrity of database systems?
mDL rollout (Mark)
Features of the Technology
Mobile Driver’s Licenses (mDL) and Digital IDs are identification systems that aim to enhance security, standardize identification documents, and facilitate digital identity verification for various services such as a driver’s license, health insurance card, and even Real ID, allowing users to carry identification on mobile devices.
Reasons for Implementation
Identification systems center people’s needs and desires and allow them to choose how they participate in society. This can be incredibly empowering. Building those systems digitally can make it quicker for people to participate in society, make it more accessible to change their data, and enable them to skip previously bureaucratic, analog processes (Rahman, 2020, para 4).
Security
IDs stored in Apple Wallet take advantage of the privacy and security features already built into iPhone and Apple Watch to help protect against tampering and theft. The driver's license or state ID data is encrypted, and biometric authentication using Face ID and Touch ID helps ensure that only you can view and use your license or ID. When using your digital ID, neither the state issuing authority nor Apple can see when and where you use your license or ID (Apple Support, 2024). When using Google Wallet to access a digital ID, Google Wallet keeps your digital driver’s license and state ID protected with advanced security. The digital ID is stored encrypted and only accessible with your personal authentication. Before you show your digital ID, you can review what data is shared, and if your phone is stolen or lost, your digital ID can be deleted with a remote data erase (Google Support, 2024).
History
In 2005, Congress enacted the 9/11 Commission’s recommendation that the Federal Government, “set standards for the issuance of sources of identification, such as driver’s licenses and identification cards.” It established minimum security standards for license issuance and production and prohibited federal agencies from accepting certain non-compliant driver’s licenses and identification cards for certain official purposes. As of this writing, the enforcement of the REAL ID Act is set to begin May 7, 2025. This means that anyone 18 years and older who plans to fly domestically or visit certain Federal facilities will need a REAL ID or another acceptable form of identification.
An International Organization for Standardization (ISO) standard for the mobile driving license (ISO/IEC 18013-5) was approved on August 18, 2021, and published on September 30, 2021.
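The "review what data is shared" behaviour described above rests on selective disclosure: in ISO/IEC 18013-5 the issuer signs a list of salted digests of each data element rather than the values themselves, so the holder can reveal one element (for example age_over_21) while the verifier still checks it against the issuer's signature. The following is an added, simplified Python illustration written for this paper; it is not code from the standard, Apple, Google, or any state app. It assumes plain dicts in place of CBOR and uses HMAC-SHA256 as a stand-in for the issuer's ECDSA signature (a real verifier would hold only the issuer's public key).

```python
import hashlib
import hmac
import json
import os
from typing import Dict, List, Tuple

# Constructed stand-in for the issuing authority's signing key. A real mDL issuer
# signs the Mobile Security Object with an ECDSA key whose certificate the verifier
# trusts; HMAC is used here only to keep the example self-contained.
ISSUER_KEY = b"constructed-issuer-key-not-real"


def _element_digest(element_id: str, value: str, salt: bytes) -> str:
    """Salted SHA-256 digest of one data element.

    The per-element random salt is what stops a verifier from brute-forcing an
    undisclosed value (a birth date has only a few tens of thousands of candidates).
    """
    data = salt + element_id.encode() + b"\x00" + value.encode()
    return hashlib.sha256(data).hexdigest()


def _sign_digests(digests: Dict[str, str]) -> str:
    """Issuer signature over the canonical digest list (HMAC stand-in)."""
    payload = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, payload, "sha256").hexdigest()


def issue(elements: Dict[str, str]) -> Tuple[dict, dict]:
    """Issuer side. Returns the signed digest list (the MSO) and the holder's
    private element store (values plus salts). The store never leaves the device."""
    store: Dict[str, dict] = {}
    digests: Dict[str, str] = {}
    for element_id, value in elements.items():
        salt = os.urandom(16)
        store[element_id] = {"value": value, "salt": salt.hex()}
        digests[element_id] = _element_digest(element_id, value, salt)
    mso = {"digests": digests, "signature": _sign_digests(digests)}
    return mso, store


def present(mso: dict, store: dict, requested: List[str]) -> dict:
    """Holder side: reveal only the requested elements (value + salt) together
    with the signed MSO. Undisclosed elements stay on the device."""
    disclosed = {eid: dict(store[eid]) for eid in requested if eid in store}
    return {"mso": mso, "disclosed": disclosed}


def verify(presentation: dict, required: List[str]) -> bool:
    """Verifier side: check the issuer signature over the digest list, then
    recompute the digest of every disclosed element the verifier needs."""
    mso = presentation["mso"]
    if not hmac.compare_digest(_sign_digests(mso["digests"]), mso["signature"]):
        return False  # digest list not from the issuer
    for element_id in required:
        item = presentation["disclosed"].get(element_id)
        if item is None:
            return False  # element was not disclosed
        recomputed = _element_digest(element_id, item["value"], bytes.fromhex(item["salt"]))
        if not hmac.compare_digest(recomputed, mso["digests"].get(element_id, "")):
            return False  # value altered after issuance
    return True


# Constructed sample credential (not a real person or document).
SAMPLE_ELEMENTS = {
    "family_name": "Doe",
    "given_name": "Jane",
    "birth_date": "1990-05-14",
    "age_over_21": "true",
    "document_number": "D000-000-000",
}


def age_check_demo() -> Dict[str, bool]:
    """Age-restricted sale: the verifier only needs age_over_21."""
    mso, store = issue(SAMPLE_ELEMENTS)
    shown = present(mso, store, ["age_over_21"])
    tampered = present(mso, store, ["age_over_21"])
    tampered["disclosed"]["age_over_21"]["value"] = "false"  # holder edits the value
    return {
        "age_ok": verify(shown, ["age_over_21"]),
        "birth_date_hidden": "birth_date" not in shown["disclosed"],
        "missing_element_fails": not verify(shown, ["birth_date"]),
        "tampered_fails": not verify(tampered, ["age_over_21"]),
    }
```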
Obstacles and Challenges
ACLU
Regulation
Successful Implementations
Estonia - widely recognized as a global leader in digital governance. The country offers digital IDs to citizens and e-residents, allowing access to public services, banking, and e-voting.
India - India’s Aadhaar is one of the largest digital ID systems in the world. It is a biometric-based digital ID system used to access various services, from banking to welfare programs.
Sweden - Sweden’s Bank ID is a widely adopted digital identity solution for accessing government services, banking, and other digital transactions.
Current Implementations
There are a few states that offer their apps to store your digital ID, such as:
Arizona, Delaware, Mississippi, and Oklahoma — Idemia, a French security company, has launched its Mobile ID app in these states.
Colorado — myColorado is a state-sponsored app that offers proof of identification, age, and address within the state.
Louisiana — The DDL in the LA Wallet app is 100% legal for driving purposes and accepted by state law enforcement.
Maryland — Maryland Mobile ID is an app that is a “voluntary, secure, digitized version of your MDOT MVA-issued driver’s license (DL) or identification card (ID) available in the Apple Wallet app on your iPhone and Apple Watch.”
Utah — The Get Mobile group has developed an app for Utah that is an optional program.
There are plans for Connecticut, Georgia, Hawaii, Iowa, Kentucky, Mississippi, Ohio, and Puerto Rico to offer digital licenses shortly.
| State | Status of Digital Driver’s License |
| --- | --- |
| Arizona | Arizona uses the Mobile ID app, developed by Idemia and also available for Apple Wallet. |
| California | California is running a pilot for California’s Digital ID Project, which will roll out shortly. |
| Colorado | Colorado has been accepting digital licenses using the myColorado app since 2019, also available for Apple Wallet. |
| Connecticut | Connecticut is working with Apple to develop virtual IDs that work with Apple Wallet, per Apple, but it is still not available yet. |
| Delaware | Delaware is currently using the Mobile ID app developed by Idemia. |
| Florida | Florida is running a pilot for the Florida Smart-ID to roll out soon. |
| Georgia | Georgia will be among the first states in the country to introduce compatibility with Apple Wallet, per Apple, but this is still not available yet. |
| Hawaii | Hawaii is working on compatibility with Apple Wallet, per Apple, but this is still unavailable. |
| Iowa | Iowa is working with Apple to develop virtual IDs that work with Apple Wallet, per Apple. The Iowa Mobile ID is also “coming soon,” per Iowa DOT. |
| Kentucky | Kentucky is working with Apple to develop virtual IDs that work with Apple Wallet, per Apple, but this is still not available yet. |
| Louisiana | Louisiana’s LA Wallet app launched in 2018 and provides a digital driver’s license that is accepted by state police. |
| Maryland | Maryland Mobile ID is available for Apple Wallet. |
| Mississippi | Mississippi has a digital Mississippi Mobile ID app to store your digital driver’s license, which also works with Apple. |
| New Jersey | New Jersey is working with Apple to develop virtual IDs that work with Apple Wallet, per Apple, but this is still not available yet. |
| Ohio | Ohio is working with Apple to develop virtual IDs that work with Apple Wallet, per Apple, but this is still not available yet. |
| Oklahoma | Oklahoma is currently using the Mobile ID app, developed by Idemia. |
| Puerto Rico | Puerto Rico is working with Apple to develop virtual IDs that work with Apple Wallet, per Apple, but this is still not available yet. |
| Utah | Utah is currently using the Get Mobile ID app, developed by GET Group North America, and is working with Apple to develop virtual IDs that work with Apple Wallet. |
Government Databases: Cybersecurity and Its Role in Security (Afrina)
Government databases contain vast volumes of sensitive data, ranging from personal identification information to confidential state secrets. Cybersecurity is critical in ensuring this data is sufficiently safeguarded from unwanted access, modification, or deletion. This draft will discuss the significance of cybersecurity in the upkeep and security of government databases, networking procedures, access controls, and overall database security.
Maintenance and Security
Maintenance is essential to database security in government systems. Regular updates and patches are required to fix software vulnerabilities that attackers can exploit. According to Stallings and Brown (2018), continuous vulnerability monitoring guarantees that holes are fixed quickly, which is critical for protecting government databases (p. 122). Furthermore, following correct backup processes ensures that data is not destroyed during a cyberattack or technological failure.
Networking
Networking is the foundation of database access and communication. However, it also brings security issues, such as unauthorized interception of data during transmission. To prevent malicious actors from intercepting sensitive information, government networks must use secure communication protocols such as VPNs and encrypted connections (Provos & Honeyman, 2003, p. 78). Furthermore, firewalls and intrusion detection systems are critical for monitoring network traffic and preventing unauthorized access.
Access Controls
Access control methods are critical for restricting who can access and change government records. Role-based access control (RBAC) is widely employed in government systems to ensure that only authorized people can see or alter sensitive data (Whitman & Mattord, 2018, p. 95). Implementing multi-factor authentication (MFA) and password policies reinforces access controls, making it more difficult for unauthorized users to break security.
Database Security
Database security in government organizations entails implementing encryption, audits, and anomaly detection to secure stored data from illegal access or manipulation. Encryption ensures that even if data is viewed, it remains unintelligible without the correct decryption keys (Schneier, 1996, p.210). Furthermore, auditing technologies allow for constant database activity monitoring, ensuring that questionable operations are reported and reviewed.
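The three controls named in this section, RBAC, MFA, and audit monitoring that reports questionable operations, fit together as a single pipeline: an access decision is made per request, each request is written to an audit log, and the log is then scanned for activity that a role should never produce. The following is an added Python illustration written for this paper, not code from any agency or vendor; the role policy, user list, thresholds, and audit lines are all constructed for a hypothetical state driver-record database.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed RBAC policy for a hypothetical state driver-record database.
# Each role maps to the (resource, action) pairs it is allowed to perform.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "clerk":   {("driver_record", "read")},
    "auditor": {("driver_record", "read"), ("audit_log", "read")},
    "dba":     {("driver_record", "read"), ("driver_record", "update"), ("audit_log", "read")},
}
USER_ROLES: Dict[str, str] = {"alice": "clerk", "bob": "auditor", "carol": "dba"}

BUSINESS_HOURS = range(6, 20)  # 06:00 to 19:59 local; anything else is "after hours"
BULK_ROWS = 100                # more rows than a single customer lookup should touch


def is_permitted(user: str, resource: str, action: str) -> bool:
    """RBAC decision: unknown users and unknown roles are denied by default."""
    role = USER_ROLES.get(user)
    return role is not None and (resource, action) in ROLE_PERMISSIONS.get(role, set())


@dataclass
class AuditEntry:
    ts: datetime
    user: str
    resource: str
    action: str
    rows: int
    mfa: bool


def parse_entry(line: str) -> AuditEntry:
    """Parse one constructed audit line of the form
    '<ISO timestamp> <user> <resource> <action> rows=<n> mfa=<yes|no>'."""
    ts, user, resource, action, rows, mfa = line.split()
    return AuditEntry(
        ts=datetime.fromisoformat(ts),
        user=user,
        resource=resource,
        action=action,
        rows=int(rows.split("=", 1)[1]),
        mfa=mfa.split("=", 1)[1] == "yes",
    )


def find_suspicious(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (reason, user, timestamp) for every audit entry that needs review:
    an action outside the user's role, a session without MFA, a bulk read or
    update, or activity outside business hours."""
    flags: List[Tuple[str, str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_entry(line)
        stamp = e.ts.isoformat()
        if not is_permitted(e.user, e.resource, e.action):
            flags.append(("unauthorized", e.user, stamp))
        if not e.mfa:
            flags.append(("no_mfa", e.user, stamp))
        if e.rows > BULK_ROWS:
            flags.append(("bulk_access", e.user, stamp))
        if e.ts.hour not in BUSINESS_HOURS:
            flags.append(("after_hours", e.user, stamp))
    return flags


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count flagged entries by reason, for a daily review report."""
    counts: Dict[str, int] = defaultdict(int)
    for reason, _, _ in find_suspicious(lines):
        counts[reason] += 1
    return dict(counts)


# Constructed sample audit log (not real DMV data).
SAMPLE_LOG = """
2024-10-28T09:15:02 alice driver_record read rows=1 mfa=yes
2024-10-28T09:16:40 alice driver_record update rows=1 mfa=yes
2024-10-28T02:03:11 bob driver_record read rows=5000 mfa=yes
2024-10-28T10:30:00 carol driver_record update rows=1 mfa=no
2024-10-28T11:00:00 dave driver_record read rows=1 mfa=yes
2024-10-28T12:00:00 bob audit_log read rows=20 mfa=yes
""".strip().splitlines()

if __name__ == "__main__":
    for flag in find_suspicious(SAMPLE_LOG):
        print(flag)
```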
Online appointments, registration, licensing, and voter registration (Brandon)
Everything is going digital these days. This is a statement I feel should be obvious, even before world events would speed that process up, but it was on the path of mostly digital options for quite a while as it was. The pandemic would do a lot for the digital era, including adding curbside for items needed like groceries and medicines (if not over the counter), to a fancy new upgrade in a computer or television. The primary things I have noticed are transitioning to online service instead of in-person, voter registration, and making appointments online. These things have become such a mainstay that they can become a concern for security and safety.
The main question about why these new protocols have been enforced might have already been answered, but there is more nuance. The pandemic put a new emphasis on doing everything contactless. Payments, appointments, everything. It was also a period where cyber security has become super important in the past four years, as there has been a boom in interest in it in the past few years. Nowadays, it is common to see a registration process for a medical center, a car, or a portal to register for an appointment to get a license. Was this an overnight thing? No, it has been several years in the making, but the idea has been brewing for a reason, and when the pandemic hit, these methods came to the forefront. I believe RealID is a key identification factor brought upon post-pandemic. However, the question is, can security measures be implemented to see how well the Real ID system works?
Well, I know how to make sure voter registration processes can be changed for the better and how they are now compared to then. One problem with the 2020 elections was a supposed invalid voter problem, depending on whom you ask. There are still physical voter registration areas, but they are primarily online. That is for the better, as you cannot fake the exact identification twice without being seen as fraudulent. The process starts by figuring out how these new systems are implemented. At first, I saw that the VRDBs, or the voter registration databases, were very strong and vast in the United States. However, there have been questions about the databases during one of the elections, which need to be addressed. 2016 was a very controversial election, to say the least, but databases were the main topic that felt threatened. “There were hacks that happened via Russia, and thousands of records have been caught and taken.” The other major issue I saw when hacked was modification threats, like inserting and removing random records with zero authority.
So, how has this changed in recent years? Certain questions have been asked, such as if there have been new mechanics that put the security of this data in safer hands. There have not been reports of major hacks in voter fraud or invalid votes being thrown in by messing with the systems, so it is a good step forward. It is still digital to this day, and it seems to be the preferred way to get the registration in and be eligible to vote in this coming election. This was all just part of that speeding up.
The same thing can be said about making a simple appointment for your doctor’s visit. Typically, you go to the office, a practice that’s still recommended to this day, but now we have online visits for things like mental illness and maybe simple illnesses like the common cold. Another prominent thing that’s been gaining traction is mobile device application rollouts. Everything has an app, and I am always prompted to go through it when setting up an appointment with a specialist I have been recommended to see. It is just one more part of how technology is getting better and more of the default way to get things done, as mobile phones have become so powerful over the past ten years alone.
I feel like the rolling out has been more for convenience's sake because sometimes getting the recommendations for many different doctors can be a process not everyone likes. It is thanks to the rollout of portals and different apps that are mostly secure that we can now book said appointments at not just a doctor’s office but for the DMV to get a new driver's license or waiting for your financial aid to clear has moved on to the realms of the cyber world. Security has been good for, say, PBSC recently, but without a careful eye, it can slip up.
Licensing needs no introduction to cyber security or IT in general. It is one of those objects that says, “We went above to show our knowledge beyond just getting a degree.” It feels like we take advantage of how easy it is to sign up for a new certificate and get in the center, or if they offer it, a nice, clean workspace to work in to do it in the comfort of your bedroom and study. In the olden days, there was always physical studying and test-taking, which people did not mind. However, once things started changing in the world, it felt like the test-taking process had been less of a hassle and more secure thanks to the rollout of programs such as Respondus or potentially another first-party program.
These days, we have neutral vendor licensing as well. CompTIA, a major vendor, offers its new Cyber Analysis Plus. While that is excellent, there seems to be a problem with some vendors not rolling out the licenses properly. I feel like a major thing to get the system and interfaces right is basically when there is a healthy level of trust in the system software itself and the trust of the vendor to bring in the systems necessary to get these offices working and not mess everything up by looking the wrong way. Certain problems, mostly points of attack, need to be looked at before they become an issue, such as ensuring the service's infrastructure is intact, the telecommunications on both ends should be working, powerlines need to be operational, etc.
The next major point is trust overall. There is a theory known as the prisoner’s dilemma: "Two partners in crime are locked up and basically have conditions that need to be met before the sentencing begins.” I feel like that relationship with the company and the rolling out of new software for those licensing firms are needed to have a good relationship and change to have securities ready to go by the time the product, or in this case, the licensing, is ready to be unveiled and rolled out. Suppose the chain, however, lets out some faulty licenses. In that case, it can lead to business disasters, and to avoid those, it is always good to check the systems and securities in place to see how they are being delivered and to make sure no important information gets out.
All in all, there seems to be one primary reason for the updates in security, and that is the world changing in a way that can accompany it. Sometimes, it is better to go in person to get all these things done, but setting up appointments, picking up essential objects, and everything of this sort has been nothing short of magic in some cases. Continuously checking licensing chains is always good to be sure you do not have any suspicious activity going on and are accidentally buying into something that’ll give your hardware a hard time because it was secretly a virus.
Security is seriously a concept that people latch on to dearly and will do anything to protect. People love to defend it as much as possible, especially when it comes to voting and making their appointments. Data breaches are super common, and there have been issues with them before in both fields, and there have to be ways to be secure that are effective not just for a few weeks, or even days, but for years to come. Every day I think about when the next major hacking happens, and some of the first things I think about are “how could we have avoided that?” or “how did this happen?”
First steps into protecting any sort of major thing are “making it visible to an organization,” which is something I agree with (Caravelli, Jones, 2019). Companies sometimes just aren’t aware things like this happen until the news breaks on the television instead of within their own walls. Officers should have a presence to secure some of the high-data areas too, or starting with a simple firewall installation can fix a lot of problems in the long term.
Another good piece of advice that can protect voters is to keep the volunteers informed about what to look for when keeping records of people’s votes. Being aware of threats and potential fraudulent voting can majorly affect security as well. Not to mention you don’t know who’s trying to get the information of another person voting.
The last thing for general purposes is also getting a password on everything. This goes especially for tax websites because those can be actually devastating if there is a breach because that has to do with money. Nobody likes the ideas of their money and public records being broken into and sold off to the internet for anyone to just purchase. Passwords seem like an easy thing, but another thing to keep in mind is that they need to be strong and full of characters that no sane person would even consider putting together.
Confidentiality is something everyone can get behind, as that is the only thing I feel like we have left. From boards dedicated to basically remaining anonymous, to making sure nobody knows our taxes unless it’s in the hands of the right people, because without that security, huge leaks happen, and people can just know everything about you, and we all know how paranoia can take form. There are a few ways to protect the records as well when it comes to people wanting that protection.
Identification realistically can come from any way, shape or form because there are just that many ways of keeping yourself out of the eye of people trying to break in. A popular one is the social security method, and without that, most forms of identity are denied from accessing. There are also things like trying to implement RealID into the security to do so.
What I mean by this is the fact that new IDs everywhere are being implemented, to the point where I think that the airports refuse to take your identification if you don’t have it; they will not allow you onto the planes without them. With cyber security allowing metrics like that to be scanned, or putting it in via card scanners, it could help with anything. This also goes for getting records for people digitally. Scanners are a good method to verify that sort of information.
Obtaining someone’s identity is getting harder, and tightening security is always a high priority for any sort of client, really. With cyber security being the most prominent it has ever been, along with the looming AI revolution, people possibly getting their identity stolen by a fake deep video or identification is always something to be scared of. Not saying that there won’t be ways to defend it, but it’s always a good thing when people do not have the threats apply to them any day of the week.
State and Federal compliance with security policies and procedures (Marcos)
Government entities such as the DMV collect information to issue driver’s licenses, and the tax collector’s office accepts payment of traffic-related tickets and annual taxes and collects information on home and business owners. As processes move to a digital environment, several regulations and security frameworks are recommended or are mandatory to enforce changes within these sectors. Fines and other penalties may be enforced based on the severity of non-compliance.
The Florida DMV, for example, provides services related to issuing IDs and driver's licenses, vehicle registration and titles, driving records for residential and commercial purposes, and online services. They collect Personally Identifiable Information (PII) such as the first and last name, date of birth, current address, and social security number.
For example, the Palm Beach County tax collector’s office provides services related to property taxes, birth certificates, TSA PreCheck, digital fingerprinting, and SunPass. Their site states, “We are required by law to maintain the confidentiality of information regarding taxpayers, applicants for or recipients of child support services, personal or financial information of property owners, and certain personal information regarding our employees.” (Confidential Information).
Binding regulations
Several regulations and controls apply to these two facets of government. Although protected health information (PHI) is collected by these organizations as related to their employees, we are focused on moving to a digital offering for consumers. The county does not deliberately collect health information on consumers that utilize its products, so it is not required to adhere to the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA), which states that an organization must enact standards to regulate the disclosure, use, and protection of an individual’s health information.
Due to the need to obtain personally identifiable information (PII) and credit card statements, as well as the employees who support the system and customer reviews, the following regulations and compliance requirements apply to the PBC Tax Collector’s office: the Payment Card Industry Data Security Standard (PCI DSS), the Electronic Communications Privacy Act of 1986 (ECPA), the U.S. Federal Privacy Act of 1974, 5 U.S.C. 552a, and the General Data Protection Regulation (EU).
The PCI DSS standard was established in 2004 and sets technical and operational requirements for merchants and service providers that accept or process cardholder data or sensitive authentication data used in payment card transactions. The standard contains over 200 controls organized into 12 requirements. It is not a legal requirement and is not governed or enforced by a government body. However, payment card companies such as Visa, American Express, Mastercard, etc., enforce this standard to ensure the secure payment and processing of credit card data. If an organization does not comply with this standard, the card brands will not permit it to accept electronic payments, rendering that part of the business model handicapped.
Congress created the Electronic Communications Privacy Act of 1986 (ECPA) to extend restrictions on government wiretaps to apply to computer and network-based communications. It prohibits eavesdropping, interception, and the unauthorized monitoring of electronic communication. Still, it allows communication providers such as Xfinity and AT&T to monitor their networks for business reasons if they inform customers that they will be monitored.
The U.S. Federal Privacy Act of 1974, 5 U.S.C. 552a, is a law created with governance and practices related to U.S. government agencies' collection, maintenance, use, and dissemination of PII. The act balances the need for the government to maintain information about their citizens and permanent residents with the individuals' rights to keep their personal information private. The act disallows an agency to disclose records to any person or other agency except if the information owner grants permission. Although the act was created without the internet in mind, the principle still applies to online mechanisms.
The General Data Protection Regulation (GDPR) was established in 2016 and requires organizations to protect the privacy of EU citizens. Article 5 covers collecting only the minimal information required by the business, ensuring the accuracy of the personal data, ensuring the security and integrity of the data, abiding by applicable laws, and identifying the reasons why data must be collected, to name a few areas of focus. Article 25 requires that data protection be built in by design and by default rather than bolted on afterward. Article 23 defines that if there is a breach, the notification to authorities must be made within 72 hours.
Controls and Frameworks
Due to the need to protect the sensitive information and systems within the PBC Tax Collector’s office, a few categories of security controls and frameworks apply to ensure the hardening and continuous maintenance of securing systems from potential exploits and vulnerabilities within the environment. Two major categories of security controls that would apply to the PBC Tax Collector’s office are the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), with codependent NIST 800-53, and the CIS Critical Security Controls Framework.
The NIST CSF was published in 2014 and is a combination of standards, guidelines, and best practices to help manage cybersecurity risk within an organization. The initial version focused on critical infrastructure like banking, energy, and communication. Due to its popularity, it was adopted by both public and private organizations as a standard. NIST CSF v1.1 is mainly applied to the private sector and consists of 5 core functions: Identify, Protect, Detect, Respond, and Recover. NIST is a nonregulatory agency of the U.S. Department of Commerce that promotes innovation and industrial competitiveness by advancing standards and technologies (Deane and Kraus, NIST Cybersecurity Framework). The NIST 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations) controls is a large framework created to assist U.S. government agencies in managing their security programs. It is a comprehensive set of controls comprising 18 families with hundreds of controls.
The SANS Institute created the CIS Controls, and stewardship of them passed to the Center for Internet Security in 2015. The controls identify basic, foundational, and organizational controls recommended to impede or mitigate the most common attacks against networks and systems.
Enforcement
The Palm Beach County Tax Collector’s website contains a link to its public affairs content, including the Countywide PPMs (Policies and Procedures) for public viewing. The various articles provide the administrative controls necessary to support the county’s security strategy. The Information Technology Governance Policy and the Information Technology Security Policy are two of the articles that govern operations.
The governance policy provides strategic direction on the formulation, alignment, implementation, and use of technology to support the business goals of the county. Establishing and maintaining security frameworks and boundaries allows that direction to be implemented alongside supporting standards, programs, procedures, and guidelines, each written at the level of detail the topic requires. The policies were adopted from industry best practices in 2005 and were approved by the appropriate standing committees at the time of their introduction. As the move towards digital transition became more prominent, consumers demanded the ability to process applications and obtain information electronically via email, social media, or the website rather than visiting a physical location. This necessitated the re-organization and re-classification of the initial governance policy into 14 areas within IT, including an Advisory Committee, Database Administration, Enterprise Technical Standards, Software Development, Internet Content Management, and Centralized Network Services. The policy defines the responsibilities of each area, and in turn those areas are required to create more detailed documents that support the governance policy.
The information technology security policy establishes the requirement to identify and mitigate risks to information. This protects information from loss of integrity and ensures that it is available when needed by the appropriate consumer. The policy contains a clear mandate regarding any conflicting policy that would override it, and the appropriate approval process must be followed to obtain an exception to the standard.
Security education in government
The Palm Beach County Tax Collector’s office maintains a password policy for financial systems, a security awareness program, and an internet use policy. Together these enforce continuous security education for employees on protecting county assets, and themselves, from a threat actor who could infiltrate county systems, steal PII, or render systems unavailable, for example by deleting information systems within the county’s purview or locking them cryptographically.
The password policy states that transactions within the county’s financial system must be protected by user ID and password combinations, so that only authorized personnel manage these transactions. It makes system administrators accountable for creating and maintaining the login accounts within the secure Universal Security Identity management (SIM) system. It stresses the importance of keeping passwords confidential: if a compromise occurs, the password must be reset immediately through the county program or by contacting the IT help desk support hotline. It further emphasizes that inappropriate use of login information leads to disciplinary action.
The Security Awareness Policy states that the Information Security Services (ISS) department will oversee annual cybersecurity awareness training, which must be completed by all employees; new hires are required to complete mandatory training as part of their role; and the ISS department will conduct simulated phishing campaigns in a controlled environment. Making the ISS department accountable for this effort ensures that employees expect to participate in the program. Additional periodic security awareness training will also be provided. Repeat offenders in the phishing simulations are brought to leadership’s attention for further discussion.
The Internet use policy contains directions on email, file transfer, remote access, social networking, instant messaging, and other media use, as well as communications on county systems during working and non-working hours by any county employee or volunteer. Unacceptable activities include gambling, promoting personal business ventures, obtaining explicit or illegal content, unauthorized destruction of property, and activities that consume excessive resources. There is also clarification on acceptable use for non-business purposes. Security is taken seriously: the policy discusses various threats and how they can reach county employees, such as phishing attacks, malicious website content, and malware downloads. There is additional guidance on handling files that contain sensitive information and a requirement that firewalls be implemented and maintained to protect resources.
On July 5th, the Palm Beach County Tax Collector’s office discovered a security breach in which hundreds of residents’ personally identifiable information (PII), including social security numbers, was disclosed in an unauthorized manner. The incident occurred due to a data file “erroneously attached during a computer backup process”. When these incidents occur, they reduce consumers’ faith in a system to which they have no choice but to send their information for processing. Unfortunately, the county did not explain what it did to ensure this does not recur; however, the updated policies and standards above show progress in putting the current direction in writing and making it publicly available, so that consumers like us can review and understand how our information is protected.
Reduction of Vulnerabilities and System Hardening
The tax collector follows specific best practices to reduce vulnerabilities through system hardening techniques and vulnerability management, lowering the risk to the systems and information in the county’s possession. Two controls the organization can implement to ensure systems are hardened are the CIS Controls, provided and administered by CISSecurity.org, and, for monitoring and remediating vulnerabilities, Rapid7’s InsightVM product. Because payments for various services are collected on the website, the office must also adhere to PCI DSS compliance.
CISSecurity is a well-known organization that provides a prescriptive, prioritized, and simplified set of best practices that can be used to strengthen the cybersecurity posture of any company. There are 18 controls broken down into several categories, with different levels of hardening depending on how far the organization can apply the hardening techniques before they break existing applications within the environment. The organization also provides Benchmarks, which are specific documents that show how to adjust settings within an operating system to lock down each item and avoid possible exploitation. Once a Benchmark is applied, the system is protected against basic attacks as a baseline, so that applications installed later do not expand the exploitable surface of the system’s core components. A good practice is to harden a golden image with these baselines and use it to deploy any new systems within the organization (CIS Critical Security Controls, n.d.).
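As an added example that is not code from the paper or from CIS, the script below shows the mechanics of a Benchmark-style baseline check: it parses an OpenSSH server configuration, compares a handful of keywords against expected values, and reports drift. The baseline values, the keyword list, and the sshd_config text are assumptions constructed for illustration; real CIS Benchmarks specify the exact keywords and values per operating system.

```python
"""Benchmark-style baseline check for an OpenSSH server configuration.

Added example, not code from the paper or from the Center for Internet Security.
BASELINE is an assumed set of hardening expectations modeled on common
recommendations; SAMPLE_SSHD_CONFIG is constructed inline so the check runs offline.
"""
import re

# Assumed baseline: keyword (lower-cased) -> expected value.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
    "protocol": "2",
}

# Constructed sample config (not from any real system). Two settings drift from the
# baseline and one keyword is absent, so the check reports three findings.
SAMPLE_SSHD_CONFIG = """
# constructed sample sshd_config
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
PermitEmptyPasswords no
# X11Forwarding is not set, so the daemon default applies; treated as missing here
MaxAuthTries 6
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for active (non-comment) 'Keyword value' lines.

    sshd honours the first occurrence of a keyword, so earlier lines win.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^(\S+)\s*=?\s*(.+)$", line)
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2).strip()
        settings.setdefault(key, value)
    return settings


def check_baseline(settings, baseline=BASELINE):
    """Compare parsed settings with the baseline.

    Returns a list of (keyword, expected, actual) findings; actual is None when
    the keyword is absent from the configuration (a silent daemon default).
    """
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        if actual is None or actual.lower() != expected:
            findings.append((key, expected, actual))
    return findings


def compliance_score(findings, baseline=BASELINE):
    """Percentage of baseline items that passed, rounded to one decimal."""
    total = len(baseline)
    return round(100.0 * (total - len(findings)) / total, 1)


if __name__ == "__main__":
    parsed = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    drift = check_baseline(parsed)
    for key, expected, actual in drift:
        print(f"FAIL {key}: expected {expected!r}, found {actual!r}")
    print(f"baseline score: {compliance_score(drift)}%")
```

Treating an absent keyword as a finding rather than a pass is deliberate: a golden image that relies on daemon defaults will silently change behaviour when the package is upgraded, so a baseline check should require the value to be set explicitly.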
Rapid7 is a well-known organization that provides threat defense and vulnerability management products, comparable to Tenable and Qualys, which operate in the same space. The InsightVM product is a vulnerability management tool that provides a large assortment of discovery scans to identify and fingerprint assets within the network, vulnerability checks for common and exploitable vulnerabilities, and compliance scanning for regulatory adherence when necessary. The product can use authenticated scans and agents deployed on assets to scan automatically for vulnerabilities when permitted (INSIGHTVM Stay Ahead of Vulnerabilities, n.d.).
For PCI DSS compliance scanning, a product known as Qualys acts as a third-party independent assessor that scans the website’s externally exposed interfaces and reports any high or critical vulnerabilities to the organization, which must either remediate each finding or explain why it is not applicable. Once the assessor is satisfied with the responses, the organization receives a passing score for that period, which can be provided to the financial institution used for merchant payment processing.
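To make the vulnerability-management and PCI scanning workflow from the two paragraphs above concrete, here is an added example that is not code from the paper, from Rapid7, or from Qualys. It parses a constructed scan export, rates each finding by CVSS score, separates the open high or critical findings on externally exposed interfaces (the ones that block a passing external scan under the rule described above) from the rest, and orders the remediation queue. The CSV columns, the exposure and status values, and the placeholder vulnerability ids are all assumptions made for illustration.

```python
"""Triage of vulnerability-scan findings for an external (PCI-style) review.

Added example, not the paper's or any vendor's code. The export format, the
'exposure' and 'status' vocabularies and the severity thresholds are assumptions;
the findings are constructed inline and the vulnerability ids are placeholders.
"""
import csv
import io

# Constructed scan export (no real assets or findings; RFC 5737 documentation addresses).
SAMPLE_EXPORT = """\
asset,ip,exposure,service,fingerprint,vuln_id,cvss,status
web01,203.0.113.10,external,https/443,nginx,CVE-PLACEHOLDER-0001,9.8,open
web01,203.0.113.10,external,https/443,nginx,CVE-PLACEHOLDER-0002,5.3,open
db01,10.0.0.20,internal,mssql/1433,mssql,CVE-PLACEHOLDER-0003,8.1,open
app02,203.0.113.11,external,http/80,iis,CVE-PLACEHOLDER-0004,7.5,false_positive
file01,10.0.0.30,internal,smb/445,windows,CVE-PLACEHOLDER-0005,3.1,open
"""


def severity(cvss):
    """Map a CVSS v3 base score to the usual qualitative rating."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def parse_export(text):
    """Read the CSV export into dicts, converting the score and adding a rating."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        row["cvss"] = float(row["cvss"])
        row["severity"] = severity(row["cvss"])
        findings.append(row)
    return findings


def pci_blockers(findings):
    """Findings that stop a passing external scan under the rule in the text:
    a high or critical vulnerability on an externally exposed interface that is
    still open (neither remediated nor accepted as a documented false positive)."""
    return [
        f for f in findings
        if f["exposure"] == "external"
        and f["severity"] in ("high", "critical")
        and f["status"] == "open"
    ]


def remediation_queue(findings):
    """All open findings, externally exposed ones first, then highest CVSS first."""
    open_findings = (f for f in findings if f["status"] == "open")
    return sorted(open_findings, key=lambda f: (f["exposure"] != "external", -f["cvss"]))


def severity_counts(findings):
    """Count open findings per rating; useful for the report handed to leadership."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for f in findings:
        if f["status"] == "open":
            counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("PCI blockers:", [f["vuln_id"] for f in pci_blockers(rows)])
    print("remediation order:", [f["vuln_id"] for f in remediation_queue(rows)])
    print("open findings by severity:", severity_counts(rows))
```

A finding marked as a false positive drops out of the blocker list only because the status column records that the organization has explained it; keeping that justification in the same dataset as the scan result is what lets the next quarter's review show why a still-reported item was accepted.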
References
CIS Critical Security Controls. (n.d.). Retrieved from CIS Security: https://www.cisecurity.org/controls
INSIGHTVM Stay Ahead of Vulnerabilities. (n.d.). Retrieved from Rapid 7: https://www.rapid7.com/products/insightvm/
Summary
References
Add your driver’s license or state ID to Apple Wallet. Apple Support. (n.d.). https://support.apple.com/en-us/111803
Applied cryptography: Protocols, algorithms, and source code in C, 2nd edition. Wiley.com. (1996). https://www.wiley.com/en-us/Applied+Cryptography:+Protocols,+Algorithms,+and+Source+Code+in+C,+2nd+Edition-p-9781119183471
Baker, V. C. (2022, June 6). Cw-p-020.pdf - Palm Beach County. COMPUTER SECURITY FOR THE COUNTY’S AUTOMATED FINANCIAL SYSTEM . http://www.pbcgov.com/publicaffairs/ppm/pdf/cw-p-020.pdf
Baker, V. C. (2023, December 18). Pbcgov. INFORMATION TECHNOLOGY SECURITY POLICIES . https://www.pbcgov.com/publicaffairs/ppm/pdf/CW-F-002.pdf
Baker, V. C. (2024a, March 12). Pbcgov. INFORMATION TECHNOLOGY GOVERNANCE POLICIES . https://www.pbcgov.com/publicaffairs/ppm/pdf/CW-F-002.pdf
Baker, V. C. (2024b, June 14). CW-R-008, internet use policy. INTERNET USE POLICY . http://www.pbcgov.com/publicaffairs/ppm/pdf/cw-r-008.pdf
Baker, V. C. (2024c, June 14). Pbcgov. CYBERSECURITY AWARENESS TRAINING FOR EMPLOYEES AND OFFICIALS . https://www.pbcgov.com/publicaffairs/ppm/pdf/CW-F-002.pdf
Brown, L., & Stallings, W. (2018). Computer security: Principles and practice, 4th Edition. https://www.reddit.com/r/textbookrequest/comments/p8vfx0/computer_security_principles_and_practice_4th/
Deane, A., & Kraus, A. (2021). NIST Cybersecurity Framework. In The Official (ISC)2 CISSP CBK Reference (6th ed., pp. 21–47). Sybex, Wiley. Retrieved September 2024.
Francis, A. (2024, March 13). Best practices for digital transformation in government. New Charter Technologies. https://www.newchartertech.com/best-practices-for-digital-transformation-in-government/
Honeyman, P., & Provos, N. (2003). Hide and seek: An introduction to steganography | IEEE Journals & Magazine | IEEE Xplore. https://ieeexplore.ieee.org/document/1203220/
Kim, N. (2023). National ID for public purpose. The Georgetown Law Technology Review, 7(2), 273. https://link.gale.com/apps/doc/A761573345/GPS?u=lincclin_pbcc&sid=bookmark-GPS&xid=56af2263
Kuperberg, M., Kemper, S., & Durak, C. (1970, January 1). Blockchain usage for government-issued electronic ids: A survey. SpringerLink. https://link.springer.com/chapter/10.1007/978-3-030-20948-3_14
MacDonnell, U. N. (2014). Cyber threat!: How to manage the growing risk of cyber attacks (Wiley Corporate F&A): Ulsch, N. MacDonnell: 9781118836354: Amazon.com: Books. https://www.amazon.com/Cyber-Threat-Growing-Attacks-Corporate/dp/1118836359
NIST SP 800-63 Digital Identity guidelines. NIST SP 800-63. (n.d.). https://pages.nist.gov/800-63-3/
Preston, B. (2015, January). Getting carded: the feds want to replace your driver’s license with a national id card. Car and Driver, 60(7), 20. Retrieved September 23, 2024, from https://link.gale.com/apps/doc/A515795942/GPS?u=lincclin_pbcc&sid=bookmark-GPS&xid=76d57224
Principles of Information Security, 6th Edition - Cengage. (n.d.). https://www.cengage.com/c/principles-of-information-security-6e-whitman/9781337102063PF/
Public record requests. Constitutional Tax Collector. (2020, June 9). https://www.pbctax.com/public-record-requests/
Rahman, Z. (2020, February 4). We know what’s wrong with digital identification. here’s what works. The Correspondent. https://thecorrespondent.com/268/we-know-whats-wrong-with-digital-identification-heres-what-works
Real ID: Homeland security. U.S. Department of Homeland Security. (n.d.). https://www.dhs.gov/real-id
Rylander, J. (2024, April 1). The pitfalls and challenges of Digital Transformation in the United States Government. PA TIMES Online. https://patimes.org/the-pitfalls-and-challenges-of-digital-transformation-in-the-united-states-government/
Transportation. National Conference of State Legislatures. (n.d.). https://www.ncsl.org/transportation/real-id-2023
U.S. Department of State. (n.d.). U.S. Department of State. https://www.state.gov/digital-government-strategy/
Wayan.vota. (2024, March 29). 10 examples of successful African e-government digital services. ICTworks. https://www.ictworks.org/examples-african-e-government-digital-services/