11.1 Introduction

This chapter, perhaps more than any other, is directed especially toward the top elected and appointed officials in local governments, although it will also be valuable to all staff regardless of pay grade or position. The chapter presents and provides brief answers to a number of questions that top local government officials should ask themselves and their cybersecurity teams. Asking should not be a simple one-off action, but rather an ongoing process. It is not sufficient, for example, for officials to ask the cybersecurity team what IT assets are being protected (Section 11.2) only once, because the number and types of assets change over time. Likewise, it is not sufficient to ask only once about the principal cyberthreats the local government is facing (Section 11.3) because the nature and severity of those threats change over time, just as does the underlying technology.

However, local officials need not pester cybersecurity staff with relentless and unnecessary questioning (after all, these staff members have important work to do!) Ideally, top officials should require regularly scheduled briefings by their governments’ cybersecurity leadership to ensure that these and presumably other questions are asked and answered.

The questions discussed in this chapter are based upon industry experience, best practices, and recent academic research regarding local government cybersecurity. Presented in no particular order, they are ...