Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Success Story: Government of Bermuda

Government of Bermuda
Credit: Government of Bermuda

NIST’s Cybersecurity Framework has provided us with a comprehensive roadmap to ensure effective cybersecurity practices are implemented across Government.

- Hon. Wayne M. Caines, JP, MP., Minister of National Security


Benefits Received from Implementing the Framework:

  • Alignment of information systems with business security needs across ministries and departments.
  • Identification of information gaps and security controls deficiencies to focus on specific areas for improvement.
  • Identification of relevant guidance in each area of program development.
  • Support of informed governance and management at the department, executive and Cabinet levels.

Situation

  • Difficult to consistently manage cybersecurity risk across all Government ministries and departments.
  • Information systems environment contained centralized and decentralized components.
  • Security requirements were inconsistently established on a system-by-system basis.
  • Personal Information Protection Act 2016 established penalties including fines and potential imprisonment if reasonable security measures are not implemented to protect sensitive personal information.

Drivers

  • Government’s increasing dependence on Information and Communication Technology (ICT) to process sensitive information and provide critical services.
  • Cybersecurity seen as an important component to economic resilience for the island.
  • Cybersecurity leadership needed for Government and Critical National Infrastructure entities within the jurisdiction.
  • Recognition of the need for information systems and security governance was met with the political will to initiate programs.
  • High-profile Fintech Initiatives were launched.
  • The cyberthreat environment intensified.
  • Island needed to increase cyber awareness internally and in the wider community.
  • Continuous investment was needed by all stakeholders in order to enhance their collective ability to protect their systems and data.

Process

  • Cabinet Cybersecurity Committee established to provide oversight of the Information Systems Risk Management Programme development and administration.
  • Self-assessment performed using the NIST Cybersecurity Framework to identify gaps in information, control deficiencies and areas of high risk.
  • Asset identification, valuation and categorization performed by each department to reduce information gaps identified during the initial self-assessment.
  • Control deficiencies and risk ratings identified and used to create prioritized action plan.
  • Results of the self-assessment garnered Cabinet support for remediation initiatives.
  • Informative references used to provide guidance in areas such as policy development and implementation steps.
  • Regular reporting of security posture to Cabinet using the Cybersecurity Framework as a dashboard.
  • Strategic partnerships with public and private entities were formed to develop the jurisdictional Cybersecurity Strategy.

Results and Impacts

  • Consistent standardized approach to address business security across all ministries and departments.
  • Addressing complex cybersecurity risks across organization more manageable.
  • Security activities more closely aligned with business needs.
  • Information System Risk Management Committee established to ensure program, policies and standards were developed in a collaborative manner focused on stakeholder needs.
  • Development of policies and processes that enable the risk management program.
  • Close integration with records management and privacy policies and processes.
  • Implementation of regular training for staff and information security professionals.
Building in Bermuda

What’s Next

  • Dashboard for system owners and authorizing officials.
  • Integration of quantitative methods into the risk assessment processes.
  • Closer work with Government’s Internal Audit Department.
  • Work with the Disaster Risk Reduction and Mitigation Unit on jurisdiction-wide cybersecurity response.
  • Enhancement of educational programs to encourage further integration of computer science in curricula and to provide further professional development opportunities for information security professionals.

Contact Information & Resources

Government of Bermuda Website:
https://www.gov.bm/

Bermuda contact: sidaniels@gov.bm

Here is the downloadable version of this Success Story.

Government Of Bermuda
Credit: Government Of Bermuda
Created June 1, 2020, Updated June 29, 2020