
Success Story: Government of Bermuda

Government of Bermuda
Credit: Government of Bermuda

NIST’s Cybersecurity Framework has provided us with a comprehensive roadmap to ensure effective cybersecurity practices are implemented across Government.

- Hon. Wayne M. Caines, JP, MP, Minister of National Security


Benefits Received from Implementing the Framework:

  • Alignment of information systems with business security needs across ministries and departments.
  • Identification of information gaps and security control deficiencies to focus on specific areas for improvement.
  • Identification of relevant guidance in each area of program development.
  • Support of informed governance and management at the department, executive and Cabinet levels.

Situation

  • Difficult to consistently manage cybersecurity risk across all Government ministries and departments.
  • Information systems environment contained centralized and decentralized components.
  • Security requirements were inconsistently established on a system-by-system basis.
  • Personal Information Protection Act 2016 established penalties including fines and potential imprisonment if reasonable security measures are not implemented to protect sensitive personal information.

Drivers

  • Government’s increasing dependence on Information and Communication Technology (ICT) to process sensitive information and provide critical services.
  • Cybersecurity seen as an important component to economic resilience for the island.
  • Cybersecurity leadership needed for Government and Critical National Infrastructure entities within the jurisdiction.
  • Recognition of the need for information systems and security governance was met with the political will to initiate programs.
  • High-profile Fintech Initiatives were launched.
  • The cyberthreat environment intensified.
  • Island needed to increase cyber awareness internally and in the wider community.
  • Continuous investment was needed by all stakeholders in order to enhance their collective ability to protect their systems and data.

Process

  • Cabinet Cybersecurity Committee established to provide oversight of the Information Systems Risk Management Programme development and administration.
  • Self-assessment performed using the NIST Cybersecurity Framework to identify gaps in information, control deficiencies and areas of high risk.
  • Asset identification, valuation and categorization performed by each department to reduce information gaps identified during the initial self-assessment.
  • Control deficiencies and risk ratings identified and used to create a prioritized action plan.
  • Results of the self-assessment garnered Cabinet support for remediation initiatives.
  • Informative references used to provide guidance in areas such as policy development and implementation steps.
  • Regular reporting of security posture to Cabinet using the Cybersecurity Framework as a dashboard.
  • Strategic partnerships with public and private entities were formed to develop the jurisdictional Cybersecurity Strategy.

Results and Impacts

  • Consistent standardized approach to address business security across all ministries and departments.
  • Addressing complex cybersecurity risks across the organization is more manageable.
  • Security activities more closely aligned with business needs.
  • Information System Risk Management Committee established to ensure program, policies and standards were developed in a collaborative manner focused on stakeholder needs.
  • Development of policies and processes that enable the risk management program.
  • Close integration with records management and privacy policies and processes.
  • Implementation of regular training for staff and information security professionals.

What’s Next

  • Dashboard for system owners and authorizing officials.
  • Integration of quantitative methods into the risk assessment processes.
  • Closer work with Government’s Internal Audit Department.
  • Work with the Disaster Risk Reduction and Mitigation Unit on jurisdiction-wide cybersecurity response.
  • Enhancement of educational programs to encourage further integration of computer science in curricula and to provide further professional development opportunities for information security professionals.

Contact Information & Resources

Government of Bermuda Website:
https://www.gov.bm/

Bermuda contact: sidaniels [at] gov.bm


Created June 1, 2020, Updated June 29, 2020