Citizens Property Insurance Corporation Adopts the CIS Controls

The Florida Legislature created Citizens Property Insurance Corporation (Citizens) in August 2002 as a not-for-profit, tax-exempt, government entity. Its mission is to provide insurance protection to Florida policyholders who are entitled to but are unable to find property insurance coverage in the private market. Mitchell Brockbank is the Director of the IT Risk and Security Team at Citizens.

Adopting the CIS Controls

When asked why he selected the CIS Controls, he stated, “Florida is following the NIST Cyber Security Framework as the basic framework for Information Security. The CIS Controls are known set of best practices. As a non-profit organization, we are trying to balance what the government and private industry are doing. In rewriting our policies and procedures, we decided to build in the CIS Controls into our standards.”

After looking at the 20 CIS Controls in early 2016, they performed a high-level review with the IT Senior Leadership Team to identify which CIS Controls were appropriate for Citizens’ environment and to what level.

“In rewriting our policies and procedures, we decided to build in the CIS Controls into our standards.”
– Mitchell Brockbank, Director, IT Risk and Security Team Citizens Property Insurance Corporation

Gap Analysis

Mr. Brockbank stated, “Now we are going to do a gap analysis to define where we are to help us identify the work effort that we will need and how to get us to where we want to be.” Citizens has developed a multi-year IT security strategic plan that includes the new standards with the CIS Controls to identify the gaps, identify the work effort needed to close the gaps, and the plan to close the gaps within this strategy. His team is building out the artifacts they will be using to document the gaps and the progress that they expect going forward.

Barriers and Benefits

As with any security program, it is common to hit a barrier when introducing new ideas that often leads to changes in policies and processes. When asked about barriers and benefits, he stated, “The initial concerns are: what is the work effort going to be, how much is it going to cost, and what do we focus on first? There are concerns you would expect. There will be areas where there are no gaps that we can say to leadership we are already implementing and maintaining the CIS Controls.” Their plan is to engage with the owners of the CIS Control(s) responsible for implementing and maintaining them, identify and document what stage they are in, document gaps or no gaps, and then prioritize and implement the work. To balance out the work effort needed, they will determine the highest priority based on either the perceived or the identified level of risk of not having the control in place. If there are quick wins available for implementation, they may consider moving those up but be mindful of helping balance out the risk exposure for not having the CIS Controls fully implemented.

Tools and Risk Assessment

Citizens uses a number of automated tools. They also have a risk assessment process that can be very detailed at the highest level or a quick analysis of a risk. Mr. Brockbank explained that it is not too much effort to qualify a risk against the CIS Controls, as they are a best practice.

About Mitchell Brockbank

Mitchell Brockbank is Director of IT Risk and Security in the Jacksonville, FL area with over 15 years of experience in Information Technology. His certifications include CISSP, CISA, CCM, and CISM. He received his education from Southwestern College and Excelsior College.