Protecting electronic data from unauthorized access or use is vital, especially for federal IT professionals. They know that practicing good information security (InfoSec) is a must, but among the many dynamic responsibilities IT teams handle on a daily basis, instilling InfoSec habits into an IT culture is much easier said than done.
Luckily, there are steps federal administrators can take to embed good InfoSec practices within their operations.
Build Security into the Community
For many organizations, mentions of security are limited to trainings and orientations. Security only becomes top of mind after a breach occurs.
To ensure that agency teams have security on the brain before things go awry, administrators should consider embedding security practices and conversations about good security habits within the daily office environment. For example, gamifying security training by using fun and engaging activities to convey an agency’s position on the importance of constant vigilance can help create a lasting, effective, and deep-seated security culture.
Implementing an approach styled after a Secure Development Lifecycle (SDL) is also important. An SDL consists of the security processes and activities an organization performs for every software release. SDLs are becoming widespread across industries, and Microsoft® has released its own SDL for others to use as an example. While SDLs were conceived for development, their principles can and should be applied across the agency. By agreeing upon standard security practices for any processes that involve sensitive data, you can instill InfoSec into all facets of the agency.
Implement Strong IT Controls
According to respondents to a recent Federal Cybersecurity Survey, agencies with evidence of strong IT controls are more likely to possess the hallmarks of strong InfoSec environments. They experience fewer threats and are able to respond more quickly to those that do occur. They also enjoy more positive results when implementing IT modernization initiatives, and are ready to comply with regulations such as HIPAA and FISMA. These agencies use a myriad of controls for configuration and patch management, web application security, file integrity monitoring, and, of course, security itself.
IT controls consist of procedures or policies that help ensure that technologies are being used for their intended purposes in a reasonable manner. They are divided into general controls (ITGC) and application controls (ITAC). General controls are used for essential IT processes, such as risk management, change management, security, and disaster recovery. Application controls are automatic actions the software takes to help ensure that applications are used with authorization and are properly maintained, monitored, and audited.
Building strong IT controls requires a deep level of visibility into one’s IT infrastructure, which network and application performance monitoring tools provide. They continuously collect data on operations and alert IT administrators to anomalies, such as lags in performance or intrusion attempts, providing constant and valuable insight into network activities.
Invest in Physical Security
A solid InfoSec posture involves protecting agencies from insider threats just as much as it does fortifying against external hackers. Indeed, 54 percent of respondents to the cybersecurity survey cited careless or untrained insiders as their top threat, with 40 percent designating “malicious insiders” as a security concern. The reality is that a sizeable portion of security risk comes from inside the house.
To combat this, agency IT professionals should consider investing in physical security and surveillance technology and limiting access to data to authorized personnel. Monitoring and logging who accesses sensitive data and when that activity occurs can allow managers to trace breaches back to their sources and discourage malicious insiders. Video surveillance of areas like data centers can also dissuade potential breaches. Consider video analytics tools to help identify patterns and anomalous events, which can help identify the source of, or even prevent, potential breaches.
Consider Investing in Security Consultants
With so much at stake, it pays to have an experienced professional around whose primary goal is finding holes in an agency’s security. Outside security consultants can bring a fresh perspective to the status of an agency’s security posture, and are well versed in testing, reviewing, and consulting on potential security risks. They can work with in-house personnel to create tailor-made security plans.
Agencies cannot afford to take InfoSec lightly—not in today’s dynamic cyberthreat environment. Taking these steps can help government IT teams build a strong security culture. They can then support that culture through knowledge and insights gleaned from strong IT controls, physical security measures, and outside consultants. The result will be a strong InfoSec footing that can be used to curb even the most sophisticated threats before they take hold.