We all understand the criticality of cybersecurity. What is not well understood, however, is how to create and implement a successful cybersecurity strategy that aims to provide a sound security posture for your agency.
Guidance for federal IT security pros is available, such as the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) Training Program, which provides information on security automation. While many federal IT pros currently have a cadre of tools to perform various security functions, neither tools nor automation alone will provide complete protection for your agency.
There are fundamental steps every federal IT pro should take—before diving into any implementation—to create a strong security foundation. An overarching plan that encompasses multiple layers of security is the most effective strategy.
The Five Fundamentals
1. Create an information security framework
You wouldn’t build a house without a blueprint; the same concept applies when building a security strategy. A security framework is essentially your security blueprint. It encompasses a series of well-documented policies, guidelines, processes, and procedures about how best to implement and manage ongoing security within your agency.
There are several established security frameworks, but the U.S. government usually follows the guidelines set forth by the National Institute of Standards and Technology (NIST). Specifically, agencies use NIST SP 800-53 to meet the requirements of Federal Information Processing Standard (FIPS) 200.
Use the NIST guidelines to establish a security framework that helps you detect and respond to incidents quickly and efficiently.
2. Develop a consistent training program
The best framework in the world will not be effective if the team does not know what it entails and how best to implement it. Just as important, end-users must understand the importance of practicing good cybersecurity hygiene—and the ramifications of poor security practices.
Regular, consistent training across the agency body is key.
Train your team to understand how to recognize potential vulnerabilities quickly, and how to find the gems of important information within a sea of security-related alerts and alarms. Train developers on secure coding methodologies. And, train end-users on topics like creating strong passwords, identifying phishing emails and other social-engineering attacks, and what information can and cannot leave the confines of the agency.
3. Outline policies and procedures
Creating the security framework is one thing; ensuring that everyone understands the policies and procedures associated with that framework—or, ensuring that the building crew understands the blueprint—is as important as the framework itself.
Sharing this information with all staff, security teams, and end-users alike, is often best done upon hiring. Outline policies and expectations clearly from the start to avoid any misunderstandings.
4. Monitor and maintain IT systems
Day-to-day security monitoring and maintenance is the key to successful risk and vulnerability mitigation.
Part of having good security hygiene is making sure you’re up to date on all hardware and software updates and patches. New malware is introduced every day; ensuring all your systems are up to date should be your baseline.
Another important form of maintenance is having a strong backup system in place. If a breach occurs and data is compromised, a good backup system keeps data and productivity loss to a minimum.
Finally, even if all end-users are up to date on security training, there is always the possibility they will—knowingly or unknowingly—violate security policy. Federal IT security pros must be able to monitor end-user activity to mitigate this risk and catch policy violations before they become breaches.
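The three maintenance activities above (patch currency, backup freshness, and watching for end-user policy violations) can be checked every day with a small script. The following is an added example, not code from the original article; the inventory, baseline versions, backup timestamps, audit events and the "controlled" data label are all constructed for illustration, and the hypothetical rule is that controlled data may not leave the agency via removable media or an external address.

```python
"""Daily hygiene check over constructed sample data: out-of-date hosts,
stale backups, and end-user actions that violate a data-handling policy."""
from datetime import datetime, timedelta, timezone

# Hypothetical baseline: minimum approved version of each tracked package.
PATCH_BASELINE = {"openssl": (3, 0, 13), "kernel": (5, 15, 150), "browser": (120, 0, 0)}

# Constructed inventory: host -> versions reported by its agent (not real systems).
INVENTORY = {
    "web-01": {"openssl": "3.0.13", "kernel": "5.15.150", "browser": "121.0.1"},
    "web-02": {"openssl": "3.0.9", "kernel": "5.15.150", "browser": "120.0.0"},
    "wks-17": {"openssl": "3.0.13", "kernel": "5.15.120"},  # browser not reported
}

# Constructed backup history: system -> time of last successful backup.
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
LAST_BACKUP = {
    "web-01": NOW - timedelta(hours=6),
    "web-02": NOW - timedelta(hours=30),
    "db-01": NOW - timedelta(days=2),
}

# Constructed audit events: what each user did with a labelled file and where it went.
INTERNAL_DOMAINS = ["agency.example"]
AUDIT_EVENTS = [
    {"user": "alice", "action": "email", "label": "public", "dest": "bob@agency.example"},
    {"user": "bob", "action": "email", "label": "controlled", "dest": "partner@external.example"},
    {"user": "carol", "action": "copy", "label": "controlled", "dest": "usb:E:"},
    {"user": "dave", "action": "copy", "label": "controlled", "dest": "smb://fileshare.agency.example/share"},
    {"user": "erin", "action": "email", "label": "controlled", "dest": "erin@agency.example"},
]


def parse_version(text):
    """Turn '3.0.13' into (3, 0, 13) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def out_of_date_hosts(inventory, baseline):
    """Return (host, package, installed) for every package below baseline.

    A package missing from a host's report is flagged too: an agent that
    stops reporting is itself a maintenance gap, not evidence of compliance.
    """
    findings = []
    for host, packages in sorted(inventory.items()):
        for pkg, minimum in baseline.items():
            installed = packages.get(pkg)
            if installed is None:
                findings.append((host, pkg, "not reported"))
            elif parse_version(installed) < minimum:
                findings.append((host, pkg, installed))
    return findings


def stale_backups(last_success, now, max_age=timedelta(hours=24)):
    """Return systems whose most recent successful backup is older than max_age."""
    return sorted(name for name, when in last_success.items() if now - when > max_age)


def destination_is_external(dest, internal_domains):
    """Removable media is always external; otherwise compare the target domain."""
    if dest.startswith("usb:"):
        return True
    if "@" in dest:
        target = dest.split("@", 1)[1]
    else:
        target = dest.split("://", 1)[-1].split("/", 1)[0]
    return not any(target == d or target.endswith("." + d) for d in internal_domains)


def policy_violations(events, internal_domains):
    """Return (user, action, dest) for controlled data sent to an external destination."""
    return [
        (e["user"], e["action"], e["dest"])
        for e in events
        if e["label"] == "controlled" and destination_is_external(e["dest"], internal_domains)
    ]


if __name__ == "__main__":
    for host, pkg, installed in out_of_date_hosts(INVENTORY, PATCH_BASELINE):
        print(f"PATCH   {host}: {pkg} is {installed}")
    for system in stale_backups(LAST_BACKUP, NOW):
        print(f"BACKUP  {system}: last success older than 24h")
    for user, action, dest in policy_violations(AUDIT_EVENTS, INTERNAL_DOMAINS):
        print(f"POLICY  {user}: {action} of controlled data to {dest}")
```

Each check returns a list rather than just printing, so the same functions can feed a ticketing system or a dashboard; the unreported package on `wks-17` shows why a missing data point should be treated as a finding rather than silently skipped.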
5. Stay current with government mandates and regulations
Every federal IT pro understands the importance of complying with the federal mandates required by law. Some of the most common are the Federal Information Security Management Act (FISMA) of 2002, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) for agencies that handle any kind of credit card transaction, and NIST regulations.
Meeting these regulations is not only required, but will go a long way toward enhancing your overall security posture.
Conclusion
The above five fundamentals are just a start. As the basics fall into place, expect more layers to become necessary to shore up your cybersecurity strategy and build your strongest possible posture. Adding layers like perimeter defense, device-failure and power-outage monitoring, and enhanced monitoring for insider threats builds on a stable foundation and results in a safer, more secure agency.