All too often, federal IT personnel misconstrue software as being able to make their agency compliant with various regulations. It can’t – at least not by itself.
Certainly, software can help you achieve compliance, but it should only be viewed as a component of your efforts. True and complete compliance involves defining, implementing, monitoring, and auditing processes so that they adhere to the parameters that have been set forth within the regulations. First and foremost, compliance requires strategic planning, which depends on people and management skills. Software complements this by being a means to an end.
To illustrate, let’s examine some regulatory examples:
- Federal Information Security Management Act (FISMA): FISMA’s requirements call for agencies to deploy multifaceted security approaches to ensure information is kept safe from unauthorized access, use, disclosure, disruption, modification, and destruction. Daily oversight can be supported by software that allows teams to be quickly alerted to potentially dangerous errors and events.
- Federal Risk and Authorization Management Program (FedRAMP): FedRAMP may be primarily focused on cloud service providers, but agencies have a role to ensure their providers are FedRAMP compliant, and to continually “assess, authorize and continuously monitor security controls that are the responsibility of the agency”. As such, FedRAMP calls for a combination of hands-on processes and technology.
- Health Insurance Portability and Accountability Act (HIPAA): The response to HIPAA has typically centered on the use of electronic health records, but the Act requires blanket coverage that goes well beyond technology use. As such, healthcare workers need to be conscious of how patient information is shared and displayed.
- Defense Information Systems Agency Security Technical Implementation Guides (STIGs): The STIGs provide guidelines for locking down potentially vulnerable information systems and software. They are updated as new threats arise. It’s up to federal IT managers to closely follow the STIGs to ensure the software they’re using is not only secure, but working to protect their systems.
Particular types of software can significantly augment the people and processes that support your compliance efforts, so take a closer look at the following tools:
- Event and Information Management tracks events as they occur on your network and automatically alerts you to suspicious or problematic activity. This type of software uses intelligent analysis to identify events that are inconsistent with predetermined compliant behaviors, and is intelligent enough to issue alerts before violations occur.
- Configuration Management allows for the configuration and standardization of routers, firewalls, and switches to ensure compliance. This type of software can also be useful in identifying potential issues that might adversely affect compliance before they come to pass.
- Patch Management is critical for closing known vulnerabilities before they can be exploited. It can be very handy in helping your organization maintain compliance with regard to security and in ensuring that all operating systems and applications are updated.
Each of the aforementioned types of software can form a collective safety net for FISMA compliance and serve as a critical component of a security plan, but they can’t be the only component if you’re to achieve your compliance goals. As the old saying goes, the rest is up to you.
Find the full article on our partner DLT’s blog, TechnicallySpeaking.