It is a good time to remember that improving agency IT security should be yearlong endeavor. Before gearing up to move forward with implementing new fiscal year 2017 IT initiatives, it is a best practice to conduct a security audit to establish a baseline and serve as a comparison to start thinking about how the agency’s infrastructure and applications should change, and what impact that will have on IT security throughout the year.


Additionally, security strategies, plans and tactics must be established and shared so that IT security teams are on the same page for the defensive endeavor.


Unique Security Considerations for the Defense Department


Defense Department policy requires agencies follow NIST RMF to secure information technology that receives, processes, stores, displays, or transmits DOD information. I’m not going to detail the six-step process—suffice it to say, agencies must implement needed security controls, then assess whether they were implemented correctly and monitor effectiveness to improve security.


That brings us back to the security audit: A great way to assess and monitor security measures.


Improving Security is a Year-Round Endeavor


The DOD has a complex and evolving infrastructure that can make it tricky to detect abnormal activities and ensure something isn’t a threat, while also not prohibiting legitimate traffic. Tools such as security information and event management platforms automate some of the monitoring to lessen the burden.


The tools should automate the collection of data and analyze it for compliance, long after audits have been completed.


It should also be easy to demonstrate compliance using automated tools. Automated tools should help to quickly prove compliance, and if the tools come with DISA STIGs and NIST FISMA compliance reports, that’s another huge time-saver.


Performance monitoring tools also improve security posture by identifying potential threats based on anomalies. Network, application, firewall and systems performance management and monitoring tools with algorithms that highlight potential threats effectively ensure compliance and security on an ongoing basis.


Five additional best practices help ensure compliance and overall secure infrastructure throughout the year:


  • Remove the need to be personally identifiable information (PII) compliant, unless it’s absolutely critical. For example, don’t store stakeholder PII unless required by agencies processes. Not storing the data mitigates responsibility risks for securing it.


  • Remove stored sensitive information that isn’t needed. Understand precisely what and how data is stored and ensure what is kept is encrypted, making it useless to attackers.


  • Improve network segmentation. Splitting the network into discrete “zones” boosts performance and improves security, a win-win. The more a network is segmented, the easier it will be to improve compliance and security.


  • Eliminate passwords. Think about all the systems and applications that fall within an audit zone, and double check proper password use. Better yet, eliminate passwords and implement smart cards, recognized as an industry best practice.


  • Build a relationship with the audit team. A close relationship with the audit team ensures they can be relied upon for best practices and other recommendations.


  Find the full article on Signal.