By Paul Parker, SolarWinds Federal & National Government Chief Technologist
Federal IT professionals know that practicing good information security (InfoSec) is a must, but instilling InfoSec habits into an IT culture is often easier said than done. Luckily, there are steps federal administrators can take to embed good InfoSec practices within their operations.
Build Security into the Community
Administrators should consider embedding security practices and conversations about good security habits within the daily office environment. For example, gamifying security training by using fun and engaging activities to convey an agency’s position on the importance of constant vigilance can help create a lasting, effective, and deep-seated security culture.
Implement Strong IT Controls
According to respondents to a recent Federal Cybersecurity Survey, agencies with evidence of strong IT controls are more likely to possess the hallmarks of strong InfoSec environments. They experience fewer threats and are able to respond more quickly to those that do occur. They also enjoy more positive results when implementing IT modernization initiatives, and are ready to comply with regulations, such as HIPAA and FISMA. These agencies are using a myriad of controls for configuration and patch management, web application security, file integrity monitoring, and, of course, security.
Building strong IT controls requires a deep level of visibility into one’s IT infrastructure, which network and application performance monitoring tools provide. They continuously collect data on operations and alert IT administrators to anomalies, such as lags in performance or intrusion attempts, providing constant and valuable insight into network activities.
Invest in Physical Security
A solid InfoSec posture involves protecting agencies from insider threats just as much as it does fortifying against external hackers. Indeed, 54 percent of respondents to the cybersecurity survey cited careless or untrained insiders as their top threats, with 40 percent designating “malicious insiders” as security concerns. The reality is that sizeable portions of security risks come from inside the house.
Monitoring and logging when someone accesses sensitive data can allow managers to trace breaches back to their sources and discourage malicious insiders. Additionally, video surveillance of areas like data centers can deter potential breaches. Consider video analytics tools to help identify patterns and anomalous events, which can help identify the source of, or even prevent, potential breaches.
Consider Investing in Security Consultants
With so much at stake, it pays to have an experienced professional around whose primary goal is finding holes in an agency’s security. Outside security consultants can bring a fresh perspective to the status of an agency’s security posture, and are well versed in testing, reviewing, and consulting on potential security risks. They can work with in-house personnel to create tailor-made security plans.
Agencies cannot afford to take InfoSec lightly. Taking these steps can help government IT teams build a strong security culture. They can then support that culture through knowledge and insights gleaned from strong IT controls, physical security measures, and outside consultants. The result will be a strong InfoSec footing that can be used to curb even the most sophisticated threats before they take hold.
Find the full article on Government Technology Insider.