By Omar Rafik, SolarWinds Senior Manager, Federal Sales Engineering
Here’s an interesting blog that reviews the fundamental steps every federal IT pro should take to create a strong security foundation. I agree with the author that an overarching plan that encompasses multiple layers of security can serve as the most effective strategy.
The Five Fundamentals
1. Create an information security framework
A security framework is essentially your security blueprint. It encompasses a series of well-documented policies, guidelines, processes, and procedures about how best to implement and manage ongoing security within your agency.
There are several established security frameworks, but the U.S. government usually follows the guidelines set forth by the National Institute of Standards and Technology (NIST). Specifically, agencies use the National Institute of Standards and Technology SP 800-53 to comply with the Federal Information Processing Standard’s (FIPS) 200 requirements.
Use NIST guidelines to establish a security framework that assists with successfully detecting and responding to incidents in a quick and efficient manner.
2. Develop a consistent training program
Just as important, end users must understand the importance of practicing good cybersecurity hygiene—and the ramifications of poor security practices.
Regular, consistent training across the agency is key.
Train your team to understand how to recognize potential vulnerabilities quickly, and how to find the gems of important information within a sea of security-related alerts and alarms. Train end users on topics like creating strong passwords, identifying phishing emails and other social engineering attacks, and what information can and cannot leave the agency.
3. Outline policies and procedures
Creating the security framework is one thing; ensuring that everyone understands the policies and procedures associated with that framework is as important as the framework itself.
Sharing this information with all staff, security teams, and end users is often best done upon hiring. Outline policies and expectations clearly from the start to avoid any misunderstandings.
4. Monitor and maintain IT systems
Part of good security hygiene is making sure you’re up-to-date on all hardware and software updates and patches. New malware is introduced every day; ensuring all your systems are up to date should be your baseline.
Another form of important maintenance is to have a strong backup system in place. If a breach occurs and data is compromised, a good backup system will support minimal data and productivity loss.
Finally, even if all end users are up to date on security training, there is always the possibility they will violate security policy. Federal IT security pros must be able to monitor end user activity to mitigate this risk and catch policy violations before they become breaches.
5. Stay current with government mandates and regulations
Some of the most common are the Federal Information Security Management Act (FISMA) of 2002, Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS) for agencies that deal with any kind of credit card transaction, and NIST regulations.
As the basics fall into place, expect more layers to become necessary to shore up your federal cybersecurity strategy plan. Adding layers like perimeter defense, device failure, and enhanced monitoring for insider threats can help enhance a stable foundation, and result in a safer and more secure agency.
Find the full article on Government Technology Insider.
The SolarWinds trademarks, service marks, and logos are the exclusive property of SolarWinds Worldwide, LLC or its affiliates. All other trademarks are the property of their respective owners.