
What Every Government IT Professional Should Know: 5 Cybersecurity Basics

Level 13

By Omar Rafik, SolarWinds Senior Manager, Federal Sales Engineering

Here’s an interesting blog that reviews the fundamental steps every federal IT pro should take to create a strong security foundation. I agree with the author that an overarching plan that encompasses multiple layers of security can serve as the most effective strategy.

The Five Fundamentals

1. Create an information security framework

A security framework is essentially your security blueprint. It encompasses a series of well-documented policies, guidelines, processes, and procedures about how best to implement and manage ongoing security within your agency.

There are several established security frameworks, but U.S. federal agencies generally follow the guidance published by the National Institute of Standards and Technology (NIST). Specifically, agencies select and implement the security controls catalogued in NIST SP 800-53 to meet the minimum security requirements set by Federal Information Processing Standard (FIPS) 200.

Use the NIST guidance to build a framework that covers the whole lifecycle: choosing and implementing controls, and detecting and responding to incidents quickly and efficiently.

2. Develop a consistent training program

Just as important as the framework itself, end users must understand why good cybersecurity hygiene matters and what the ramifications of poor security practices are.

Regular, consistent training across the agency is key.

Train your security team to recognize potential vulnerabilities quickly and to pick out the few alerts that matter from the flood of security-related alerts and alarms. Train end users on topics like creating strong passwords, identifying phishing emails and other social engineering attacks, and what information can and cannot leave the agency.

3. Outline policies and procedures

Creating the security framework is one thing; ensuring that everyone understands the policies and procedures associated with that framework is as important as the framework itself.

Sharing this information with all staff, security teams, and end users is often best done at hiring, and repeated whenever the policies change. Outline policies and expectations clearly from the start to avoid any misunderstandings.

4. Monitor and maintain IT systems

Part of good security hygiene is keeping all hardware and software current with vendor updates and patches. New malware appears every day, and much of it exploits vulnerabilities for which a fix already exists; keeping every system up to date should be your baseline.

Another important form of maintenance is a strong backup system. If a breach occurs and data is compromised, backups that are tested regularly, with at least one copy kept isolated from the production network, keep data and productivity loss to a minimum.

Finally, even when every end user is current on security training, someone will eventually violate security policy. Federal IT security pros must be able to monitor end-user activity to mitigate this risk and catch policy violations before they become breaches.
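As an added illustration of two of the checks this section describes, the script below (not from the original post or from SolarWinds) runs a patch-currency check over a constructed host inventory and a small policy-violation detector over constructed audit log lines. The host names, the pipe-delimited log format, the "cui" data label, the internal domain list and the three policy rules are all assumptions made for the example; a real deployment would feed it the agency's own inventory and audit feeds.

```python
"""Added example: patch-staleness and end-user policy checks over constructed data.

Nothing here comes from the original post; the log format, labels, domains
and rules are assumptions chosen to illustrate the checks.
"""
from datetime import date, datetime

# Constructed inventory: hostname -> date the host last received updates.
INVENTORY = {
    "ws-finance-01": date(2019, 6, 3),
    "ws-finance-02": date(2019, 4, 12),
    "srv-files-01": date(2019, 2, 20),
}


def stale_hosts(inventory, today, max_age_days=30):
    """Return hosts whose last patch date is older than the allowed window."""
    return sorted(
        host for host, last in inventory.items()
        if (today - last).days > max_age_days
    )


# Constructed audit log in an assumed "timestamp|user|event|detail" format,
# where detail is a ';'-separated list of key=value pairs.
AUDIT_LOG = """\
2019-06-10T09:14:02|jdoe|email_sent|to=partner@agency.example;attach=budget.xlsx;label=internal
2019-06-10T09:20:45|jdoe|email_sent|to=jdoe@mailbox.example;attach=roster.csv;label=cui
2019-06-10T23:41:10|asmith|login|src=203.0.113.7
2019-06-10T10:05:33|asmith|usb_mount|device=USB2.0 Flash
2019-06-10T11:12:00|bwong|email_sent|to=bwong@agency.example;attach=notes.txt;label=cui
"""

# Assumed set of domains considered inside the agency.
INTERNAL_DOMAINS = {"agency.example"}


def parse_detail(detail):
    """Turn 'k1=v1;k2=v2' into a dict, ignoring malformed pairs."""
    return dict(kv.split("=", 1) for kv in detail.split(";") if "=" in kv)


def policy_violations(log_text, internal_domains, business_hours=(7, 19)):
    """Apply three assumed policy rules and return (user, reason, timestamp) findings.

    1. Data labelled 'cui' may only be emailed to internal domains.
    2. Interactive logins are expected during business hours only.
    3. Removable media is not permitted on agency endpoints.
    """
    findings = []
    for line in log_text.splitlines():
        ts, user, event, detail = line.split("|", 3)
        hour = datetime.fromisoformat(ts).hour
        fields = parse_detail(detail)
        if event == "email_sent":
            recipient_domain = fields.get("to", "").rsplit("@", 1)[-1]
            if fields.get("label") == "cui" and recipient_domain not in internal_domains:
                findings.append((user, "labelled data sent to external domain", ts))
        elif event == "login" and not (business_hours[0] <= hour < business_hours[1]):
            findings.append((user, "login outside business hours", ts))
        elif event == "usb_mount":
            findings.append((user, "removable media attached", ts))
    return findings


if __name__ == "__main__":
    for host in stale_hosts(INVENTORY, date(2019, 6, 10)):
        print(f"PATCH: {host} is beyond the 30-day window")
    for user, reason, ts in policy_violations(AUDIT_LOG, INTERNAL_DOMAINS):
        print(f"POLICY: {ts} {user}: {reason}")
```

The point of the rules is that each one is a written policy expectation turned into a mechanical check, so a violation is caught from the audit trail rather than discovered after the fact; in practice the rules would be tuned to the agency's own policy and fed from its log collector.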

5. Stay current with government mandates and regulations

Some of the most common mandates are the Federal Information Security Management Act (FISMA) of 2002, updated by the Federal Information Security Modernization Act of 2014; the Health Insurance Portability and Accountability Act (HIPAA) for agencies that handle protected health information; the Payment Card Industry Data Security Standard (PCI DSS) for agencies that process any kind of credit card transaction; and the NIST standards and guidelines that FISMA requires agencies to follow.

Conclusion

As the basics fall into place, expect more layers to become necessary to shore up your federal cybersecurity strategy. Adding layers like perimeter defense, resilience against device failure, and enhanced monitoring for insider threats builds on a stable foundation and results in a safer and more secure agency.

Find the full article on Government Technology Insider.


8 Comments
Level 14

Good base plan.  Thanks for the article.

Level 13

So true.  So easy to get caught up in all the detail you lose focus on the fundamentals.  Thanks for sharing.

Level 20

For us today it's all about RMF - Risk Management Framework.

[attached image: rmf_dodit-e1395181938972.png]

I agree with this 100%, and if it were possible I'd require even more attention to be focused on training and providing budget to ensure all employees have the necessary knowledge  and tools and training to help the endeavor to succeed in a more timely fashion.

Level 13

Thanks, good article.

Level 14

We have ISO 27001. It's still very difficult to get users to think. We have just had someone ask if we can receive credit card details by fax.

Yes I know there are secure fax to e-mail systems but that's not what they wanted.  They wanted us to provide a fax machine at this end too.

Level 15

Great article. I too agree with this 100%. With regards to the framework, this takes the most time but the end result is consistency. I have found in so many environments that they "think" they need security and "know" that it is important but they don't take the time to actually develop and embrace the framework. And as rschroeder states, train, train, and train some more.

Thanks!

Level 12

Very interesting and good article.