For federal agencies, the crux of an effective cyber security strategy is both obvious and challenging: a valid, enforceable security policy. But what does that kind of strategy look like, and how do you achieve it?
A meaningful, successful security policy accomplishes several things, including (but certainly not limited to):
- Providing a core list of enforceable requirements to proactively protect your network.
- Establishing robust processes and strategies for addressing potential security events.
- Enabling constant assessment of your security systems, not only to monitor for risks or vulnerabilities, but to ensure that federal regulations are being met.
Whether you’re starting from scratch or you already have a strategy in place and simply want to refine it, there are a few critical issues that every IT decision maker needs to address. Here are four essential matters that every agency should understand when creating or updating IT security plans and technology.
ONE: Regulations—and how to meet them
Governing the federal IT space are strict sets of regulations and best practices that vary in scope and strength. Understand your regulatory landscape, including what you can and cannot do.
For example, the National Institute of Standards and Technology’s “Generally Accepted Principles and Practices for Securing Information Technology Systems” has specific guidelines about passwords and system owner responsibilities, but it’s neither compulsory nor consistently enforced.
On the other hand, the Department of Defense (DoD) is governed by Security Technical Implementation Guides (STIGs) that include specific compliance criteria that DoD agencies must follow. The STIGs enforce best practices such as firewalls on perimeters and scanning BYOD devices before introducing them to the network. Agencies that do not adhere to STIGs can have their authority to operate revoked.
TWO: Multiple layers of protection
The old security adage of defense in depth still rings true. At minimum, every federal agency should develop an IT policy with multiple layers of IT security and with a focus on protecting both the end-user and the agency’s critical assets.
Layer your defenses so that if one fails, another fills the gap. This means, for example, not only having a firewall at the network’s edge, but protections within your network too.
THREE: Multiple security strategies
Cover all your bases. Investing in an intrusion detection system so that you can record brute-force network breaches is critical. But don’t stop there—make sure you’re covering multiple endpoints by investing in web and mail security filters, along with specific data center protections.
FOUR: Traffic management and monitoring
It’s important that federal agencies stay aware of what data travels in and out of their networks. Equally important is where the data goes once it’s inside.
New technologies such as StealthWatch achieve this. The insight they provide allows you to develop additional security solutions, including trend analysis and anomaly detection.
Cybersecurity is an evolving game, and, as such, the security technologies constantly change. The main principles, however, remain the same. You need to be aware of what goes on inside your network, what goes on in Washington and which layers of protection you need to keep the bad guys at bay.