
    SPECIAL REPORT: Security Directives & Compliance


    Tips to Aid IT Security and Compliance

    Selecting solutions that help tighten security, while keeping an eye on the need for investments that ease compliance, is important for federal organizations in the coming year. Strategies that will help them stay on top of security threats while easing the compliance burden include:

    *Assess risks appropriately – use technologies that can help organizations gain greater awareness of the security required for each process or task, based on the agency’s mission and the types of information stored. This step is critical to avoiding investments in short-term solutions that can be costly and leave some areas, systems and information unprotected.

    *Outside assistance is (often) required – Although the organization may already have multiple security solutions in place, proper risk assessment may require the help of an experienced partner with proven expertise in securing government environments.

    *Stop data leaks – easier said than done, it seems. Monitoring tools can be deployed to help government organizations track and monitor information and systems, and so avoid the bad publicity and exposure of sensitive information when data or systems are lost or stolen.

    *Expand endpoint security – recent research on ‘trusted computing’ from the Aberdeen Group maintains that organizations that have deployed applications based on trusted computing infrastructure exhibit superior capabilities in governance, risk management and compliance. Trusted computing, as defined by the Aberdeen Group, refers to “applications that leverage hardware-based, ‘roots of trust’ at the edge of the network and at the endpoints, for higher assurance.”

    *Link personnel and processes – maximize security technology investments by connecting personnel and processes within the mix.

    *Stick with open, industry standard solutions – security platforms must integrate a variety of third-party products and support multiple operating systems so organizations won’t need to purchase multiple solutions to provide end-to-end security.

    *Seek solutions that can scale – security management solutions must be able to grow as quickly as data requirements do each year.

    *Broaden the use of Virtual Private Networks (VPNs) – reduce mobile users’ exposure to eavesdropping at Wi-Fi hotspots by implementing a VPN, which allows secure network accessibility for remote access and mobile computing.

    *Remain committed to data encryption – though newer management solutions may help with the handling of expiring keys when employees leave or recovering keys when users forget their passcode key information, strong encryption mechanisms are a must.

    *Leverage Intrusion Detection Systems (IDS) – adjusting configurations and investing in training for personnel may increase an agency’s understanding of how to use the multiple reports and logs included in most IDS systems. Taking advantage of these features will allow government organizations to gather more detailed information for analysis and compliance reporting.

    *Invest in assessment tools – scan regularly to help prevent ‘back door’ entry via databases and web servers onto agency networks. Working to gain back door entry into agency databases through unprotected web pages is fast becoming a common exploit among hackers. Make sure there’s a policy in place to scan regularly so that no application developers create new back doors into agency networks.

    *Reward personnel for innovative solutions. Set up a reward system to foster out-of-the-box thinking and ways to improve the agency’s security protections, by having the organization’s internal IT staff make and then benefit from suggested improvements. In many cases, current IT personnel are the real experts when it comes to understanding the major weaknesses of an agency’s systems and networks. Rewards and incentives may be one of the best ways to increase morale and improve protections agency-wide.