Best Practices Offer Guide to Security

IT Security Buyer's Guide

By Teri Robinson

Successful agencies know what works and what doesn't when it comes to assessing, investing in and deploying security products, applications and services. Every security strategy is different because agencies have different needs, but there are several guidelines that all agencies should follow.

Assess what you have. Creating a security game plan is an opportunity for an agency to inventory its IT resources and find not only the obvious gaps in its security scheme but also gaps in workflow and processes. So many IT infrastructures and security initiatives are built piecemeal that agencies often end up with a patchwork of solutions that don't work well together. Once an agency understands both what it has and what it's missing, it can fill the gaps more efficiently.

Invest wisely. While it’s tempting to grab onto the latest, greatest technology as a panacea for security woes, tight budgets and an abundance of solution choices call for agencies to be more prudent in their purchasing strategies. A thorough assessment of an agency’s security landscape and vulnerabilities can guide a purchasing strategy.

Establish a security policy and enforce it. Agencies should first assess existing policy, determine where the holes or vulnerabilities are, then fill the gaps. A security policy should be solid but also flexible enough to accommodate changes in work environments and technology, and it should include provisions for social networking.

In addition, there should be clear consequences for security violations, and an agency must follow through with the stated reprimands and penalties. A strong security policy also needs the proper technology and human resources behind it: security officers need current tooling for monitoring and verifying compliance.

Small things count. Some of the best-laid strategies are compromised by the smallest of transgressions, missteps or practices. For instance, users often create passwords that are easy to remember and therefore easy to guess, and do not change them frequently enough. (Current guidance in NIST SP 800-63B has since moved away from forced periodic rotation, which mostly produces predictable variations of the old password, toward screening new passwords against lists of known-compromised and dictionary passwords.)
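The point about memorable passwords is easier to see in code than in prose. The following Python is an added example written for this edition, not code from the article or from any agency, vendor or product it describes. The common-password list and the test strings are constructed for illustration (a real deployment would load a large breached-password corpus), and the length and entropy thresholds are assumptions, not values the article prescribes.

```python
import math
import re

# Constructed, deliberately short stand-in for a breached-password corpus.
# The matching logic is the point; the list itself is illustrative only.
COMMON_PASSWORDS = frozenset({
    "password", "letmein", "welcome", "admin", "iloveyou", "monkey",
    "dragon", "football", "baseball", "summer", "winter", "qwerty",
})

# Adjacent-key and counting runs: they look random to a user but are tried
# early by cracking wordlists and mangling rules.
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "1234", "abcd")

# Common "leet" substitutions, undone before the dictionary lookup so that
# P@ssw0rd is recognised as "password".
_LEET = str.maketrans("@$0314!", "asoelai")


def normalize(password: str) -> str:
    """Lower-case, drop the trailing digits/punctuation users bolt on to
    satisfy complexity rules, then undo leet substitutions."""
    base = password.lower()
    base = re.sub(r"[0-9\W_]+$", "", base)
    return base.translate(_LEET)


def charset_size(password: str) -> int:
    """Size of the alphabet the password actually draws from."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation and space
    return size


def estimated_bits(password: str) -> float:
    """Upper bound on guessing work if the password were uniformly random
    over the classes it uses. A dictionary hit makes this figure
    meaningless, which is why the list is checked first."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def evaluate(password: str, min_length: int = 12, min_bits: float = 60.0) -> dict:
    """Return {'accepted': bool, 'bits': float, 'problems': [str, ...]}.
    min_length and min_bits are assumed policy values for this example."""
    problems = []
    if normalize(password) in COMMON_PASSWORDS:
        problems.append("dictionary word after undoing substitutions")
    lowered = password.lower()
    for run in KEYBOARD_RUNS:
        if run in lowered:
            problems.append(f"contains keyboard or counting run '{run}'")
            break
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if re.fullmatch(r"(.)\1+", password):
        problems.append("single repeated character")
    bits = estimated_bits(password)
    if not problems and bits < min_bits:
        problems.append(f"estimated {bits:.1f} bits, below {min_bits:.0f}")
    return {"accepted": not problems, "bits": round(bits, 1), "problems": problems}


if __name__ == "__main__":
    # Constructed samples: the first three are what users typically invent
    # to satisfy "one upper-case, one digit, one symbol" rules.
    for candidate in ("P@ssw0rd1!", "Qwerty123456", "Summer2009!",
                      "aaaaaaaaaaaaaaaa", "correct horse battery staple"):
        print(f"{candidate!r:32} {evaluate(candidate)}")
```

Note that "P@ssw0rd1!" satisfies every classic complexity rule and scores over 60 bits on the naive estimate, yet the normalisation step reduces it to "password" and rejects it; the four-word passphrase passes both the list check and the length check. That gap between apparent and real strength is what the policy needs to close.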

Know your vendor. Vendors do more than provide products and services; they serve as agency partners and are privy to sensitive information and processes. Most vendors implement solid security measures, but an agency should never assume so. Ask for a detailed rundown of a vendor's security strategy and initiatives, and put the obligations in the contract. A recent audit at the VA found that 10-20 percent of its contracts with vendors didn't include information security clauses.

Train, train, train. Qualified IT security professionals are in short supply. The Comprehensive National Cybersecurity Initiative 2 (CNCI2), announced this spring, will focus on training and education, including the creation of educational tracks and degree programs to produce security professionals. In addition, a number of measures in that initiative will coordinate and manage "the federal enterprise network as a single network enterprise." By understanding and coordinating security initiatives across agencies, the government can identify points of vulnerability, recommend where agencies need to take action and stimulate the use of shared resources.

Accommodate change. Many security initiatives change the work environment and unsettle an established work culture. Even a small change can be perceived by workers as troublesome and unnecessary, and can threaten to bring business to a standstill. For any security strategy to succeed, an agency needs to get workers on board. Complicate the way they work and they are more likely to look for work-arounds and ways to disable security mechanisms, all of which compromise security.

Take a trial run. A pilot or trial goes a long way toward testing a security measure and introducing it to workers. It is an opportunity to work out kinks in the system and build a measure of comfort among the workforce before the full solution is rolled out.

Watch it. Even the best security plans and measures require constant vigilance. Set up 24/7 monitoring capabilities and act quickly when a vulnerability is exposed.

Assign responsibility. Most agencies have a Chief Information Security Officer. In fact, a survey by the 1105 Government Information Group last year found that 87 percent of respondents had a CISO or CISO-equivalent in place. But their influence varies from agency to agency. In an (ISC)2 report, "A View from the Front Line: The State of Cybersecurity from the Federal Chief Information Security Officer's Perspective," 90 percent of respondents said they had significant influence on their agency's security strategy. While most CISOs in the (ISC)2 survey said they were satisfied with their jobs and more influential than ever before, they still have a long way to go. According to the study, "76 percent of CISOs report to the agency Chief Information Officer, but none to the Chief Operating Officer, the Chief Financial Officer or the Chief Risk Officer, which CISOs believe limits their overall effectiveness."