Despite being saddled with significant economic concerns, President Obama, recognizing the significant importance of cyber-security to the nation, ordered a 60-day review of United States information security and the systems that support Critical Infrastructure Protection (CIP), or in this case, cyber CIP. This call to action recognizes that a failure to implement proper security measures can facilitate internal and external threats to the confidentiality, integrity and availability of the nation’s critical infrastructure.
In January 2009, the U.S. Government Accountability Office (GAO) published the GAO-09-271 update to their High-Risk Series report, which outlines federal information and cyber CIP concerns. The report stated that protecting the federal government’s information systems and the nation’s critical infrastructure is a topline challenge, but this requires resolving deficiencies that have not yet been broadly identified.
The report also stated the importance of fully implementing effective security programs. The following challenges are too important to go unaddressed:
Challenge No. 1: Cyber-security as top-level priority
Earning cross-agency buy-in is critical for managing threats effectively, and for ensuring centralized and controlled access to vital information and systems.
Challenge No. 2: Establishing and implementing consistent security initiatives
Mandating policies can be a complex and daunting task, but with insufficient processes in place to enable full accountability, agencies become susceptible to internal and external threats.
Challenge No. 3: Preventing system disruption
Dynamic and complex technology environments (including virtualized, cloud computing or service-oriented infrastructures) make managing information access extremely difficult, requiring flexible controls and solutions to adapt and prevent interruptions (or worse).
Challenge No. 4: Improving warning capabilities
Access to critical information assets must be monitored and managed intensively in all facets of the organization. Implementing proactive warning systems can circumvent critical incidents, limiting exposure to agency credentials and vital information that can open the agency to extreme governance risks (both inside and outside its walls).
Challenge No. 5: Strengthening incident recovery
While mitigating occurrences is the first line of defense, the ability to recover from incidents quickly without exposing critical information and access needs to be improved upon. When events do arise, privileged information and access are compromised without a disaster recovery plan in place.
Government agencies by their very nature must be unfailingly vigilant in trusting secure information to external and internal resources, if only because the information they control can financially, legally or even physically endanger the public’s well-being if it falls into the wrong hands.
How to Protect Vital Information
By taking the following three simple steps, federal agencies can employ a proactive approach to prevent breaches and protect vital information assets, avoiding the devastation and havoc that even one rogue person can inflict. The three steps are:
Step No. 1: Know who has access to privileged information
Federal agencies must assess who has access to what data, enabling them to understand and manage access as appropriate.
Step No. 2: Apply appropriate policies to protect sensitive information
Federal agencies must create an actionable plan and put it into place, applying privileged passwords and access management controls throughout each level of information.
Step No. 3: Update security and access credentials regularly to monitor and maintain control
By implementing a regimented program to automatically update access management and passwords, federal agencies will ensure that the right people have the right amount of control over vital information.
In conclusion, by taking the necessary steps to address these security challenges, federal agencies will be positioned for better governance, less risk and greater compliance. This will ultimately serve to protect the public’s trust and keep national security risks at bay.
Robert Grapes is Chief Technologist at Cloakware. Robert has more than 17 years of professional experience in the technology sector. Prior to joining Cloakware in 2004, Robert spent many years with Entrust Technologies as a software toolkit product manager, with Cognos in vertical analyst relations and with Allen-Bradley as a control systems automation developer. Robert’s expertise on enterprise security and Governance, Risk Management and Compliance (GRC) has enabled many large government and financial service organizations to meet their audit requirements for PCI-DSS, FISMA, FERC and other regulations, while reducing risk and improving operational efficiency. He can be reached at robert.grapes@cloakware.com.