The day-to-day work of running an IT department can be all-consuming at times, often leaving information security a lower priority than keeping the lights on and delivering business value. Even in organizations that have set up security programs, administrators are often not aware of a security flaw until the system has been breached.
It is important for organizations to get proactive on IT security, not just reactive when there is a breach, according to Bill Wyatt, CIO and CISO at State of Georgia, The Office of the State Treasurer. His organization uses maturity modeling to accomplish this — assessing their preparedness and making preventative improvements.
Wyatt’s team has embraced the National Institute of Standards and Technology (NIST) 800 Series in order to cost-effectively meet the requirements of the Federal Information Security Management Act (FISMA).
“The NIST 800 series is our platform for identifying security controls,” Wyatt said. “It starts with having a framework and knowing what that roadmap for success looks like.”
According to Wyatt, NIST has outlined nine steps towards meeting FISMA compliance.
1. Categorize the data and information you need to protect
2. Develop a baseline for the minimum controls required to protect that information
3. Conduct risk assessments to refine your baseline controls
4. Document your baseline controls in a written security plan
5. Roll out security controls to your information systems
6. Once implemented, monitor performance to measure the efficacy of security controls
7. Determine agency-level risk based on your assessment of security controls
8. Authorize the information system for processing
9. Continuously monitor your security controls
In addition to adhering to the standard 800 series steps to establish and optimize your security framework, Wyatt embraces the NIST Special Publication 800-53, which was created to heighten the security of government information systems, covering mobile and cloud computing, insider threats, application security and supply chain security.
“As you flow through the 800-53 model of low, moderate or high, your goal is to continue to strengthen controls within the enterprise,” he said.
“Once adequate controls are in place, then it’s all about the monitoring for change and making sure there are change management mechanisms in place.”
Being Proactive Means Monitoring Effectively
For Wyatt, being proactive is all about monitoring network and end device activity so admins can be aware of potential threats before there is a security event such as a breach.
“Being able to effectively monitor your technology ecosystem, and especially mitigate all the false positives, is an important part of ensuring that what you are seeing is what really needs your attention. I want to have a higher sense of confidence that most events that are popping up are things that really need a response,” he said.
The efficacy of any IT security maturity program improves over time as the model is exercised within the environment. According to Wyatt, this leads to addressing common low-hanging fruit, such as performing proactive security scans and developing the ability to fingerprint what normal behavior looks like.
“Unfortunately, it seems to take years for programs to mature, not that your staff is incapable, but mostly due to a lack of resources, priorities and overall leadership commitment.”