Best practices for government agencies to secure IT infrastructure

Many government agencies, departments, subcontractors, service providers, and organizations that operate IT systems on behalf of the government must ensure protection of their critical infrastructure and ensure data security and continuous systems operation.

These requirements are documented in various international and national standards, regulations and statutes established by authorities and covered by best practices frameworks such as COBIT, NIST800-53, ISO/IEC 27001, ISO/IEC 15408 and ITIL. They demand that government agencies secure and protect the confidentiality, integrity, and availability of information systems and the data processed, stored, or transmitted by them.

Staying compliant with these regulations is a question of reputation for a wide range of organizations including data clearinghouses, state departments, military subcontractors, and private vendors if their data is exchanged directly with government systems. Failure to meet the regulations may lead to direct and indirect financial losses and exclusion from operating within certain industries.

To meet compliance requirements and ensure the security of IT infrastructure, government IT professionals should consider the following recommendations:

Establish control over users and their activities. A large part of data security requirements lies within access control, account management, and separation of duties. In fact, today these are some of the cornerstones of any security policy, established in response to the dramatic increase in security incidents or as a part of compliance efforts. In order to avoid critical issues such as internal misuse of information systems, it is important to monitor user activity, ensure that permissions are granted to users on a need-to-know basis, and implement continuous tracking of modifications made to user accounts.

Gain complete visibility and accountability with audit reports. Responding to compliance regulations, organizations may be required to submit reports with various levels of detail for an arbitrary period, proving effective implementation of security controls and adherence to enacted policies. However, because it is extremely impractical to collect, consolidate, and correlate data manually on configurations, security settings, and activities in databases, file servers, and virtual environments manually, a change-auditing solution will notify you of all changes across all IT systems and provide comprehensive custom reports.

Monitor and evaluate your environment. Being compliant in many aspects means being sure that security policies and procedures are functioning properly and are helping with risk reduction. Having your IT infrastructure constantly audited validates that you have complete visibility across all your IT systems and proves that your IT environment is under permanent control.

Control access and modifications to shared resources. When it comes to data stored in critical systems such as SQL, file servers, and SharePoint, it is necessary to know who did what, when, and where. Consider deploying a solution that will provide you with a detailed view, including before and after values, on any attempt to access, modify, or delete sensitive data.