This interview is an excerpt from GovLoop’s recent Guide to Government’s Critical Cyberthreats. This research guide explains the various cyberattacks government endures and provides steps to safeguard your information systems.
Agencies have to work diligently to meet with the myriad of compliance standards and requirements, especially during the process of implementing new systems to support updated applications, replace old, aging systems, or implement new functionality. Unless the agency has a strong plan in place for understanding and implementing those requirements, they risk being out of compliance and creating cybersecurity risk for the agency.
In a recent interview, Kurt Manske, Vice President of Corporate IT and Security at QTS, shared how a “one-to-many” approach to aligning with compliance requirements and focus on effective, working relationships with service providers can help agencies better manage compliance requirements while tackling new threats.
ALIGNING RISK WITH COMPLIANCE
Manske recommended thinking beyond just meeting baseline compliance standards. Every organization has a unique risk profile, and the baseline compliance standards must be complemented with efforts specific to the organization risk profile. “Unfortunately, the baseline standards are only part of the effort to secure technologies. Every organization needs to go above and beyond if you want to effectively operate compliant systems – including those in the cloud,” he said.
STREAMLINING COMPLIANCE & SECURITY
Every organization should make sure they are streamlining compliance efforts by considering the potentially overlapping requirements within compliance standards.
For example, if a federal agency is required to be compliant with FedRAMP for cloud services, and they also need to be compliant with Payment Card Industry (PCI) requirements because of e-commerce transactions, they need to make an effort to find where the requirements of both standards overlap and implement a single practice that meets both requirements.
Manske suggested that a “one-to-many” compliance approach should be the goal for any organization as it reduces both time to implement and time to manage the compliance efforts.
Agencies should be wary of the subtle differences between the guidelines of disparate standards and make sure that they understand how those standards are interpreted and implemented.
“Many compliance initiatives have some sort of regulatory oversight organization or have a defined set of common standards for expectations as to how the standard is to be adhered to or executed in an IT environment. These standards and expectations are commonly well defined, but they can be unwritten as well. It’s important that, as you execute a “one-to-many” approach to regulatory compliance, the agency have a firm grasp of these expectations to know what the set of compliance expectations are. Having a good working relationship with the regulatory agency and/or service provider can help you navigate those challenges.”
If an agency doesn’t stay on top these differences, it can cause serious noncompli- ance and security issues. After your organization has a firm grasp of the different regulatory expectations, you will be in much better shape to begin aligning standards in “one-to-many” approach. Your service providers can provide additional counsel for these guidelines
TRANSLATING TO RELATIONSHIPS
Once you have an understanding of your compliance requirements, it’s time to translate your needs to your service provider. This won’t be a one-time conversation. The reality is cybersecurity threats and practices change over time – even daily.
“It’s important that you have an engaged, communicative relationship with your service provider,” Manske said. “That way, you can work together to address security issues and threats in real-time.”
Manske encouraged asking the following questions internally and having an engaged conversation when considering a service provider relationship for your technology:
• What sort of assurances does your organization have that you’re driving security in your day-to-day tasks?
• How do you drive security in what you’re doing from an operational perspective?
• How do you drive security in your product development?
• How do you drive security in your project management practices?
The conversation should involve more than just agency leadership. In addition to a technology operational leader engaged in the conversation with the service provider, you should bring in your agency’s security leader, audit leader and compliance leader. “An information security leader in the agency needs to have someone at the service provider that he or she can develop a trusting relationship with – someone to have a professional-to-professional discussion regarding security. Same for audit and compliance. These relationships are key to managing risks on behalf of both the organization and provider ends.”
Once the conversation is started, keep it going as circumstances change. Communicate the goals and progress of your agency clearly, whether they include moving to a new cloud platform, maintaining compliance requirements or staying on top of ever-evolving cyberthreats.
There are many components to managing cyberthreats in the public sector. Navigating compliance standards and requirements should be a top priority, but it’s important to remember another critical component: the people and relationships your agency uses to combat evolving cyberthreats. A robust relationship will provide continuous thought and support to both of those components.