As custodians of some of the world’s most sensitive personal information, you’d expect the public sector to lead other industries forward on data security standards. Yet, government organizations are repeatedly responsible for some of the most serious data breaches across the globe.
In the 11 months leading up to February 2012, the UK’s Information Commissioner’s Office (ICO) received 467 reports of data security breaches suffered by public sector bodies, compared with 263 cases in the private sector. This year alone, the ICO has issued fines totaling more than £700,000, including the first penalties ever given to an NHS body and a police force.
Elsewhere in the world, the situation is much the same, resulting in the introduction of legislation such as the Data Protection Directive in Europe and data privacy regulations in Massachusetts, which have been designed to regulate the processing of personal data and prevent data leaks.
Regulations such as these highlight the need for organizations in both the private and public sectors to implement effective internal practices to avoid future data losses. In many cases, this will fall under the responsibility of the organization’s SIRO/CIO, who will be expected to develop and introduce an IT security strategy for the organization. But what is the best way to actually go about implementing such a strategy?
Putting in place an information security solution seems like the logical thing to do, but in order for this to be effective, clear security processes must be defined and implemented so that all employees understand the role they have to play in keeping data secure.
Too often, organizations invest in only one piece of this equation – a security solution – and solely focus on meeting compliance obligations rather than the organization’s overall security posture. In reality, by investing in a broader, comprehensive approach, organizations will find they can more easily meet changing compliance obligations without having to rethink their technology choices. This approach, in tandem with an effort to educate employees about the value of data held, will result in more secure and compliant public sector bodies.
Security Solutions
There are a number of critical elements to a successful security strategy. These include the ability to efficiently and effectively provide employees with privileges based on their role, having strong controls in place that are actually enforced, and ensuring that all internal and external activity is monitored to provide visibility into misuse of privileges and external attacks.
There are a number of solutions available that support these elements of a security strategy. These include endpoint security, DLP, malware detection, authentication, web session intelligence, identity and access management (IAM), identity and access governance (IAG), access management, provisioning and security information and event management (SIEM) solutions. For example, by using IAM tools, public sector SIRO/CIOs can manage and control who has access to what and at what times, ensuring that only those people who require access are granted it. Access can be centrally monitored to make sure that workers are using resources, systems and applications appropriately. IAG solutions allow business owners to grant, certify and re-certify the access that has been given to users in order to meet compliance demands.
In a public sector organization, this level of control is especially important, as tens of thousands of workers – employees, contractors and other third parties – could be accessing resources, systems and applications with a wide array of entitlements at any given time and in a variety of physical, virtual or cloud environments. Moreover, while workers may have rights granted to perform specific tasks, that same access may enable malfeasant behavior. SIRO/CIOs need the visibility and control to take action when these inappropriate activities occur, and to minimize organizational risk and data exposure.
Security solutions in particular can do more than protect data from accidental or intentional misuse by employees and demonstrate compliance. SIEM solutions, for example, can also be used to monitor and quickly identify new security threats. By analyzing network event and log data in real-time, SIEM solutions can alert to potential security risks, data breaches and insider threats.
Crucially, when using IAM and SIEM solutions in tandem, organizations are able to evaluate user activity in context with the user’s role and privileges, adding another level of valuable insight into the security environment. SIEM solutions can also help generate reports needed for public sector compliance purposes, saving SIRO/CIOs a considerable amount of time, effort and expense.
Security Processes
The automation of security processes eliminates the need for unnecessary human intervention, reduces human error and helps free up valuable resources, which can be redeployed to drive other IT projects forward. By defining processes that respond to insider attacks, threats to sensitive data, or even unauthorized changes to business-critical systems, SIRO/CIOs can ensure that responses are consistent, speedy and appropriate to the level of the threat.
For example, an incident response process enabled by SIEM incorporates anomaly detection, forensic analysis, identity context, reporting and other activities that all serve to streamline and reduce the time to event response and mitigation. Perhaps an even greater consideration is the cost savings from not having to manually mine vast quantities of data for security breaches and, in turn, streamlining the organization’s compliance efforts.
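The two ideas above, evaluating user activity in the context of the user's role and privileges, and an incident response process that combines identity context with anomaly detection, can be illustrated with a small correlation routine. This is an added example, not code from the article or from any NetIQ product; the entitlement table, user directory, log format and the out-of-hours rule are all constructed for illustration.

```python
from datetime import datetime

# Constructed IAM data (illustrative names, not any product's export format):
# which resources each role may touch, and which role each user holds.
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"payroll_db", "hr_portal"},
    "service_desk": {"ticketing", "hr_portal"},
}
USER_ROLES = {"jdoe": "payroll_clerk", "asmith": "service_desk"}

# Constructed access log as a SIEM might collect it: timestamp user resource action.
SAMPLE_LOG = """\
2012-03-05T09:14:02 jdoe payroll_db read
2012-03-05T09:20:41 asmith ticketing read
2012-03-05T10:02:13 asmith payroll_db read
2012-03-05T23:48:55 jdoe payroll_db export
2012-03-05T11:30:00 ghost hr_portal read
"""

WORK_HOURS = range(8, 19)  # 08:00-18:59 is treated as normal working time


def parse_event(line):
    ts, user, resource, action = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "resource": resource, "action": action}


def evaluate(event):
    """Findings for one event: identity context (is the resource inside the
    user's role entitlements?) plus a simple anomaly rule (out-of-hours use)."""
    findings = []
    role = USER_ROLES.get(event["user"])
    if role is None:
        findings.append("unknown identity")  # no IAM record for this account
    elif event["resource"] not in ROLE_ENTITLEMENTS[role]:
        findings.append(f"resource outside role {role}")
    if event["time"].hour not in WORK_HOURS:
        findings.append("out-of-hours activity")
    return findings


def review_log(log_text):
    """Map each flagged log line to its findings; clean events are omitted,
    so the responder sees only what needs attention."""
    results = {}
    for line in log_text.splitlines():
        findings = evaluate(parse_event(line))
        if findings:
            results[line] = findings
    return results
```

Run on the constructed log, the routine flags three of the five events: a service desk user reading the payroll database, a late-night export by an otherwise entitled user, and an account with no IAM record at all, while the two in-role daytime reads pass silently.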
Playing it Safe
While it might not be possible for organizations to completely eliminate the possibility of data loss, the strategies, processes, automation and technologies that are available today serve to help public sector SIRO/CIOs to keep sensitive data secure. This, combined with clear guidelines for staff and on-going security education, can help secure data, limit exposure, and minimize organizational risk.
Adam Evans is a senior security solutions consultant for the UK, Ireland & Middle East for NetIQ. With over 20 years’ experience in the IT industry, Evans has held influential positions in both large corporate organizations and software security vendors. For the past five years, he has worked for NetIQ, a business unit of Attachmate. With a wealth of experience in security and compliance management, Evans has specialized in working with organizations to help them meet internal, external and regulatory compliance mandates through effective use of technology.