Agencies Find Continuous Monitoring Critical for Security
The Federal Information Security Management Act (FISMA) for security compliance calls for continuous monitoring of all systems on the enterprise network to discover breaches as they’re unfolding.
“Taking a snapshot and calling that compliance doesn’t really secure the data,” says Chris Ipsen, chief information security officer for the state of Nevada. “Continuous monitoring focuses on continually reassessing your environment against known attack vectors.”
Security challenges are mounting, and the public sector is in a unique position because it acts as a foundation for identities. “As we see attacks getting more sophisticated and the costs going up, we have not just a fiduciary responsibility to protect the data; there’s an ethical responsibility that’s above and beyond the fiduciary responsibilities,” Ipsen says. “The reason we collect the data is to do something with it; hopefully to help improve the quality of life of citizens.”
To obtain a complete picture of the security posture of Nevada’s network, Ipsen’s group monitors desktops and servers for operating system updates, examines third-party applications, and reviews the configuration files of firewalls and perimeter security devices and audits against those on a regular basis.
Vulnerability scanners and centralized endpoint monitoring solutions from manufacturers such as McAfee and Symantec aid the state in sniffing out anomalous traffic patterns. “If I’m normally up at 11 p.m. turning on my browser and kicking off e-mails and today I’m working at 3 a.m., that may or may not be anomalous behavior,” Ipsen says.
In addition to monitoring, the strongest security practices come down to people. The state of Nevada takes the approach that all data is public until specified as private. That requires awareness from data owners in specifying its usage, Ipsen explains.
Above all, the Nevada CISO recommends taking a multi-tiered approach, giving people the right tools and having mindful individuals. “Most people want to do the right thing, so you have to explain it to them,” he says.