Public sector IT departments confront a dilemma: They must protect critical IT infrastructure from intrusion, while also providing contractors and consultants with access to systems that hold critical data. Credit card and Social Security numbers, driver’s license information, court documents, health records — the list of sensitive data types exposed to third-party access is long.
Further complicating this situation is the fact that agencies’ relationships with IT service providers, such as cloud services, have become more complex.
“As governments embrace technology — and innovative partners and suppliers — to deliver public services more efficiently, their exposure to cybersecurity risk is escalating,” states a 2016 report from KPMG.
To minimize risks, state and local governments should review their policies and procedures for managing outside access. The National Institute of Standards and Technology recently published “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” which provides guidance for safeguarding federal data located in third-party information systems and organizations. Much of NIST’s advice is relevant to state and local governments, and can help IT leaders keep their agencies secure from intruders:
1. Apply a Principle of Least Privilege
Agencies should employ the principle of least privilege, providing individuals and systems with the minimum level of access they need to accomplish approved tasks. This rule should be applied not only to external contractors, but also to the users of agency services and internal staff implementing the services.
For example, IT leaders should consider whether a given contractor or employee actually requires access to perform backups, make changes to virtualization servers or deploy firewall configurations. By separating these duties, agencies can guard against any one person being able to carry out a breach on their own.
2. Call on Multifactor Authentication
Three factors typically are used for authentication: something you know, something you have and something you are.
Passwords and personal identification numbers are examples of something you know. The bar is raised by something you have, which requires possession of a preconfigured object, such as a handheld token or a smart card. The third factor, something you are, protects the most sensitive environments and is usually provided by a biometric device such as a fingerprint or retina scanner. NIST recommends two or more factors for authentication.
3. Rely on Regular Security Audits
Required updates, replacement equipment and employee turnover all introduce changes over time that can leave government operations vulnerable to third-party threats.
Regular technical audits, together with the governing policies and procedures, help ensure availability, confidentiality and integrity. Agencies should store audit logs separately from the systems that generate them and grant audit privileges to only a small number of individuals. More importantly, auditors should not be the same people who are responsible for the normal operation of IT services.
4. Third-Party Cybersecurity Starts with Awareness and Training
In addition to regular security education for managers and technical staff, outside contractors should also receive training. The program should cover the security implications of their roles and responsibilities, and teach them how to identify and report unauthorized activity.
Participants should be alerted to the threat of spear-phishing, where criminals solicit confidential information by sending counterfeit email messages that mimic the look of official communications.