The White House is getting serious about cybersecurity. News emerged last week that the Obama administration has directed all federal agencies to take measures to lock down government systems. While not mentioned by the White House, it’s expected that the high-profile breach at the Office of Personnel Management might have something to do with it.
Called a “cybersecurity sprint”, these new directions focus on the following eight priority areas:
- Protecting Data: Better protect data at rest and in transit;
- Improving Situational Awareness: Improve indication and warning;
- Increasing Cybersecurity Proficiency: Ensure a robust capacity to recruit and retain cybersecurity personnel;
- Increasing Awareness: Improve overall risk awareness by all users;
- Standardizing and Automating Processes: Decrease time needed to manage configurations and patch vulnerabilities;
- Controlling, Containing, and Recovering from Incidents: Contain malware proliferation, privilege escalation, and lateral movement. Quickly identify and resolve events and incidents;
- Strengthening Systems Lifecycle Security: Increase inherent security of platforms by buying more secure systems and retiring legacy systems in a timely manner; and
- Reducing Attack Surfaces: Decrease complexity and number of things defenders need to protect.
Agencies have been told that they must report on their progress and/or problems with these procedures within 30 days.
In my opinion, this is a good move from the White House but it can’t be ignored that agencies should already be working toward these eight areas, rather than being forced to by recent events. I’m also interested to see what type of policies and procedures can be put together in just 30 days.
A “Cybersecurity Sprint Team” has been created, comprising members from OMB’s E-Gov Cyber Unit, DHS, the National Security Council Cybersecurity Directorate, and the Defense Department. This team is in charge of the 30-day sprint and is expected to issue a “Federal Civilian Cybersecurity Strategy”.
Across the pond, the UK Government has created the Cyber Essentials scheme, which covers five key areas of basic cybersecurity. The scheme is derived from the international best-practice standard for information security, ISO 27001.
If the US Government is to get serious about forcing federal agencies to buck up their ideas and get their cybersecurity defenses in order, then it would be beneficial to them and the nation to follow the UK Government’s example and look at ISO 27001.
Cybersecurity best practice
ISO 27001 is the international standard for information security management. It sets out the requirements of an information security management system (ISMS), a holistic approach to information security that covers people, processes, and technology, and is based on international best practice. Achieving independent accredited registration to the Standard will reassure your customers, stakeholders, and staff that security best practice is being followed.
Conducting regular penetration tests to determine the vulnerabilities in your systems and having a properly documented patch management process to make sure you keep your software up to date can be easily achieved with an ISO 27001-compliant ISMS.
Starting at less than $600, IT Governance’s ISO 27001 Packaged Solutions make it easy for organizations to implement the Standard and prepare for registration using a project approach appropriate for them.