eGovernment holds the promise of seamless sharing of electronic information between agencies and private business and providing online access to a variety of constituents. However, ensuring access to authorized users and protecting sensitive government and personal data while meeting compliance demands presents unique challenges:
- Complex interconnected environments with a wide mix of both state-of-the-art and legacy information systems.
- A need for cross-agency consensus on the governance of critical information and processes.
- Addressing security threats that are largely unique to governments.
- Minimizing the impact of risks (e.g., cyber warfare) that are unique to governments.
Diagnosis: eGovernment Pain Points
- Effectively leveraging and demonstrating compliance with the wide array of overlapping and ambiguous government and industry standards (e.g., FedRAMP, FISMA, NIST, PCI, PII, HIPAA).
- Managing third-party risk associated with the increasing need to share sensitive data with vendors, private businesses, constituents, and other agencies.
- Ensuring that new eGov initiatives fully achieve information security objectives via effective Security Certification & Accreditation efforts.
- Thwarting malicious attacks targeting the wealth of personal and sensitive government information.
The Information Assurance “Prescription”
Addressing the unique challenges of government information security requires a unique and flexible approach.
- Compliance Simplified
More so than in other sectors, the particular initiative defines the physical and logical scope of an eGov engagement:
- PII (or NIST or HIPAA or PCI) Gap Assessment – Is the design of our environment consistent with relevant Guidance?
- ISO 27002 Gap Assessment – The benefit of leveraging 27002: Is the design of our environment consistent with HIPAA, PCI, NIST and PII Guidance?
- Assessment support via Vulnerability Assessments and Penetration Tests to ensure net security objectives are being achieved.
It is critical to optimize the scale (e.g., agency, location, application) and scope (e.g., 800-53, OWASP) of the engagement to achieve the specific assurance required.
- Third Party Risk Simplified
Our Third Party Risk Management practice ensures:
- Third party security risks and compliance requirements are identified and communicated.
- Agreements evolve as business, technologies, and threats do.
- Monitoring mechanisms ensure third parties achieve your objectives.
- Security Incidents are identified, responded to, and learned from.
Managing intra-agency risk in this manner is often effective at breaking down “silos of information” that frequently complicate government initiatives.
- Security Certification & Accreditation Simplified
The potential impact of government breaches dwarfs those in the private sector, necessitating a comprehensive approach:
- Requirements Gap Assessment during the Requirements phase to ensure that the security requirements are sufficient to achieve security and compliance objectives.
- Design Gap Assessment during the Design phase to ensure that the systems design is fully consistent with the specified requirements.
- Security Certification & Accreditation activities prior to deployment, to ensure that the implementation is consistent with the design and that the supporting organizational elements are in place.
- Monitoring and ongoing Risk Management during the Operations phase to ensure that the security and compliance posture is maintained.
Most SC&A activities leverage some variation of NIST 800-37, NIST 800-53A, OWASP and the information-specific guidance required (e.g., HIPAA, PII).
- Security Incident Prevention/Response Simplified
Cyber Security Incidents are essentially Information Security Risks – realized. Accordingly, prevention is a risk management function, requiring a holistic approach to ensuring the security of the processes that act on the information and the assets (servers, networks, applications, personnel, facilities) that support these processes.
- Secure Data Flow Diagrams (SDFD) — Identify critical risks and the required security controls at each point where sensitive information is acted on in your environment.
- Risk Assessment — The SDFD can easily be extended into a formal Risk Assessment (e.g., NIST 800-30, OCTAVE, ISO27005) to ensure all critical risks are identified and mitigated to an acceptable level.
- Formal SC&A Activities — Leverage appropriate activities in each phase of the project lifecycle to ensure risks are effectively managed (e.g., Design Review, Policy Development, Web Application Security Assessment, Network Architecture Assessments, Social Engineering, Incident Response Planning)
- Solution Monitoring — Ensure that critical logs are monitored to provide early detection and response according to a formal Incident Response Plan to minimize the impact of cyber incidents.
Why Partner with Pivot Point Security?
Pivot Point Security has the right combination of Information Security/Compliance domain expertise, government knowledge and experience, and organizational character to help you define and execute on the best course of action to know you’re secure and prove you’re compliant.
- Domain expertise means we know the ins and outs of FISMA, NIST, PCI, HIPAA, PII, and other regulations you need to comply with. It also means that we are experts in the Security Frameworks (NIST 800-37, NIST 800-53, ISO27002, OWASP, FIPS-199) that should form the basis of Information Security Management Systems.
- Government experience means you won’t have to spend time explaining to us why conventional threat and risk acceptance criteria aren’t relevant, or describing the challenges (akin to herding cats) of coordinating the resources and consensus necessary to take a comprehensive approach.
- Organizational character means we have the competence to do the job well in a transparent and straightforward manner that you’ll appreciate.
Pivot Point Security is a great choice for your Information Security demand.
Government Industry Issues
eGov allows seamless sharing of electronic information between agencies and private business, and provides online access to a variety of constituents. However, ensuring access to authorized users and protecting sensitive government and personal data while meeting compliance demands presents unique challenges.
You must enhance public safety and crime prevention, connect citizens to needed services and promote economic development.
A malicious attack on federal or local systems to gather financial, personal or sensitive government information could lead to crime, terrorism, foreign intelligence gathering or acts of war — greatly affecting vital national interests and the security of our nation. Without the knowledge and resources to mitigate security threats on federal and local systems, agencies risk a loss of public confidence and trust.
Managing the security risks associated with our government’s growing reliance on information technology is a continuing challenge. In particular, federal agencies, like many private organizations, have struggled to find efficient ways to ensure that they fully understand the information security risks affecting their operations, and implement appropriate controls to mitigate these risks.
Publications that provide guidance on eGov security issues include:
- Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
- Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations
- Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations
- Draft Special Publication 800-30, Guide for Conducting Risk Assessments.