Compliance Begins with People and Processes, Ends with Software
All too often, federal IT personnel misconstrue software as being able to make their agency compliant with various regulations. It can’t – at least not by itself.
Certainly, software can help you achieve compliance, but it should only be viewed as a component of your efforts. True and complete compliance involves defining, implementing, monitoring, and auditing processes so that they adhere to the parameters that have been set forth within the regulations. First and foremost, compliance requires strategic planning, which depends on people and management skills. Software complements this by being a means to an end.
To illustrate, let’s examine some regulatory examples:
- Federal Information Security Management Act (FISMA): FISMA’s requirements call for agencies to deploy multifaceted security approaches to ensure information is kept safe from unauthorized access, use, disclosure, disruption, modification, and destruction. The approach requires daily oversight from managerial and operational personnel: a human touch. This can be supported by software that allows teams to be quickly alerted to potential errors and events that might cause information to be compromised.
- Federal Risk and Authorization Management Program (FedRAMP): FedRAMP may be primarily focused on cloud service providers, but you also have a significant role to play. FedRAMP parameters require agencies to ensure their providers are FedRAMP compliant, and to continually “assess, authorize and continuously monitor security controls that are the responsibility of the agency” (www.cloud.cio.gov). As such, FedRAMP calls for a combination of hands-on processes (working with partners) and technology implementation (ensuring security measures are maintained and data is continually locked down).
- Health Insurance Portability and Accountability Act (HIPAA): The response to HIPAA has typically centered on the use of electronic health records, which can be more secure than an old fashioned paper trail. But that’s not enough, because the Act requires blanket coverage that goes well beyond technology use. As such, healthcare workers need to be conscious of how patient information is shared and displayed. After all, showing a patient’s chart on a large HD screen – for all the office to potentially see – isn’t very secure, is it?
- Defense Information Systems Agency Security Technical Implementation Guides (STIGs): The STIGs provide guidelines for locking down potentially vulnerable information systems and software. They cover a lot of ground and are updated as new threats arise – but it’s up to federal IT managers to closely follow the STIGs to ensure the software they’re using is not only secure, but working to protect their systems.
In fact, particular types of software can significantly augment the people and processes that support your compliance efforts. Specifically, you should take a close look at the following tools:
- Event and Information Management tracks events as they occur on your network and automatically alerts you to suspicious or problematic activity. This type of software uses intelligent analysis to identify events that are inconsistent with predetermined compliant behaviors, and are intelligent enough to issue alerts before violations occur.
- Configuration Management allows for the configuration and standardization of routers, firewalls, and switches to ensure compliance. This type of software can also be useful in identifying potential issues that might adversely effect compliance before they come to pass.
- Patch Management is critical for closing known vulnerabilities before they can be exploited. It can be very handy in helping your organization maintain compliance with regards to security and ensuring that all operating systems and application
Each of the aforementioned types of software can form a collective safety net for FISMA compliance and serve as a critical component of a security plan, but they can’t be the only component if you’re to achieve your compliance goals. As the old saying goes, the rest is up to you.
About the Author:
Chris LaPoint is vice president of product management at IT management software provider SolarWinds, based in Austin, Texas.