Page 5 - GCN, Feb/Mar 2018

IT MODERNIZATION
Automation can help ensure continuous compliance.
In many ways, states and municipalities have a harder job securing their data than private companies or even federal agencies. That’s because they often have to manage and protect increasingly different types of data, stored in increasingly disparate locations. State and local agencies must also determine which regulations they need to meet for specific data sets at the federal, state, local, commercial, and even global level. This daunting task is often made more challenging by insufficient human and financial resources.
According to a letter to the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB), states are finding the amount of human resources needed to remain compliant is unacceptably high. The letter, sent in August 2017 by the National Governors’ Association and NASCIO, cites several examples. Complying with HIPAA requirements, for example, takes at least six full-time employees working more than 800 hours.
The time required to ensure compliance is just one aspect of the problem. Others include determining which regulations are applicable and finding efficient ways to ensure compliance. However, there are several steps agencies can take to ease the burden of compliance. One of the most important is to identify one high-level decision-maker within the organization to take charge of compliance matters. It can be a Chief Privacy Officer, Chief Compliance Officer, or Chief (Information) Security Officer. This executive’s job is to determine which regulations are applicable and ensure they are being met.
Another way to make sense of everything is to take the time to fully understand two important NIST publications. NIST SP-800-53 is a comprehensive set of security best practices and the basis for many other security standards, such as FISMA. NIST SP-800-171 focuses on how non-federal organizations handling federal data must protect unclassified information.
Once agencies determine the applicable regulations, the goal is to achieve continuous compliance. In other words, it’s about ensuring there are no gaps in compliance. Without continuous compliance, it’s possible for an organization to fall out of compliance. Even more importantly, falling out of compliance means data isn’t fully secure.
Perhaps the most effective step state and local agencies can take to ensure continuous compliance with multiple regulations is to automate as much of the process as possible. With the right technology, agencies can automate everything from policy enforcement, controls testing, user access, and continuous auditing to the compliance workflow and reporting. These systems can enforce least privilege and separation of duties on virtual machines, create rules to define fine-grained access controls to enforce administrative boundaries, and prevent replication of and access to sensitive workloads.
Most compliance automation solutions use a combination of technologies to continuously monitor and automatically take action to ensure controls are kept in a compliant state, while providing rich audit logs for analysis to confirm the state of an environment.
These functions become even more important as agencies move more data stores to the cloud. While the cloud provides many benefits, it also can make it more difficult for agencies to ensure continuous compliance. According to a report from Frost and Sullivan, automating security and compliance checks for virtualized workloads in the cloud helps organizations improve security risk and reduce the instances and severity of compliance violations.
Taking these steps can go a long way toward sorting out the complex array of regulations that apply to specific state and local agencies. Even more importantly, they can help ensure continuous compliance, and continue to protect valuable information.
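The article describes compliance automation as a loop that continuously monitors controls (separation of duties, administrative boundaries, no replication of sensitive workloads), takes corrective action, and records an audit log. The following is an added example, not code from the article or from any product it refers to, showing the shape of such a loop in Python: three controls evaluated against a constructed VM inventory, automatic remediation of each finding, and a JSON audit trail. The principals, workloads, role names and boundary names are all assumptions made up for the example.

```python
"""Toy continuous-compliance loop: monitor workloads against a few controls,
remediate drift automatically and emit an audit log of every action.
Illustrative code only; the inventory below is constructed, not real."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# Separation of duties: one principal must not both approve and deploy a change.
SOD_CONFLICT = {"change_approver", "deployer"}
ADMIN_ROLES = {"admin"}


@dataclass
class Principal:
    name: str
    home_boundary: str                 # administrative boundary the admin belongs to


@dataclass
class Workload:
    name: str
    boundary: str                      # administrative boundary the VM lives in
    sensitive: bool                    # holds regulated data (e.g. HIPAA-scoped)
    replication_enabled: bool          # snapshot/replica copies allowed
    grants: Dict[str, Set[str]] = field(default_factory=dict)  # principal -> roles


def check_separation_of_duties(w: Workload) -> List[dict]:
    return [{"control": "SoD", "workload": w.name, "principal": p,
             "detail": "holds both change_approver and deployer roles"}
            for p, roles in w.grants.items() if SOD_CONFLICT <= roles]


def check_admin_boundary(w: Workload, principals: Dict[str, Principal]) -> List[dict]:
    """Admin rights may only be held by admins whose home boundary matches the workload's."""
    findings = []
    for p, roles in w.grants.items():
        home = principals[p].home_boundary if p in principals else "unknown"
        if roles & ADMIN_ROLES and home != w.boundary:
            findings.append({"control": "AdminBoundary", "workload": w.name, "principal": p,
                             "detail": f"admin from boundary '{home}' on '{w.boundary}' workload"})
    return findings


def check_sensitive_replication(w: Workload) -> List[dict]:
    if w.sensitive and w.replication_enabled:
        return [{"control": "NoReplication", "workload": w.name, "principal": None,
                 "detail": "replication enabled on sensitive workload"}]
    return []


def remediate(w: Workload, finding: dict) -> str:
    """Apply the automatic fix for one finding and describe what was done."""
    control = finding["control"]
    if control == "SoD":
        w.grants[finding["principal"]].discard("deployer")   # keep approval, drop deploy right
        return "removed deployer role"
    if control == "AdminBoundary":
        w.grants[finding["principal"]] -= ADMIN_ROLES
        return "revoked admin role"
    if control == "NoReplication":
        w.replication_enabled = False
        return "disabled replication"
    return "no automatic remediation"


def run_cycle(workloads: List[Workload], principals: Dict[str, Principal],
              auto_remediate: bool = True) -> List[dict]:
    """One monitor -> act -> record pass; returns the audit-log entries produced."""
    log = []
    for w in workloads:
        findings = (check_separation_of_duties(w) + check_admin_boundary(w, principals)
                    + check_sensitive_replication(w))
        for f in findings:
            action = remediate(w, f) if auto_remediate else "reported only"
            log.append({"ts": datetime.now(timezone.utc).isoformat(), **f, "action": action})
    return log


def build_inventory():
    """Constructed sample inventory with three violations on the sensitive workload."""
    principals = {"alice": Principal("alice", "prod"), "bob": Principal("bob", "dev")}
    workloads = [
        Workload("hr-db", "prod", sensitive=True, replication_enabled=True,
                 grants={"alice": {"change_approver", "deployer"}, "bob": {"admin"}}),
        Workload("web-front", "dev", sensitive=False, replication_enabled=True,
                 grants={"bob": {"admin"}}),
    ]
    return workloads, principals


if __name__ == "__main__":
    import json
    ws, ps = build_inventory()
    for entry in run_cycle(ws, ps):          # first pass: detect and fix drift
        print(json.dumps(entry))
    print("second pass findings:", len(run_cycle(ws, ps)))   # 0 once drift is fixed
```

Running the loop a second time after remediation produces no findings, which is the "no gaps" state the article calls continuous compliance; the audit entries from the first pass are what an assessor would review to confirm the environment's state. In practice the check functions would read from the hypervisor or cloud provider's API rather than an in-memory inventory, and remediation of access grants would normally be gated behind a change record rather than applied silently.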
