What can organizations do to protect data with regard to ITAR compliance? Below is a short, summarized list of data security best practices that can help. It is important to understand that data security is not an end result but a continuous journey in protecting your information assets: we implement controls, have our security tested and validated by third parties, and constantly fine-tune our security posture while enabling business units to function optimally. Sound more like an art form than a science? It can be.
We’ve listed a few best-practices below that can help you get started on your journey.
Security Policies & Incident Response Procedures:
- An ITAR-specific security policy is the foundation of a data security practice and strategy.
- This is not a check box or a one-time deliverable but a living document: as the business environment changes, so do the policies and the strategy.
- The policies should include physical and network security.
- Hope for the best and plan for the worst: a tested Incident Response plan is critical. In the event of a breach, a good incident response program can be the difference between a speedy recovery and going out of business permanently.
- The policies and procedures should be tested and validated annually
Next Generation Firewall:
- Traditional port-and-protocol firewalls alone are no longer enough. Perimeter firewalls today have to provide advanced threat defense against malware and zero-day attacks in addition to traditional firewall functionality.
- Smart, agile perimeter security is vital for protecting ITAR data from capable attackers and constantly changing threat vectors.
- Functionality to look for includes sandboxing (for malware detection), IPS/IDS, some SIEM (Security Information and Event Management) capability, application-layer protection, GUI-based management and straightforward incident response capability.
- Look for depth of functionality but ease of ongoing management; a next generation firewall that nobody has time to tune protects very little.
Data Classification:
- All data is not created equal; data classification is a prerequisite to a successful Data Leakage Prevention (DLP) implementation.
- Before we can protect our data from leaking, we need to classify information into categories, for example:
- 1) Public Use, 2) Internal Use Only, 3) Confidential and 4) Top Secret
- Whatever the tier names, ITAR-controlled technical data must be identifiable by its tag, because the tag is what every downstream control acts on.
- After data discovery come data tagging and classification, followed by secure data storage and data leakage prevention.
Data Leakage Prevention:
- There are three employee scenarios that a properly implemented DLP solution can protect you against:
- 1) The well-meaning insider: the accidental leak. The innocent employee who made a mistake: emailing data to a personal account, taking it home to work on, mentioning what they worked on in a social media post, leaving a USB device or smart phone at the coffee shop, etc.
- 2) The malicious insider: the employee who didn't get the promotion they thought they deserved, a trouble maker trying to leak information, or someone working for a competitor or (in the ITAR case specifically) a foreign state.
- 3) The malicious outsider: competitors, hostile states, corporate espionage, criminal hackers, etc. fall into this category.
Once data is appropriately tagged, DLP can enforce controls on how it moves, which addresses all three scenarios: the tag on the data, not the intent of the person moving it, is what triggers the control.
Lastly, if sensitive data does need to leave the organization for valid business reasons, it needs to be encrypted.
Encryption:
- Encryption policies must be in place to effectively secure all types of data including:
- Data at Rest (Laptops, desktops, USB Devices, Offsite Backup, Databases, etc)
- Data in Use (SharePoint, Private Cloud, File & Application Servers, Databases, etc)
- Data in Motion (Emails, File Transfers, Web Traffic, etc)
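The classification, DLP and encryption points above describe one pipeline: tag the data, then let the egress control decide based on the tag and on whether the data is encrypted when it leaves. The script below is an added example (not from the original post or any vendor product) of what that decision logic looks like for outbound email, using the four tiers named above. The internal domain `example.com`, the `Message` fields and the sample messages are all constructed for illustration; a real DLP product would pull the label from document or message metadata and the domain list from configuration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple

# Classification tiers from the post, ordered from least to most sensitive.
class Label(IntEnum):
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3
    TOP_SECRET = 4

# Assumed organization domain (hypothetical); real deployments read this from config.
INTERNAL_DOMAINS = {"example.com"}

@dataclass
class Message:
    sender: str
    recipients: List[str]
    label: Optional[Label]   # None means the content was never tagged
    encrypted: bool = False  # True if the payload is encrypted for the recipient

def is_internal(address: str) -> bool:
    """An address is internal if its domain is one of ours."""
    return address.rsplit("@", 1)[-1].lower() in INTERNAL_DOMAINS

def evaluate(msg: Message) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'block' or 'quarantine'.

    The rules implement the post's sequence: untagged data cannot be judged,
    internal-only data stays inside, and Confidential/Top Secret data may leave
    only when encrypted.
    """
    external = [r for r in msg.recipients if not is_internal(r)]
    if msg.label is None:
        # A classification gap is not a free pass: hold it for a human to tag.
        return ("quarantine", "unlabelled content; classify before release")
    if not external:
        return ("allow", "all recipients are internal")
    if msg.label == Label.PUBLIC:
        return ("allow", "public data may leave freely")
    if msg.label == Label.INTERNAL:
        return ("block", f"internal-only data addressed to {external}")
    # CONFIDENTIAL or TOP_SECRET leaving the organization: encrypted or not at all.
    if msg.encrypted:
        return ("allow", f"{msg.label.name} leaving encrypted to {external}")
    return ("block", f"{msg.label.name} leaving unencrypted to {external}")

# Constructed sample traffic covering the three scenarios in the post.
SAMPLES = [
    Message("eng@example.com", ["cto@example.com"], Label.CONFIDENTIAL),
    Message("pr@example.com", ["press@news.invalid"], Label.PUBLIC),
    # Well-meaning insider mailing work to a personal account.
    Message("eng@example.com", ["eng.home@mail.invalid"], Label.INTERNAL),
    # Authorized partner exchange, encrypted as policy requires.
    Message("eng@example.com", ["partner@supplier.invalid"], Label.CONFIDENTIAL, encrypted=True),
    # Same partner, but someone forgot to encrypt.
    Message("eng@example.com", ["partner@supplier.invalid"], Label.TOP_SECRET),
    # Content that escaped the classification step entirely.
    Message("eng@example.com", ["partner@supplier.invalid"], None),
]

def run_samples() -> List[Tuple[str, str]]:
    """Evaluate every sample message and return the decisions."""
    return [evaluate(m) for m in SAMPLES]

if __name__ == "__main__":
    for msg, (decision, reason) in zip(SAMPLES, run_samples()):
        print(f"{decision:10} {msg.recipients[0]:28} {reason}")
```

The unlabelled case is the one worth dwelling on: a DLP rule set that silently allows whatever it cannot classify turns the classification step into a suggestion. Quarantining untagged data to an owner queue keeps the dependency between classification and DLP explicit.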
Multi-Factor Authentication:
- Multi-factor authentication combines two or more independent factors: something you know (a password or PIN), something you have (a hardware token, soft token or enrolled smart phone) and something you are (fingerprint, voice or retina scan).
- Static and weak passwords can be stolen or guessed, but with multi-factor authentication a stolen password alone is not enough to log in. Note that one-time codes and push prompts can still be phished in real time, so for the most sensitive access prefer phishing-resistant methods such as FIDO2 security keys or smart cards.
Identity & Access Management (IAM):
- Identity is the 'Who': who needs access to this information, and from which authorized systems.
- Access is the 'What': what information they need to reach. The individual's role, permissions and security restrictions all come into play here, and for ITAR that includes whether the person is a U.S. person authorized to see export-controlled technical data.
- The correct combination of Identity and Access Management, with access granted by role and reviewed regularly, can help a great deal with ITAR compliance.
End User Security Awareness Training:
- You are only as secure as your weakest link, and unfortunately that is usually us: people, employees, end users, execs, managers, bosses, whatever our role in the organization.
- Invest in end user training, annually if you can, every two years if you have budgetary restrictions.
- A trained employee who reports a suspicious email instead of acting on it can save a company millions in breach costs.
- Prevention is truly the best option here, and end user training is a huge step in that direction.
In conclusion, the above best practices will help us on our journey to ITAR compliance. It is a 'low hanging fruit' checklist, by no means a comprehensive list or a complete answer to data security, as the threat landscape changes constantly. The goal is to provoke thought and to provide an easy to understand checklist to get us started. If some of the above foundational security elements are not in place, it would be very difficult for us to prove that we did our due diligence to be ITAR compliant or to prevent a data breach from occurring.