7 steps to better cybersecurity hygiene

7 Steps to Basic Cybersecurity Hygiene for Government

Upload: microsoft

Post on 23-Jan-2017


Page 1: 7 Steps to Better Cybersecurity Hygiene

7 Steps to Basic Cybersecurity Hygiene for Government


THE INSIDER’S GUIDE TO CYBERSECURITY FOR GOVERNMENT

Recently, the White House announced the Cyber National Action Plan (CNAP), a $19 billion commitment to enhance cybersecurity awareness and protections throughout the public sector.

To reflect this urgent shift towards more secure government information and systems, there are a number of basic hygiene strategies that government organizations can employ now.

These seven steps are a starting point to enabling strong cyber hygiene and up-to-date cybersecurity practices for the entire organization.


STEP 01 Identify critical data

Understanding what data needs to be protected allows your organization to plan for stronger security measures and access controls for certain types of information. This is part of a larger data security strategy that outlines tiered access and manages user rights as well. Proper data classification determines the criticality of data sets and helps to align proper processes for handling.


STEP 02 Emphasize multi-factor, strong identification

President Obama’s recent CNAP announcements emphasized the need to shift away from vulnerable cybersecurity basics like passwords towards more secure forms of identification such as multi-factor authentication.

Today, new methods are being developed to leverage more flexible derived credentials. In these new models, asymmetric key pairs—rather than string comparisons, like passwords—are used, and hardware can secure key material even further.


STEP 03 Patch systems and automated processes

Patching critical systems and maintaining their health is vital to protecting agency information, as newer patched systems are more secure. And, whenever possible, agencies should move toward more standardized and automated processes to decrease the time necessary to manage incidents.


STEP 04 Prevent data leakage

The right security policies can go a long way to keeping data safe. Establishing information rights management rules and data loss protection procedures are two basic hygiene measures that are critical for government agencies. In addition, agency data should be fundamentally segmented from employees’ personal information to prevent vulnerability and leaks.


STEP 05 Teach good hygiene at all levels

Part of preventing leaks requires instructing employees on the best practices to follow when working in email, on social media, or with outside systems. Often, employees (at all levels) in the public sector don’t recognize that they’re potentially compromising sensitive information with un-hygienic cyber behavior, so it’s important to emphasize this throughout all levels of the organization.

An educated workforce is a core part of the CNAP initiatives, and $62 million will be dedicated to help attract cybersecurity talent to the public sector.


STEP 06 Encrypt data at rest and in motion

Sensitive information and certificates need to be protected at all times. Secure transport protocols such as IPsec and SSL/TLS can be enabled between devices, VPNs, virtual machines and datacenters. Government organizations can encrypt keys with the high-level protection of compliant hardware security modules.

For data at rest, FIPS 140-2–compliant AES 256 symmetric SQL transparent data encryption and other options are available, depending on organizational needs.


STEP 07 Perform real world breach simulations

Simulating a breach when there are significant changes to the IT environment means you’ll discover where you need stronger defenses and where your organization is well protected from attackers. As a part of CNAP, the Obama administration will draw up a new Cyber Incident Response Framework by spring 2016 to change the way government agencies respond to cyber incidents.

Employing trustworthy technology and mandatory software development is a critical step towards ensuring your organization’s security technology evolves as cyber technology does.


These steps are just the beginning of the cybersecurity best practices that keep government agencies secure. Beyond basic hygiene, there are further considerations to address, including compliance.

How does your agency measure up? Read The Insider’s Guide to Cybersecurity for Government to find out.

http://aka.ms/govcybersecurityguide


All rights reserved. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. ©2016 Microsoft Corporation.

microsoft.com