Government and Its Regulatory Burden
GRC Labs is a flexible solution that lets you choose the deployment that fits your needs — or, more precisely, the security needs of the public you serve, which you, as a government agency, must satisfy.
Security and compliance risks in the government sector are high today, and a long record of past breaches shows why. Agencies routinely collect personal data such as name, address, and age; if an agency accepts payments from the public, it also collects credit card or bank account information. Health agencies may collect medical records.
All that data is subject to multiple overlapping laws and programs: FedRAMP (the Federal Risk and Authorization Management Program, which governs cloud services used by federal agencies); HIPAA (health information); the Gramm-Leach-Bliley Act (financial information, where the agency handles it as or alongside a financial institution); state breach-notification laws (other personal information); and even the European Union’s General Data Protection Regulation (if the agency processes personal data of people in the EU, regardless of their citizenship).
What’s more, many agencies also have security risks simply because of the sensitive information they possess: intelligence data, threat assessments, scientific research. Even if privacy and breach disclosure regulations don’t apply, the agencies still have high operational security risks from outsiders wanting to steal that information.
Compliance Objectives
Agencies work with multiple frameworks to meet those obligations. NIST provides several. NIST SP 800-53 is the catalog of security and privacy controls that federal agencies use to decide which protections their systems need; NIST SP 800-171 does the same for government contractors whose non-federal systems handle Controlled Unclassified Information (CUI).
More familiar categories of data have frameworks of their own. Credit card data falls under PCI DSS. Health information is governed by the HIPAA Security Rule, whose requirements HHS has mapped to the NIST Cybersecurity Framework, so work done against the NIST controls carries over to HIPAA.
Whatever the framework, the compliance objectives are the same. Agencies must:
Assess vulnerabilities in the network and application layers.
Remediate any weaknesses, either through security patches to software or through changes to data collection practices.
Be able to report those risk assessments and remediations to other parties as necessary.
Study data collection practices for non-compliant behaviors (say, failure to secure consent for collecting data on minors).
Track progress on those remediation efforts.
Integrate new threat alerts or updated regulations into your compliance program as they come along.