Guidelines for Managing Corporate Security in a Post-COVID World: A Look at the Risk Management Framework
The COVID-19 global pandemic is not likely to end anytime soon. When it does end, our business environment might never go back to what it was like before. Across the globe, organizations are not simply taking temporary measures to cope with the current situation, but are rather choosing to adapt to the new normal by establishing a sustainable remote work environment.
Cloud-based applications and services have removed all the functional obstacles of remote work. Collaborative storage platforms like Google Drive and Dropbox allow us to share our work online, while video conferencing services like Zoom and GoToMeeting enable us to attend meetings anywhere in the world.
Still, we are facing a lot of problems when it comes to managing information security in a decentralized environment. In an office environment, everyone has physical access to the corporate network, so that all external devices and IP addresses can simply be blocked from entry. Such practice is not possible in a remote work environment because employees need to access corporate servers from external networks. To solve this problem, businesses need to set thorough guidelines to manage their information security risks for a decentralized workforce.
If your business does not yet have a set of data security guidelines, now may be the perfect time to do so. This process may seem like a lot of work at the beginning, but the long-run benefits far outrun the cost. Here we introduce a general guideline to get started.
What is the Risk Management Framework?
The Risk Management Framework (RMF) is a set of data security guidelines developed by the United States’ Department of Defense. Originally used by the DoD for managing sensitive military information, it has since then been adopted by all US federal government agencies to manage data security. It is currently overseen by the National Institute of Standards and Technology (NIST).
The RMF is not commonly discussed in the business field. Nonetheless, it does serve as a solid foundation for businesses to develop their own data security strategy. Many large corporations have built their own data security policies based on the RMF.
The 6-step process of the Risk Management Framework
The RMF involves three basic components: identification, protection, and monitoring. All three components must be present for an effective and efficient data security strategy. These three components are further broken down into six broad steps. The original guidelines were written in the language of government agencies, however, here we introduce these steps from a business perspective.
Step 1: categorize information system
Businesses store all kinds of data. The information contained in them varies greatly by nature. This may include publicly disclosed information, work-related information, sales information, and highly sensitive information. In order to manage data safely and efficiently, a business should begin by identifying the usage, value, and sensitivity of their data, then assign a security level to each set of data and categorize them into a multi-layered data management system.
One way to have a layered data management system is to divide your corporate network into multiple separated networks in a process called air-gapping. Remote employees would be granted access to the network that stores work-related data, while highly sensitive data would be kept in another highly secured network where only a few individuals are granted access.
Many shortsighted businesses skip this process and dump all data into one network. This can be extremely costly in the long run because it would need to apply the highest security measure to a massive network where half of the data within the network are not even confidential. Especially in the current situation where a large number of remote workers require access to the corporate network, having one combined network only leads to chaos.
Step 2: select security controls
After having a layered data management system, the next step is to choose the most appropriate security control for each layer. Work-related documents can be stored in Google Drive and Dropbox where the servers are safely managed by the cloud provider. Yet, employee awareness is important to prevent leakage of login credentials.
Customer-related sales data can be kept in an encrypted private cloud database, where only customer support staff has access to. For those using open-source databases, an encryption solution like MyDiamo would help ensure security compliance.
Highly sensitive data containing information like passwords, financial information, and social security information should preferably be separated in an air-gapped network. They should also be encrypted with a product like D’Amo, which utilizes multiple encryption technologies for maximized security.
Step 3: implement security controls
Every business environment is different. Simply having a set of data encryption products won’t suddenly make you safe. It is crucial to configure them properly to maximize their performance and minimize your risks based on your specific needs. This is why Penta Security offers product support and follow-ups through our partners around the world, ensuring that our customers are getting the most out of our products.
Step 4: access security controls
Having an independent assessor to evaluate the security controls to make sure they have gone through proper configurations is an extra step to help ensure proper deployment. This step is specifically designed for government agencies. Yet, it is still a good idea for businesses to have multiple independent members evaluating the security controls.
Step 5: authorize information system
For federal agencies supervised by the RMF, authorization is mandatory. From a business perspective, this means regulatory compliance. Penta Security’s enterprise security solutions use an “authentication – web security – data encryption” three-step approach to help businesses comply with data privacy regulations like the GDPR, CCPA, and PCI DSS.
Step 6: monitor security controls
Businesses should regularly monitor their security controls to make sure that they reflect all new changes to the IT environment. Whenever necessary, go back to step one and go through the process again.
Implement your own strategy
The enterprise IT environment around the world is undergoing significant changes amid the pandemic. Those who successfully adapt to the new environment would have a long term advantage over those who don’t. Based on the RMF, carefully plan out a data security strategy for your business, and keep your business organized and steady in the storm.
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Web Application Firewall for Cloud: WAPPLES SA
Database Encryption: D’Amo
Smart Car Security: AutoCrypt