Ensuring IT Infrastructure and Services Meet Federal Data Protection Standards
Business success depends upon managing and controlling how data is gathered, stored, and shared. A company’s reputation for trustworthiness and its relationships with its customers both depend upon adequate protection of that data.
The federal government also regulates data protection practices. These compliance rules differ depending upon the industry and on whether a company provides services to the government. Two important and wide-ranging ones are NIST 800-171 and HIPAA.
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 lists more than 100 security requirements. The rules specify that companies contracting with the government must have file sharing and information exchange practices that “support the delivery of essential products and services to federal agencies (e.g., providing credit card and other financial services; providing Web and electronic mail services; conducting background investigations for security clearances; processing healthcare data; providing cloud services; and developing communications, satellite, and weapons systems).” The regulations also specify how cyber incidents should be reported.
Companies that work with the Department of Defense were required to comply by Dec. 31, 2017, but NIST 800-171 applies to any organization that works with U.S. systems and data. Contractors must establish that their cloud services are configured in compliance even if their cloud-service provider already meets federal requirements.
To be successful, companies must strike a balance between productivity and compliance. FCW suggests they do this by first locating the systems in the network that contain the covered data and categorizing the data according to control family. The organization then implements access controls and revokes access once the project is completed. Monitoring access is essential, as is training employees. Data also should be encrypted.
NIST 800-171’s rules are challenging because organizations must be compliant across all of their cloud environments and across 14 different control families. While cloud vendors provide some security with their platforms, this security typically is not enough to be compliant across multiple vendors. Cloud environments change rapidly; the lifespan of some apps can be only a few hours. With all the responsibilities an in-house IT department has, keeping up with these changes is difficult and takes time away from more strategic functions.
Prisma Cloud, by Palo Alto Networks, helps organizations comply with NIST 800-171 through its integrated set of security capabilities across multi-cloud and hybrid cloud environments. Prisma Cloud also allows organizations to comply with various industry standards, such as NIST Special Publication 800-53 (NIST 800-53) and ISO 27000. Prisma Cloud is part of Palo Alto Networks Government Cloud Services, which is currently In Process with the Federal Risk and Authorization Management Program (FedRAMP).
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates patients’ medical and health care data. It restricts access to this information to those people who have a genuine need for it, and it applies not only to data stored in a system but also to information that is shared. TRAPS, by Palo Alto Networks, is a replacement for legacy AV systems that detects almost three times as many threats as legacy AV. TRAPS also helps businesses comply with the Payment Card Industry Data Security Standard (PCI DSS), which, although not a federal government regulation, represents the industry standard for handling credit card information.