Government organizations and companies that operate in the defense industry have a great deal at stake in the event of a data breach. If any information that’s subject to ITAR is vulnerable to being accessed by an unauthorized foreign party, you’re at risk of facing serious noncompliance consequences.
ITAR provisions are intended to prevent the compromise of sensitive data associated with defense-related articles and services. Are you properly prepared to prevent this type of danger? Do you understand what data security steps you should be implementing to achieve compliance?
The responsibility of data security as it pertains to ITAR compliance can become an overwhelming one, due in large part to the fact that U.S. export control laws do not offer specific direction on how to protect the types of technical data itemized on the USML. Even so, your government agency or defense-related organization must ensure the security of this information or be held accountable for it.
To avoid the serious civil and criminal penalties, complete import/export bans and even imprisonment that can result from ITAR noncompliance, it’s critical to execute a dynamic data security approach. Use these eight actionable tips to strengthen your data protection efforts, prevent breaches and maintain compliance with ITAR mandates.
1. Limit Geographical Access
In a government agency, mission-critical information is shared constantly, and contractors and other individuals spread around the world must be able to communicate and collaborate on that information.
One important way to secure your defense-related technical data is by implementing a solution that enables you to deny access from any country in the world except the United States (unless certain authorizations or exemptions are in place). This is how you minimize the risk of unwanted visitors on a global scale. Especially with users operating around the world, it is essential to be vigilant with your data, maintaining tight control over who is accessing it and from where.
Leverage technology from a provider like Sharetru, which gives you the power to limit access by country using a highly accurate, professional geo-IP database. This affords you the control to allow authorized users to obtain necessary information while denying access to potentially dangerous entities.
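To make the country allow-list concrete, here is an added example of the decision logic such a control applies to each connection. It is illustrative code written for this article, not Sharetru's implementation: the geo-IP table uses RFC 5737 documentation prefixes with made-up country labels, the user names are constructed, and the per-user "exemptions" structure is a hypothetical way of recording that a documented authorization covers a given country. Unknown origins fail closed.

```python
"""Country-based access allow-list for a file-transfer service.

Added example (not Sharetru's code). The geo-IP table, user names and
exemptions below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed geo-IP table. These are RFC 5737 documentation prefixes;
# the country labels are made up for the example. A real deployment
# would query a maintained geo-IP database instead.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "GB",
    ipaddress.ip_network("203.0.113.0/24"): "CN",
}


@dataclass
class Policy:
    # Countries from which any authorized user may connect.
    allowed_countries: Set[str] = field(default_factory=lambda: {"US"})
    # Per-user countries covered by a documented authorization or
    # exemption (hypothetical structure for this example).
    exemptions: Dict[str, Set[str]] = field(default_factory=dict)


def lookup_country(ip: str) -> Optional[str]:
    """Return the country code for ip using the longest matching prefix."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, country in GEO_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, country)
    return best[1] if best else None


def decide(ip: str, user: str, policy: Policy) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for a connection from ip by user."""
    country = lookup_country(ip)
    if country is None:
        # Unknown origin: fail closed rather than assume a friendly country.
        return "deny", f"{ip}: country unknown, failing closed"
    if country in policy.allowed_countries:
        return "allow", f"{ip}: {country} is an allowed country"
    if country in policy.exemptions.get(user, set()):
        return "allow", f"{ip}: {user} holds an authorization covering {country}"
    return "deny", f"{ip}: connections from {country} are not permitted for {user}"


if __name__ == "__main__":
    policy = Policy(exemptions={"bob": {"GB"}})
    for ip, user in [("192.0.2.10", "alice"), ("198.51.100.7", "bob"),
                     ("198.51.100.7", "alice"), ("203.0.113.5", "alice"),
                     ("10.0.0.1", "alice")]:
        verdict, reason = decide(ip, user, policy)
        print(f"{verdict:5} {reason}")
```

The point worth noticing is the ordering: the country check runs before any exemption is consulted, and an address the database cannot place is denied rather than waved through, so a stale or incomplete geo-IP table narrows access instead of widening it.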
2. Incorporate a Physical or Electronic Barrier
ITAR compliance involves a high level of data security, which naturally lends itself to the types of solutions that hinder intruders from breaching your systems. One fundamental component of this approach is safeguarding your data on both a physical and electronic level. Make sure that restricted-access servers, storage facilities and networking cabinets are locked and monitored. For additional security support, implement access shields like authentication prompts, password protections and firewalls.
3. Regularly Update Your Malware Protection
Last year, cybercriminals released 430 million new malware variants into the world. If your agency is operating with outdated malware protection, it is at serious risk of being breached by a malicious intruder.
Cybercriminal activity is constantly evolving. Even as data security features like malware protection become more advanced, so do the tactics of intruders to get around these security efforts, which makes software updates and security patches extremely important. The software you’re using must be equipped to thwart the data attacks being deployed in the present, not the past. So make sure that your malware protection is regularly updated.
4. Know NIST 800-88, Guidelines for Media Sanitization
The National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce, developed publication 800-88 to assist organizations and system owners in making practical media sanitization decisions based on the confidentiality of their information. Make sure that you are well informed on this publication and how it applies to the protection of technical data stored on any media device.
“The application of sophisticated access controls and encryption help reduce the likelihood that an attacker can gain direct access to sensitive information. As a result, parties attempting to obtain sensitive information may seek to focus their efforts on alternative access means such as retrieving residual data on media that has left an organization without sufficient sanitization effort having been applied. Consequently, the application of effective sanitization techniques and tracking of storage media are critical aspects of ensuring that sensitive data is effectively protected by an organization against unauthorized disclosure. Protection of information is paramount. That information may be on paper, optical, electronic or magnetic media.”
5. Encrypt Data Being Transmitted or Emailed
Any organization that wishes to remain ITAR-compliant should use appropriate encryption to protect data wherever it resides. Encryption is vital in your efforts to protect defense-related technical data against hackers and maintain government compliance. By “scrambling” the data contained in your files, encryption ensures that only the sender and the intended recipient, the parties holding the key, can read the information.
When transmitting or emailing ITAR-category data, use in-transit encryption. This safeguard protects files while they are being sent or received over an Internet connection and prevents them from being read by outside parties as they travel from point A to point B.
6. Use Firewalls to Detect Exfiltration
In order to prevent an unauthorized foreign party from extracting data from your systems, be sure to utilize firewalls. This way, you can monitor incoming and outgoing traffic and identify whether data is being transmitted to the proper location over an authorized protocol. It’s an important barrier protecting your sensitive information.
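The "proper location over an authorized protocol" test is an egress allow-list, and the added example below shows what that check looks like when run over outbound flow records. This is illustrative code written for this article, not a product's logic: the allow-list of destination/port/protocol triples, the volume ceiling and the flow log lines are all constructed (RFC 5737 addresses, private source addresses).

```python
"""Egress-policy check over outbound flow records.

Added example; not from the original article. The allow-list, the
threshold and the flow records below are all constructed.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


# Constructed allow-list of (destination, port, protocol) triples that the
# perimeter firewall should permit; everything else outbound is suspect.
EGRESS_ALLOW: Set[Tuple[str, int, str]] = {
    ("203.0.113.10", 443, "tcp"),   # hypothetical partner file-exchange host
    ("203.0.113.20", 22, "tcp"),    # hypothetical managed SFTP endpoint
}

# Constructed per-flow volume ceiling (bytes); real values come from baselining.
VOLUME_THRESHOLD = 50_000_000

# Constructed flow log: "src dst dport proto bytes_out", one flow per line.
SAMPLE_FLOWS = """\
10.0.5.12 203.0.113.10 443 tcp 120000
10.0.5.12 203.0.113.20 22 tcp 4000
10.0.5.30 198.51.100.9 443 tcp 900000
10.0.5.30 203.0.113.10 53 udp 300
10.0.5.44 203.0.113.10 443 tcp 75000000
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated constructed log format."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(src, dst, int(dport), proto.lower(), int(nbytes)))
    return flows


def evaluate(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return flows that violate egress policy, each with a reason."""
    flagged = []
    for f in flows:
        if (f.dst, f.dport, f.proto) not in EGRESS_ALLOW:
            flagged.append((f, "destination/port/protocol not on egress allow-list"))
        elif f.bytes_out > VOLUME_THRESHOLD:
            # Permitted destination, but far more data than the baseline allows.
            flagged.append((f, f"{f.bytes_out} bytes exceeds {VOLUME_THRESHOLD}-byte ceiling"))
    return flagged


if __name__ == "__main__":
    for flow, reason in evaluate(parse_flows(SAMPLE_FLOWS)):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

Two of the constructed flows go to an approved host but fail anyway: one uses an unapproved port and protocol, the other moves far more data than normal. Checking destination alone would miss both, which is why the allow-list keys on the full triple and the volume check sits behind it.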
7. Enable and Back up Audit Logs
Robust auditing and analytics are essential for mitigating data security risks and meeting ITAR requirements. Arm your IT department with the proper tools, like on-demand reports, detailed logs and historical analytics to glean valuable information on data security and compliance.
Detailed activity logs should always be available to administrators so they know how files are being accessed and who is sharing them. And, of course, you must have an effective backup plan in place to prevent loss of information. Backups should be run several times per day, encrypted and housed at a secure, off-site location.
8. Use Isolated Directories
Defining folder visibility and write permissions enables you to keep information away from unauthorized users and protect it from accidental or unauthorized changes. Visibility of data should be classified based on the sensitivity of that data, and granted only to those individuals specifically designated to access it. By keeping any data that falls under ITAR jurisdiction in isolated directories, you gain a greater level of control over this sensitive information and can define permissions accordingly.
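The defining property of an isolated directory is that rights on a parent folder do not carry into it; a user must be designated on the ITAR directory itself. The added example below models that rule in a small permission store. It is illustrative code written for this article, not a vendor's access-control implementation; the directory paths, classification labels and user names are constructed.

```python
"""Isolated directories with per-directory read/write designation.

Added example; not the article's or any vendor's code. Directory names,
classifications and users are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Directory:
    path: str
    classification: str          # e.g. "ITAR", "INTERNAL" (constructed labels)
    readers: Set[str] = field(default_factory=set)
    writers: Set[str] = field(default_factory=set)


class IsolatedStore:
    """Permissions come only from the most specific directory containing a
    file; rights on a parent are never inherited by an isolated child."""

    def __init__(self) -> None:
        self.dirs: Dict[str, Directory] = {}

    def add(self, d: Directory) -> None:
        self.dirs[d.path.rstrip("/") or "/"] = d

    def _owner_dir(self, file_path: str) -> Optional[Directory]:
        """Longest-prefix match: the deepest registered directory wins."""
        best = None
        for path, d in self.dirs.items():
            if file_path == path or file_path.startswith(path.rstrip("/") + "/"):
                if best is None or len(path) > len(best.path):
                    best = d
        return best

    def can_read(self, user: str, file_path: str) -> bool:
        d = self._owner_dir(file_path)
        return d is not None and user in d.readers

    def can_write(self, user: str, file_path: str) -> bool:
        d = self._owner_dir(file_path)
        return d is not None and user in d.writers

    def visible(self, user: str) -> List[str]:
        """Directories whose existence the user is allowed to see."""
        return sorted(p for p, d in self.dirs.items() if user in d.readers)


if __name__ == "__main__":
    store = IsolatedStore()
    store.add(Directory("/projects", "INTERNAL", readers={"alice", "bob"}, writers={"alice"}))
    store.add(Directory("/projects/itar", "ITAR", readers={"bob"}, writers={"bob"}))
    for user in ("alice", "bob"):
        print(user, "sees", store.visible(user),
              "read itar:", store.can_read(user, "/projects/itar/spec.pdf"),
              "write itar:", store.can_write(user, "/projects/itar/spec.pdf"))
```

In the constructed setup, alice can write anywhere under /projects yet cannot even list /projects/itar, because the ITAR directory's own designation lists are the only thing consulted for files beneath it. Files outside any registered directory are denied to everyone, so a misfiled document does not become readable by default.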