ITAR compliance rests on a sound data security strategy and the defensive technology to implement it. ITAR-controlled technical data cannot be exported, or released to a foreign person even inside the United States, without authorization from the U.S. Department of State, so security policies and technical controls must limit access to authorized persons and protect controlled data wherever it is stored, processed or sent.
- Security Policies and Incident Response Procedures: Security policies, procedures and manuals should be written down and ITAR-specific. Businesses are not static; they grow and change, so these policies and strategies need to be maintained alongside them. Policies and incident response procedures should be reviewed, tested and validated at least annually.
- Advanced Firewall: Beyond traditional packet filtering, firewalls should provide advanced threat defense against malware and zero-day exploits. Functionality to look for includes IPS/IDS, sandboxing of suspicious files, application-layer control, and logging that can be forwarded to a SIEM so that incidents can be investigated and responded to. A firewall is a perimeter control; it does not by itself protect controlled data once an authorized user has it in hand.
- Data Classification: Classify information into tiers such as Public, Internal, Confidential and Restricted, and label ITAR technical data explicitly as export controlled so that handling rules are unambiguous. Controlled information should be consolidated into a small number of defined repositories so it can be more easily safeguarded and audited.
- Data Leakage Prevention: A data leakage prevention solution should be backed by plans and policies that address not only accidental leaks but also intentional exfiltration by disgruntled insiders or malicious outsiders, and it should recognize the classification labels applied to ITAR data in email, file transfers and removable media.
- Data Encryption: Data at rest, in motion and in use all need adequate encryption policies. Data at rest is stored data: databases, file servers, laptops, backups and USB devices. Firewalls and antivirus do not protect it if a device is lost or stolen, so it should be covered by full-disk and file or database encryption, with keys kept separate from the data they protect. Data in motion is data moving between systems, such as email, file transfers and web traffic; it is exposed to every network it traverses, so it should be protected with TLS or an equivalent, and the policy must cover mobile email applications. Data in use is data being processed in memory by applications; it is the hardest state to encrypt, so it is protected mainly by access control and host hardening.
- Multi-Factor Authentication: Two-factor authentication combines something you know (a password) with a second, independent factor: something you have (a smartphone app or hardware token) or something you are (a fingerprint or face). A password alone can be guessed, phished or leaked; obtaining the second factor as well is considerably harder. Not all second factors are equal: SMS codes can be intercepted or socially engineered, one-time-code apps can be phished in real time, and hardware security keys (FIDO2) are phishing-resistant, so prefer them for accounts that reach controlled data.
- Identity and Access Management: This covers who accesses your information and what they actually need to access. ITAR technical data may be released only to U.S. persons as the ITAR defines them (which includes lawful permanent residents, not only citizens) who have a business need, or to foreign persons covered by an export authorization. Your IAM software should enforce that restriction through group membership or user attributes rather than relying on people to know it, and access should be reviewed regularly.
- End User Security Awareness Training: End-user training is proactive and cheaper than reacting to an incident. Trained employees recognize phishing and handling mistakes before they become breaches. Training should occur when people are hired and at regular intervals afterwards, with ITAR-specific content on marking and handling controlled data.
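The multi-factor authentication item above leaves implicit how the "have" factor is actually checked on the server. The following is an added example, not code from the original article or from Cyberstreams: a server-side TOTP (RFC 6238) verifier in Python using only the standard library, with the RFC's published test secret as a constructed fixture. It shows the two checks a practitioner wants and a naive implementation omits: a small clock-drift window, and rejection of a code whose time counter has already been accepted (replay).

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded the
# way authenticator apps expect it. Constructed test fixture, not a real key.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamically truncate."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, algo).digest()
    offset = digest[-1] & 0x0F                      # low nibble picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret_b32: str, unix_time: int, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the epoch."""
    return hotp(secret_b32, unix_time // step, digits, algo)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_used_counter: int, step: int = 30, digits: int = 6,
                window: int = 1):
    """Verify a submitted code.

    Returns (ok, counter_to_store). Accepts codes within +/-window time steps
    of the server clock to tolerate drift, refuses any counter at or below the
    last counter already accepted for this user (replay protection), and uses a
    constant-time comparison so the check does not leak via timing.
    """
    now_counter = unix_time // step
    for delta in range(-window, window + 1):
        counter = now_counter + delta
        if counter <= last_used_counter:
            continue                                  # already consumed
        expected = hotp(secret_b32, counter, digits)
        if hmac.compare_digest(expected, submitted):
            return True, counter                      # caller persists counter
    return False, last_used_counter


if __name__ == "__main__":
    # Print the current 6-digit code for the demo secret, as an app would show it.
    print("current code:", totp(DEMO_SECRET_B32, int(time.time())))
```

The value returned as the second element must be persisted per user and passed back as `last_used_counter` on the next login; without that state a captured code remains valid for the whole drift window, which is exactly the gap a real-time phishing kit exploits.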
Businesses governed by ITAR must perform due diligence and invest in the security of ITAR-regulated information. Without foundational controls like those listed above, it is difficult either to prevent a breach or to demonstrate due diligence after one.
To learn more about robust support for ITAR compliance, get in touch with Cyberstreams at (561) 432-7823 or firstname.lastname@example.org.