Security Lessons from FedRAMP-Compliant Companies

Businesses that want to establish trust with their clients should go beyond basic security requirements.

This is especially true for companies that handle clients’ personal or sensitive data.
Threats from hackers and privacy breaches are becoming increasingly serious as more and more companies move their data to the cloud. Companies that adopt a forward-thinking attitude toward security are far more likely to avoid the incidents that cost businesses money, productivity and consumer goodwill.

Wondering whether your own security could use an upgrade? You may be able to improve by looking to the security guidelines that the federal government requires of companies that store its data in the cloud.

The Federal Risk and Authorization Management Program (FedRAMP) is the federal government’s effort to standardize these privacy and security protocols so that it’s easier for cloud service providers to comply with them.

Most FedRAMP requirements deal with the security of the programs and equipment that store data. However, there are also significant requirements for non-tech internal procedures and visitor management.

Regardless of whether you’re considering becoming officially FedRAMP certified in the future, it’s helpful to peek into what the most secure companies are expected to do to keep data safe.

Learning from the FedRAMP Requirements

When you think of keeping electronic data secure, the first things that come to mind may be password protocols and code vulnerabilities.

In the compliance process, there are pages and pages of these kinds of technical details to comb through — even in the “tailored” version of certification created just for “low-impact” SaaS cloud services.

However, the FedRAMP security requirements that are unrelated to the technology itself may be just as important. After all, the efforts you make to stop remote hackers won’t be worth much if someone can simply walk into your facility and physically access sensitive data.

The appendix of FedRAMP Tailored guidelines lists some of these protocols, and we’ve paraphrased a few of the non-technical ones below. (Note that we’re not lawyers or experts in this process, and you’ll want to find those kinds of pros as you move forward with certification.)

Staff Security Training

In order to be FedRAMP-compliant, companies’ staff must undergo annual security awareness training and have updated training materials (refreshed at least annually) to prove it. They also need to keep records of that training. The FedRAMP documents specify that “privileged users” should get security training that’s targeted to their role specifically.

Incident Response Training

Like security training, an incident response plan must be kept in writing and updated annually. Administrators must also get annual incident response training. Any incidents should be identified and tracked (in writing) until they’re closed. Any system user with the potential to experience a security incident should have access to all the resources available for incident response.

Maintenance Authorization

There should be a process in place for authorizing maintenance personnel, and the company must keep an updated list of those authorized personnel at all times. Authorized personnel must be given credentials in order to enter the facility. If unauthorized personnel require access, they have to be escorted by someone who is authorized.

Physical Access and Visitor Management

At FedRAMP-compliant facilities, all physical access must be monitored, and logs of those visits must be reviewed at least monthly and maintained for at least a year. FedRAMP-compliant companies are also expected to have physical controls in place to keep people from wandering where they’re not allowed.
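The maintenance-authorization and physical-access rules above (an authorized-personnel list, escorts for anyone not on it, monthly log review, one-year retention) lend themselves to an automated check over a visitor log export. The following is an added example, not code from the page or from any visitor-management product; the roster, the log entries, the 31-day review ceiling and the 365-day retention floor are constructed assumptions used to illustrate the checks.

```python
from datetime import date, timedelta

# Constructed sample data (assumption, not real records): the authorized-personnel
# roster and a visitor log as a visitor-management system might export it.
AUTHORIZED = {"j.doe", "m.lee"}

VISITOR_LOG = [
    # visitor, escort (None = unescorted), visit date, date the entry was reviewed (None = not yet)
    {"visitor": "m.lee",     "escort": None,     "visit_date": date(2024, 3, 4),  "reviewed_on": date(2024, 3, 29)},
    {"visitor": "vendor-01", "escort": "j.doe",  "visit_date": date(2024, 3, 11), "reviewed_on": date(2024, 4, 14)},
    {"visitor": "vendor-02", "escort": None,     "visit_date": date(2024, 3, 12), "reviewed_on": date(2024, 4, 2)},
    {"visitor": "vendor-03", "escort": "x.gone", "visit_date": date(2024, 3, 1),  "reviewed_on": None},
    {"visitor": "vendor-04", "escort": "m.lee",  "visit_date": date(2022, 12, 1), "reviewed_on": date(2022, 12, 15)},
]

REVIEW_WINDOW = timedelta(days=31)   # "reviewed at least monthly"; the 31-day ceiling is our assumption
RETENTION = timedelta(days=365)      # "maintained for at least a year"


def escort_violations(log, authorized):
    """Visitors not on the roster who had no escort, or an escort who is not on the roster."""
    bad = []
    for entry in log:
        if entry["visitor"] in authorized:
            continue  # authorized personnel need no escort
        escort = entry["escort"]
        if escort is None or escort not in authorized:
            bad.append(entry["visitor"])
    return bad


def overdue_reviews(log, today):
    """Entries whose monthly review never happened (and is past due) or happened late."""
    late = []
    for entry in log:
        deadline = entry["visit_date"] + REVIEW_WINDOW
        reviewed = entry["reviewed_on"]
        if reviewed is None:
            if today > deadline:
                late.append(entry["visitor"])
        elif reviewed > deadline:
            late.append(entry["visitor"])
    return late


def disposable_entries(log, today):
    """Entries past the one-year retention floor; every other entry must still be kept."""
    return [e["visitor"] for e in log if today - e["visit_date"] > RETENTION]


def audit(log, authorized, today):
    """Run all three checks and return the findings in one report."""
    return {
        "escort_violations": escort_violations(log, authorized),
        "overdue_reviews": overdue_reviews(log, today),
        "disposable": disposable_entries(log, today),
    }


if __name__ == "__main__":
    for name, hits in audit(VISITOR_LOG, AUTHORIZED, date(2024, 4, 15)).items():
        print(f"{name}: {hits}")
```

Running the audit on a schedule (for example from the monthly review itself) turns the "reviewed at least monthly" requirement into evidence you can keep alongside the log rather than a task someone has to remember.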

Compliance requires that companies have rules of behavior in place for access to the protected system. The company needs records showing that people who want to access a sensitive area have read and understood role-appropriate rules before they get access.

Finally, the guidelines specify that a company have formal sanctions in place for those who don’t comply with their agreements.

Departing Personnel

There must be procedures in place for removing access for staff who are fired or transferred. If a staffer is fired, all of their access must be “disabled and revoked” the same day they’re let go, and retained by another authorized staffer. People requesting transfers get a bit more time, but their access must be revoked, too.

Your Takeaways for Security

Even if you’re not a cloud service provider, you can take similar steps toward physical security. Here are some best practices:

Your Company Should be Process-Driven

Smaller companies may relish the opportunity to stay agile and flexible rather than bureaucratic and procedural.

However, even the smallest companies can benefit from written procedures. They come in handy when an employee is fired, for example. If the process has been thought through and written down, you may be able to avoid not just big security breaches, but smaller inconveniences like your company’s Twitter account password getting stolen by a disgruntled former intern.

Procedures for emergencies and security incidents need to be thought through and reviewed, too, regardless of the size or industry of your company.

Document Frequently and Make Docs Accessible

If there’s no accountability for using the procedures you’ve established, they might not get used at all. Documentation matters most as proof that you’re complying with a legal requirement, but it also clarifies records and processes.

Plans are only helpful if your staff understands them and can access them easily.

Rely on Programs Designed to Boost Security

Creating systems from scratch to implement and document your security efforts is a lot of work. Instead, leverage programs that other businesses have created to take care of the common security needs that many businesses share.

For example, visitor management software can handle many of the visitor access parts of FedRAMP compliance: automatically storing visitor records, sending the records for review at intervals that you choose, issuing visitor credentials, and storing citizenship data (also required by FedRAMP).

If you’re ready to boost your company’s physical security with a visitor management system, for FedRAMP or simply as a best security practice, contact us or start a free trial.