Jun 15, 2021

Strengthening Data Privacy, Compliance and Incident Response for SLED

Before the American Rescue Plan funds arrive, SLED organizations can start preparing by reassessing current IT security and data privacy practices

By Gary Buonacorsi, SLED CTO, Tanium

The U.S. is reopening, but things are still far from “normal.” State and local governments and educational organizations (SLED) are adjusting their work habits and logistics to account for people returning to offices and students returning to school. And to help address recent challenges in operations and security, help is on the way in the form of new funding from the federal government.

The American Rescue Plan Act, which was signed into law in March 2021, promises SLED organizations new federal funds for their operating budgets and new investments in cybersecurity.

The funds aren’t here yet, which gives SLED organizations time to prepare for the funds when they arrive. Now is the time to assess current IT requirements and capabilities and make strategic plans for the future.

By rationalizing current IT investments, optimizing what works and deprovisioning or enhancing what doesn’t, SLED organizations can prepare to make the best possible use of American Rescue Plan Act funding when it arrives later this year.

In a previous blog post, I recommended that SLED organizations begin by taking stock of current IT assets, rationalizing IT toolsets, and developing a plan for supporting endpoints in a hybrid work-from-home (WFH) environment indefinitely.

In this new post, I cover two more areas that SLED organizations should explore:

Addressing data privacy requirements and regulations

To help comply with government regulations and follow IT best practices, SLED organizations need to protect the confidential data they collect, store and manage. They also need to familiarize themselves and potentially may need to comply with a growing number of federal data privacy regulations, such as PCI, HIPAA, NIST 800-171, and IRS 1075. In addition, many states are passing their own data privacy laws similar to Europe’s General Data Protection Regulation (GDPR). And they need to put data privacy practices in place so they can earn and keep the trust of their constituents.

Addressing cybersecurity threats and strengthening IT defenses

Cyber threats are increasing in variety, severity and sophistication. Targets have expanded from corporate networks to national infrastructure. In part, that’s because today’s threat actors include nation states and criminal syndicates, all of which have lots of money, tools and patience. Meanwhile, SLED organizations are more exposed than ever before because of employees working remotely, outside the protection of traditional security perimeters.

SLED organizations should take the time now to evaluate their IT tools and practices for data privacy and cybersecurity. There’s no point investing new federal funds in old technology and practices that aren’t working as they need to be. Instead, clean out the old, optimize what you’re keeping, and lay the groundwork for any new investments you identify.

Here are some recommendations for evaluating your IT organization’s capabilities for data privacy, regulatory compliance and cybersecurity.

SLED organizations, data privacy and regulatory compliance

Data privacy is important not only for fulfilling the American Rescue Plan’s goals of strengthening cybersecurity; it’s also important for winning the trust of constituents.

Demonstrating that you take data privacy seriously gives customers the confidence to trust the digital services you’re offering.

Here are some questions to ask when evaluating your organization’s strengths and weaknesses regarding data privacy and regulatory compliance:

  • How does your organization assess its data privacy risks today?
  • Has your IT team identified all the types of data that require protection?
  • If so, has your IT team identified all the data repositories and applications where that data might be found?
  • Can you systematically track user access rights across devices and services, so you can limit access to sensitive data to only authorized users?
  • How do you measure compliance?
  • How does your organization ensure compliance with all relevant regulations and policies?
  • Does your organization conduct regular audits of its regulatory compliance?
  • Can your IT team generate comprehensive reports on compliance without relying on manual processes, spreadsheets and guesswork?
  • If so, are those reports shared with executive leaders and the IT security team?
  • When risks appear, can you address them quickly?
  • If a security attack threatens the privacy or integrity of your organization’s data, how quickly can you quarantine affected endpoints and mitigate the attack?

Answer these questions, then determine what changes you should make to improve your organization’s data privacy protections. For example, do you need to improve visibility into employee endpoints? Improve employee training on best practices and security threats? Monitor employee activity more closely for possible regulatory violations?

Determine what you can change and optimize now to address data privacy requirements and preserve your organization’s reputation as a trusted protector of confidential data.

SLED organizations and cybersecurity

Cybersecurity is a key focus of the American Rescue Plan. As soon as organizations switched to a remote workforce, cyber threats increased. In a 2020 survey, 63% of chief information security officers (CISOs) reported an increase in attacks.

At the same time, 58% reported being concerned that remote employees weren’t following security guidelines, and 36% reported a lack of visibility into IT assets such as employee endpoints.

Without visibility into employee endpoints, IT teams can’t detect threats and mitigate them.

Answer these questions to assess your organization’s IT security strengths and weaknesses:

  • Do you have comprehensive visibility into your endpoints, including the devices that remote employees are using?
  • Do you have visibility into the applications and services those endpoints are connecting to in the cloud?
  • Can you collect endpoint data in real time? If not, how current is your data? Is it collected once a day? Once a week? If you collect endpoint data only once a week, are you willing to endure the cybersecurity risks of having week-old data about security threats?
  • Do your IT security practices depend on endpoints connecting over a local area network (LAN) or a virtual private network (VPN)? Or can they work with today’s remote workforce, which is rarely on LANs and VPNs?
  • When security incidents occur, can you respond quickly, stopping threats before they spread to other endpoints?
  • Can you automatically scan the endpoints that employees are using, identify vulnerabilities, and patch the endpoints to eliminate those vulnerabilities?
  • What means does your organization have for detecting and cleaning up attacks that may have been active for 90 days or longer?

Answer these questions to identify the shortcomings in your current IT security practices or toolsets. Then determine what, if anything, needs to be replaced, added or optimized.

For example:

  • Do you need to revise policies and processes now that you have an ongoing WFH workforce?
  • Do you have the tools and procedures you need for complying with the latest government regulations?
  • If you’re keeping your current IT security toolset, could you easily augment that toolset with other tools to strengthen and optimize your overall security?

Reassess and optimize your IT security and data privacy practices now so that when new federal funding arrives, you’ll be able to spend it productively — and be ready for the future.


Learn more about Tanium’s offerings for SLED organizations.

Catch up on the previous posts in this series:

Accelerating Digital Transformation With the American Rescue Plan

Why SLED Organizations Need Asset Visibility and IT Tool Optimization for Digital Transformation