To protect high-value assets (HVAs), Jennifer Franks, the director of information technology and cybersecurity team at the Government Accountability Office (GAO), recommends agencies build a more structured organization around HVAs, or even a designated team, as opposed to having only one or two people with access to HVAs.
During GovExec and SailPoint’s 2021 Government Identity Security Summit on Dec. 2, Franks explained that having a more structured organization is crucial for times when designated HVA contacts are on vacation, go on maternity or paternity leave, or are out sick.
“Similar to the HVAs, if you don’t have key contacts identified and your key contacts are just one or two persons, what if they’re both out? And what if some unplanned event has happened? What if they’re both just sick, and they just cannot communicate with you? You need to have more of an organizational approach for others with this need to know to be able to remediate whatever is needed in your environment,” Franks said.
Franks also said that agencies that have “several HVAs in your environment” should prioritize the HVAs that pose the highest risks. Franks explained that, with that prioritization done, if an organization has only one or two key contacts and they are out, those stepping in can still meet the “critical needs” of the organization and protect the HVAs.
“That’s why you need a little bit more of a structured organization, maybe even a team that really helps you center your HVA activities, so that it would have more of a widespread impact to assisting your organization,” she said.
She went on to say that AI and machine learning “could definitely assist” in prioritizing HVAs for risk, but organizations “would need to make sure” that those systems can identify and “are coded to kind of pick out and identify some of the active vulnerabilities or something that’s not programmed to be a foreseen issue.”
“Of course, machine learning in automating some of these services with AI would be very helpful, but it still wouldn’t negate us having to make sure that there is less risk,” Franks said. “So, looking at that tolerance level for any kind of vulnerability that could be identified, you know, taking out the human error and now you have machine error… it would just be a continual operation.”