
Feds Aren't All Bad At Security: What Makes the Difference

Every year U.S. Federal agencies get graded on their information security, and this year is a mixed bag. Some agencies did well, others failed. Assuming private sector enterprises have the same range of the good, the bad, and the ugly, it is worth asking, what does it take to have a decent information security program?

In Federal Times we get a hint of the key with this description of Housing and Urban Development's (HUD) jump from a D+ to an A- in one year:

The Housing and Urban Development Department took the same step [i.e. completing an inventory of IT assets], which helped it jump from D-plus to A-minus. Chief Information Officer Lisa Schlosser said that HUD’s secretary and deputy secretary helped her hold the agency’s senior leaders responsible for computer security. She said that in 2006, HUD mandated security training for employees, provided more resources and filled key vacancies in the computer security office.

And HUD is now holding contractors responsible for security breaches committed by their employees. Schlosser said the agency wrote contracts allowing them to dock contractors’ payments whenever security breaches occur.

Not surprisingly, security improved when management made it a priority. They figured out what needed to be done, developed metrics for measuring how well those things were being done, and held managers accountable.

We are justified in being discouraged about the increasing sophistication of malware, the onslaught of botnets, the buckets of spam and phishing emails clogging our email systems, the lack of user understanding of their role in poor security, and the ubiquitous threat of insufficient funding, ... but ... we can still make progress as HUD demonstrates.

We don't need perfection but management priorities can go a long way to move from ugly to bad and maybe come within striking distance of good.

Not everyone sees much value in this annual exercise of grading federal agencies. Brian Krebs at the Washington Post notes:

Critics of the process have called the annual FISMA reports more of a paperwork exercise than an accurate representation of the security of federal agencies' computers and networks. They say the reports do not require or give agencies credit for taking certain types of security precautions, such as penetration tests to locate gaps in security defenses.

Kim Hart, also at the Washington Post, points out the "one size fits all approach" of FISMA doesn't work for many CIOs.

A recent survey of federal chief information security officers, conducted by the Merlin International Federal Research Consortium, shows that the grades do not take into account the different needs of large and small agencies.

The annual review has the right objective but it sounds like it needs some refinement.

If you are a manager and wondering what you can do, start with educating yourself.
For starters, see Understanding Phishing and Pharming and Reigning in Malware.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net