[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Requirements to improve security may hurt more than they help

To: isn@xxxxxxxxxxxxxxx
Subject: [ISN] Requirements to improve security may hurt more than they help
From: InfoSec News <alerts@xxxxxxxxxxxxxxx>
Date: Mon, 24 Mar 2008 12:52:35 -0600 (CST)
Delivered-to: isn@xxxxxxxxxxxxxxx
List-archive: <http://www.infosecnews.org/pipermail/isn>
List-help: <mailto:isn-request@infosecnews.org?subject=help>
List-id: InfoSec News <isn.infosecnews.org>
List-post: <mailto:isn@infosecnews.org>
List-subscribe: <http://www.infosecnews.org/mailman/listinfo/isn>, <mailto:isn-request@infosecnews.org?subject=subscribe>
List-unsubscribe: <http://www.infosecnews.org/mailman/listinfo/isn>, <mailto:isn-request@infosecnews.org?subject=unsubscribe>
Organization: InfoSec News - http://www.infosecnews.org/
Sender: isn-bounces@xxxxxxxxxxxxxxx

http://federaltimes.com/index.php?S=3425020

By COURTNEY MABEUS
Federal Times
March 20, 2008 

With threats of cyber attacks mounting, federal chief information 
officers say ensuring data security is one of their most important 
roles. But in a survey released last month, many say the mandates they 
must comply with may be impeding — rather than improving — security.

The Federal Information Security Management Act became law five years 
ago requiring agencies to establish controls to protect sensitive data 
contained in information technology systems. It requires agencies to 
inventory systems and to develop standards for categorizing information 
contained within them by risk.

The Office of Management and Budget has complicated matters, some 
experts say, by placing even more demands on CIOs, including mandates 
that all laptops be encrypted and a governmentwide plan to cut down on 
the number of Internet connections.

In an annual survey released by the Information Technology Association 
of America in February, CIOs interviewed said they question whether the 
return on their investments is outweighed by the burdens of compliance. 
And though many CIOs reported efforts to reduce the costs associated 
with certifying and accrediting systems as secure, the survey’s summary 
report said some officials had not seen clear, measurable improvements.

 “Sometimes it does feel like they’re going overboard,” said Richard 
Westfield, CIO at the National Labor Relations Board. “But, where do you 
draw the line?”


Problems

Patrick Howard, chief information security officer for the Housing and 
Urban Development Department, said there is too much disconnect between 
what is required by OMB and what is necessary “right now.” For example, 
he said he wonders why there is so much emphasis on having tested 
contingency plans for all systems — including those that are considered 
low risk for managing sensitive information.

Such requirements, Howard said, may lead some CIOs to focus too much on 
achieving a good grade on the president’s management agenda (PMA) 
scorecard, which quarterly tracks how well agencies are doing in 
implementing policies in a number of areas including e-government, to 
the detriment of other agency projects.

“It kind of takes your ability to prioritize the use of your resources 
away from you and focuses it on someone else’s priority,” Howard said. 
This week, Howard becomes the new chief information security officer at 
the Nuclear Regulatory Commission.

Some CIOs complain that OMB demands are usually unfunded and that 
agencies are given little time to meet demands. They also say OMB has 
done little analysis of the costs and benefits of those directives. 
Westfield, who also serves as co-chairman of the federal CIO Council’s 
Small Agency Council, said many CIOs struggle to explain the importance 
of their projects to other agency management officials.

“The average, everyday user on our network and probably every other 
network thinks that my job is supposed to make their jobs more difficult 
to do,” he said.

With inadequate budgets — listed as one of the top five barriers to 
CIOs’ effectiveness in three of the past four ITAA annual surveys — 
several CIOs said they must make improvements to promote greater savings 
and efficiency and not just to get the best score on the PMA.

“When you go out and make a case for the budget and the need to do this, 
it can’t just be to get to green” on the traffic-light-style scorecard, 
NASA CIO Jonathan Pettus said.

Pettus brought in officials from the National Institute of Standards and 
Technology to help NASA comply with OMB and FISMA demands because of 
inconsistent interpretations among its own IT officials. As a result of 
that help, Pettus said NASA was able to identify possibilities for 
consolidating some systems and developed a more efficient model for 
certifying and accrediting systems. It also determined the need for a 
core group of consultants to work with each of its regional offices on 
future compliance efforts.

Still, just like having an established building code will not prevent a 
house from collapsing, being compliant with FISMA does not necessarily 
mean your agency’s information is secure, Pettus warned.


Solutions

Alan Paller, director of research for Bethesda, Md.-based SANS 
Institute, criticizes FISMA for that reason. Although he said he sees 
real results from OMB directives, FISMA is “wasteful” because compliance 
is increasingly being done by contractors who have little incentive to 
promote efficiency. And, too many people with the technical skills 
necessary to handle compliance reporting have left for better-paying 
jobs in the private sector, Paller said. His group provides 
certification and accreditation training and other resources to IT 
professionals.

“The solutions for most of these problems are common, but the agencies 
each hire different contractors for security,” Paller said. CIOs across 
agencies need to do a better job of communicating best practices to 
build “a common answer rather than everyone building its own answer,” he 
said.

But some CIOs said they are working to develop automated processes to 
help streamline compliance in such a way that cuts cost and staff time — 
and will share that across agencies.

When CIO Joseph Klimavicz joined the National Oceanic and Atmospheric 
Administration in January 2007, he developed a 500-day plan to 
streamline computer security and catch up with the backlogged 
certification and accreditation of 135 IT systems.

The agency established some common controls for certification and 
accreditation that has allowed it to begin piloting a cyber security 
assessment and management software tool that allows users to input 
information to determine if a system complies. It will eventually 
provide the service to the Commerce Department, of which NOAA is a part, 
Klimavicz said.

“This is a Turbo Tax equivalent for [certification and accreditation],” 
Klimavicz said.

Howard, NRC’s new chief information security officer, was a contractor 
in 2003 when he helped the Transportation Department certify and 
accredit about 200 systems — mostly in financial and administrative 
areas — over a two-year period. By identifying common controls across 
those systems, the agency was able to complete each for around $15,000 — 
much less than the $25,000 to $300,000 price tag that Howard said is 
often associated with such projects.

Howard said he approaches compliance as a risk management tool because 
of shrinking budgets for IT security.

“Compliance is not going to go away,” he said. “It’s a part of life.”

___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn

Prev by Date: [ISN] Asterisk mauled by buffer overflow bug
Next by Date: [ISN] Cybersecurity's New Guard
Previous by thread: [ISN] Asterisk mauled by buffer overflow bug
Next by thread: [ISN] Cybersecurity's New Guard
Index(es):
- Date
- Thread