The key to having good information technology security at government agencies is to make it subordinate to enterprise architecture, said Michael Castagna, chief information security officer at the Commerce Department.
For agencies to overcome security issues, they must integrate IT security into the architecture so that any problems can be seen in a wider scope and tackled agencywide, Castagna said.
"We have to have one architecture, and IT security has to be a part of that," he said today as part of a panel at the Enterprise Architecture 2007 conference, run by the E-Gov Institute. The institute is owned by 1105 Media Inc., the parent company of Federal Computer Week.
Security laws have made the scope of agency enterprises amorphous because agency information is distributed outside of the agency, Castagna said.
He cited the Federal Information Security Management Act, which requires agencies to protect and be held accountable for all their data, even when the data is moved to other agencies and private companies.
This makes the agency porous, Castagna said, because all hackers must do is exploit one issue and the entire agency suffers. To keep track of potential holes, he said agencies must integrate IT security into EA and focus on business and strategy rather than technology.
"There's one enterprise, there has to be one strategic vision," he said. "A union of IT security and EA is required to flush out [problems] and provide organizational and technology contacts."
