Letters to the Editor:

Letter: Overburdening program managers puts security at risk

Published on October 31, 2007 - 02:46 PM

The title of “Program managers are also security managers” should scare anyone who is concerned about information security and privacy in the federal government because it is highly accurate. Information technology management is so distributed in the federal government that it frequently falls to the program manager to decide how much security to implement and how to implement it. This is yet another area we expect program managers to be experts in, despite a frequent lack of training, inadequate budget and rapid change in the state of the art of attacks. Most frighteningly, the systems program managers are responsible for are usually networked with other systems, managed by other program managers. In IT security, the chain is truly only as strong as its weakest link. The most serious network attacks find vulnerabilities in one network and then follow trust relationships between networks to discover valuable information.

 

I contrast this approach with the (unnamed) large (90,000 people) corporation where I was recently a chief information officer. At this corporation, a panel of security experts sets IT security policy for the company. CIOs are expected to implement that policy, and all of their networks are audited to determine compliance with the policy. The results of these audits are published to the chief executive officer and board of directors. Failing an audit gets the highest levels of attention and usually invokes the other meaning of CIO: Career Is Over.

Information security is a full-time job, not yet another responsibility for overloaded program managers to assume. Until the federal government implements a serious information security management structure, breaking down its sacrosanct agency, office and program independence, information compromise is inevitable. A chain is only as strong as its weakest link, and the federal IT system chain is tens of thousands of links long.

Anonymous


View Comments

There is not an agency in the Federal Government that does not have explicit IT security and privacy policy. It is not left up to program managers to determine policy. They do not even implement ITSEC policy, they delegate this task - just like the CIOs delegate responsibility downward (and agencies have plenty of CIOs pushing policy down.) Systems are also audited for compliance with policy through the C&A process, mandated for all Federal IT systems on a continuous basis. Project managers do not have to be security experts, they just have to be aware of policy, make resources available for security and privacy, and hold people accountable when necessary.

Posted by barbwire on November 7, 2007 - 01:54 PM

