Know IT Security
Good security solutions are B.S. – business-based security – according to IT
security expert Jim Litchko.


Take it from someone who knows.

“IT security is all about end users’ capabilities, cultures and expectations. You need to know your risks, vulnerabilities and threats and always deploy countermeasures to help you reduce your losses,” explains Jim Litchko, senior information security officer, strategic advisor and author of the book Know IT Security.

Litchko uses a business approach when doing a security assessment; that way, recommendations are based on the customer’s (in this case, the government’s) business or mission requirements.

“I find that management relates more easily to facts rather than fear,” says Litchko. “It’s much better than using fear, uncertainty and doubt (FUD) to scare the client into security solutions.”

CIAAA Promotes B.S.
According to Litchko, good solutions are B.S. – Business-based Security – that is effective, efficient, user-accepted, practical and secure. They balance user acceptance and common business sense in their deployment and require what Litchko calls “CIAAA” – confidentiality, integrity, availability, authentication and audit.

“You get a user’s ownership by leading them to discover their solutions,” says Litchko. “IT security is also about personnel, physical and procedural considerations. You need a written security policy. And while insiders often pose the largest threat to a system, all IT systems do not need the same level of security.”

“Technology is only about ten to twenty percent of the solution,” says Litchko. “Review IT systems from all directions, not just head on. And don’t forget to look up and down.”

Litchko advocates reviewing the “Nine Ps” when beginning a system’s security assessment.

1. Profit (Mission) – the driver of a system’s security policy and solutions.

2. Policy – the basis of all security decisions.

3, 4, 5, 6. Procedures, Physical, Personnel, Product – including the technology; these are the sources of security solutions.

7. Promotion – tells everyone of their security responsibilities and of management’s emphasis on the need for security.

8. Plan – what are you going to do when there is an attack and the deployed security is not enough?

9. Practical – the key to good security, because if security solutions are a burden they won’t be used or effective.

Certified Pros
“We have enough technology to secure our IT systems. What we don’t often have enough of are trained security professionals.”

For Litchko that means having security professionals who have certifications such as the CISSP (Computer Information Systems Security Professional) or CPP (Certified Protection Professional). These certifications are qualifiers for professionals who must be able to apply their knowledge in real-life situations and have been tested and vetted by a professional community.

“Senior management needs to demand that people in charge have the certifications,” urges Litchko. “Security is still a collateral duty in some agencies. We need to not make this a collateral duty for a program manager or systems manager.”

Litchko believes these security professionals should be part of the CIO/CISO/ISSO (Information Systems Security Officer) function. “Put an ISSO in charge of several systems in the same area, instead of trying to have an ISSO for every system. Take the appointment of the ISSO away from the program manager and put it with the CISO. Bundle systems and you’ll save money and time.”

“The technology is there, the certifications are there, the procedures are there, the processes and products are there,” notes Litchko. “What they need to do is apply them smartly and to do that we need to have these individuals.”

It is senior management’s responsibility to set the risk and the priorities, understanding that 100% security is not possible in today’s government where mobility and collaboration are facts of life.

Easy Improvements
Threats come from inside and outside the organization. Wherever there is value, people are going to take advantage of it. Often security breaches are just simple mistakes; human error was the culprit when a VA laptop loaded with private information was stolen. If the information had simply been encrypted, the damage to both the data and VA’s reputation would have been limited.

“To reduce risk, compartmentalize the systems and the employees,” recommends Litchko. “Limit physical and virtual access. People make mistakes because of a lack of awareness and not knowing the simple security capabilities readily available to them.”

Take encryption, for example. “Encryption is made easy with Microsoft products,” says Litchko. “Go to Tools, then to Options, and in the dialog box go to Security and you can encrypt everything you just built in that program. This can be acceptable for unclassified but sensitive information.” According to Litchko, this is acceptable in many areas of Energy, DOD and DHS. “But it takes someone who is senior to put the policy out. Then you have to educate people and check it. The technology is there.”

With telework and mobile computing gaining momentum in government, good encryption methods (such as SSL – Secure Sockets Layer) are available for both wired and wireless networks, according to Litchko.

Someone has to be in charge and keep security in the forefront. “At every meeting, senior management should be asking ‘how is the security of the system doing?’,” urges Litchko. “This needs to be ongoing, not just when there is a virus attack. Keep checking the security posture and put people in charge who are qualified and take FISMA (Federal Information Security Management Act) seriously.”

FISMA – Yes!
Litchko is an advocate of FISMA. “The best thing for IT security was FISMA,” says Litchko. FISMA identifies systems and vulnerabilities and what needs to get fixed, and it puts in place a process that is connected to the budget.

“With OMB in charge, FISMA ties risk to funding using POAMs. NIST provides guidance,” adds Litchko. “This is not a paperwork drill. FISMA reporting is a way to assess and manage risk and fix what is wrong. Security is not a ‘one year problem’, it is ongoing.” Litchko warns that some in senior management complain and still view FISMA as a paperwork drill.

With a security assessment of an average system costing $150,000, according to Litchko, and systems needing to be certified every three years, he advises that it is better to do a complete job on one-third of the systems every year than to try to do them all at once and leave them incomplete.

Eye On The Ball
So, what more can a manager do?

First of all, have a security and/or technical advisor you have confidence in.

For Litchko that means having a technical advisor that is a government employee. “The CISSP should be a government employee,” suggests Litchko. “The government employee has the same goals as their boss. Vendors have their own philosophy, goals, directives and relationships.”

“Don’t hire the same company to do the C&A (certification & accreditation) for your system (required by FISMA), that is already your security vendor,” advises Litchko. “Make them separate. You can’t audit your own stuff.”

Keep senior management engaged. “When there was an attack, I would go to senior management and tell them we were vulnerable to this and they need to fix this and fund this now,” explains Litchko. “They did, but if I didn’t do that right then, then nothing would happen, they would lose interest in a week. I used this as a ‘smoking gun’ to get what I needed.”

KISS Principle: 10 Keys To “Keep Information Security Simple”.

1. Good security decisions are based on the organization’s mission or business.

2. IT systems can never be 100% secure. There is always risk, so always have a recovery plan. Knowing your risks allows you to improve your job.

3. The most practical security solutions are a combination of all the security disciplines, not just technology.

4. Senior management should demand those in charge of IT security have security certifications. Review the “Nine Ps” when beginning a system’s security assessment.

5. Promote security frequently. Look beyond your walls for the most practical solutions. The most obvious solution is not always so obvious.

6. Security applications are not plug and play; they must be tailored for each application by a trained person.

7. Look for products that have been tested by certified third parties and come from vendors with security reputations.

8. Some security solutions provide a very profitable ROI. Provide a good business justification when you are promoting security products and solutions.

9. Deploy anti-virus countermeasures on all computers. Update anti-virus definitions frequently.

10. Off-site data backups are a necessity, not an option. Backup frequency is based on mission requirements.

Source: Know IT Security
