Your Best Friend
No one likes to be measured and have a report card, but the IG audit can help you in many aspects.
“The IG can be your best friend,” explains Rebecca C. Leng, Assistant Inspector General for Financial and Information Technology Audits at Transportation.

“No one likes to be measured and have a report card, but the IG audit can help you in many aspects,” Leng told government managers at last fall’s IT Security Conference in Washington, DC. “You may laugh, but the IG audit highlights where you need help. No one can do the job 100%, especially with competition for resources and management attention.”

Leng knows that firsthand, because Transportation’s FISMA scores have risen and fallen, teaching what Leng calls two valuable lessons.

“DOT made a concerted effort to establish and enhance our IS program,” said Leng. “That’s evidenced by our rising grades. But we also learned we don’t have a mature IS program; that’s why our scores are all over the place.”

Leng added, “If your score is good, it doesn’t mean you have a good IS program, because you are only focusing on what Congress and OMB are measuring you on. While there is nothing wrong with focusing on what Congress and OMB want us to focus on, you have to go beyond that.”

“You can’t stop; that’s why we fell off the platform. Climbing to the top is hard, but staying on top is harder. And we did not have a mature program,” notes Leng. “We must stay focused from now on, because a good grade one year doesn’t mean anything for the next year.”

Interior Design
“Our FISMA challenge is to make sure we are collecting the same information,” declared Kathryn Saylor, CISSP, Office of the Inspector General, Information Security Division at Interior. “We emphasize coordination and consistency of that effort.”

Collecting the same information is not easy because of the nature of DOI, which is a large and decentralized agency whose bureaus operated autonomously in the past. “It is a difficult cultural change to get them back together,” said Saylor. “Plus our results are consolidated into one grade, so we can have good parts and not-so-good parts. Those that aren’t good pull our overall FISMA grade down.”

Saylor says the challenge is to establish metrics so they can really evaluate the efficiency and effectiveness of a program; further, two-thirds of DOI systems were up for re-accreditation, posing an even larger test. “There are a number of standardized approaches to FISMA, and we are going to try to use them and pull from them.”

Change Agent
“We view our position as an agent of change and want to improve the security of systems,” said Saylor.

Concrete examples include identifying the threats an insider poses to a system and what that insider can do, according to Saylor. “We tested to validate controls are in place, and we did this without purchased tools; it was done with stuff available on the Internet to mirror what an average user might do.”

“We also identified practices and procedures that were weak and actually went into server rooms and helped folks actually solve those problems,” Saylor added. “That helped us gain a mutual respect from those who may view IGs as only those who point out problems, but really do nothing to solve them.”

FIPS 200 controls have also been implemented, starting with policies and procedures. “If they are not in place, then you can’t have a significant impact on the technical security posture of the system,” advises Saylor. Then you can put in baseline controls to establish metrics.

When information is not secured, it is most often due to user unawareness, says Saylor, which points to the ongoing need for user awareness and role-based training for those responsible for IT security.

Like other agencies, Saylor says, DOI faces challenges with ongoing C&A documentation. “One thing we are looking at as we begin to implement real-time, continuous security monitoring is: since this is a process, how can we make sure the documentation is updated and consistent so a reader could actually use it if necessary.”

“Agencies need to have a strategy showing they know where the weaknesses are and a strategy of moving forward to get to the end goal, even though they may never get there,” adds Saylor.

“This is our situation, this is our challenge, this is what we are trying to accomplish and this is how we are prioritizing within the resources we have.”  
