[ISN] The federal computer security report card: Lessons from Uncle Sam

From: InfoSec News (isn@private)
Date: Mon Apr 12 2004 - 01:00:11 PDT

  • Next message: InfoSec News: "[ISN] OS X Trojan Horse Is a Nag"

    http://www.computerworld.com/securitytopics/security/story/0,,91899,00.html
    
    Opinion by Marc Gartenberg
    APRIL 08, 2004
    COMPUTERWORLD
    
    For the fourth year in a row, the federal government released its
    "Report Card on Computer Security at Federal Departments and Agencies"  
    (download PDF) [1]. The average grade for fiscal 2003 was a D (65).  
    The overall average grade in 2002 was an F (55); in 2001, it was also
    an F (53). Since 2000 was the first year that any measurements were
    taken, that year's score was "Incomplete" with a letter grade of D-.
    
    Looking at the situation through the lens of an eternal optimist (and 
    realist), maybe, just maybe, agency heads, the Office of Management 
    and Budget and Congress will start looking for ways to get these 
    agencies where they should be. An empire in the age of technology can 
    and should be able to get passing grades in information security.
    
    As an alternative to looking at the trends and drawing the conclusion 
    that things aren't really that bad since, after all, the overall score 
    is improving, let's examine instead the underlying factors that led to 
    these scores. Then we can see why our dear Uncle Sam needs some help, 
    and we can offer some suggestions.
    
    Through this analysis, it will become clear that the issues are 
    related to establishing, maintaining and measuring enterprise security 
    management strategy as part of the systems development life cycle so 
    that no government agency or company ever has to settle for a D.
    
    Why the bad grades?
    
    To answer that, we need to examine the factors upon which the 
    scorecard is based. These include certification and accreditation 
    processes and recognize subtle distinctions in the categories of IT 
    systems, namely general support systems and major applications (a.k.a. 
    mission-critical applications), and realize that there are still many 
    legacy systems long overdue for retirement. Ready?
    
    First, here's the process, which sounds simple. The National Institute 
    of Standards and Technology (NIST), a component of the U.S. Department 
    of Commerce, publishes and updates its policy guidance for information 
    security. Federal agency security chiefs are supposed to see that 
    these guidelines are followed within their agencies. The problem is 
    that the NIST guidance isn't very concise regarding implementation. It 
    also isn't an operational procedure manual. Rather, to a great extent, 
    it's a higher-level management policy document. This creates a gap 
    between knowing what to do and how to do it. Yet the scorecard rates 
    an agency on how well it implements the guidelines.
    
    Then there's the reporting scheme, which is handled by each agency's 
    own Office of the Inspector General. These offices are designed as 
    semi-autonomous bodies operating within and under the jurisdiction of 
    each agency head.
    
    Another factor is that this year agencies had to meet the requirements 
    of the Federal Information Security Management Act (FISMA). This law 
    expands on the information-security evaluation and reporting 
    requirements enacted in 2001 under the Government Information Security 
    Reform Act (GISRA). Under FISMA, agencies must demonstrate their 
    progress in areas including risk management, contingency and 
    continuity procedures to ensure that their mission-critical and 
    general-support systems are protected. This includes annual IT 
    security reviews, reporting and remediation planning on systems at all 
    stages of the systems development life cycle.
    
    So while agencies in previous years were showing improvements on the 
    standards according to GISRA, the fact that the regulations changed 
    midstream caused many agencies to have a problem meeting the new 
    mandates.
    
    When all these dependent variables are synthesized, you can see that 
    getting an A isn't all that easy.
    
    Is it fission or fusion?
    
    Interestingly, though, FISMA has been a long time coming, and the 
    federal security chiefs had fair time and warning before the sun set 
    on GISRA. It's also noteworthy that the grades in previous years 
    weren't much better -- how could they get any worse? Last year's grade 
    average was an F. This year it's a D. So, maybe things are getting 
    better. It's hard to say, since each agency, regardless of size, is 
    given an equal weight in determining the overall average, so a couple 
    of A's such as for the National Science Foundation and the Nuclear 
    Regulatory Commission (whew!) helped improve the scores a bit overall.
    
    The ROI of security
    
    Federal and industry chief security officers will agree that it's hard 
    to build a tangible case for increased security appropriations. This 
    is primarily because it's hard to quantitatively justify increased 
    spending on IT security because there's little tangible immediate 
    return on investment.
    
    That's what makes IT security policy development all the more 
    challenging. Namely, proving that the need exists and that a properly 
    formed strategy can mitigate risks, protect critical information 
    assets and ensure confidentiality, integrity and availability.
    
    One way to increase appropriations, though, is to fail a security 
    audit and place the blame on inadequate funding, which is essentially 
    what's happening. The fiscal 2005 federal budget increases IT spending 
    by about 10% over fiscal 2004, to close to $60 billion.
    
    A company, especially a public one, has to maintain solid earnings 
    while building equity. Meanwhile, it takes leadership and vision to 
    recognize the value of a solid IT enterprise security policy. Much has 
    been written on demonstrating ROI for IT security, so I won't get too 
    granular here. Suffice it to say that it doesn't take too much effort 
    to perform a solid risk assessment and produce a risk-level matrix 
    that clearly demonstrates the risk thresholds of any enterprise.
    
    The tough part is gaining support and momentum for developing a solid 
    set of plans (contingency, continuity of operations, training and 
    education) and to ensure that these plans get the critical 
    executive-level support within the organization.
    
    Lessons learned - the "P word"
    
    That would be policy, and that's just what NIST provides. But that's 
    not enough. The federal government - and this applies to industry as 
    well - needs guidance but also needs procedures to follow. The average 
    IT professional needs a set of standards to subscribe to and a set of 
    guidelines on how to meet those standards. That's the missing piece, 
    which I hope will be recognized and developed sometime soon.
    
    It was another year of dismal federal IT security grades, and the 
    complexities and threats in the world aren't diminishing. Government 
    agencies and related organizations have their work cut out for them, 
    but the pieces are there. By optimizing talent, focusing on embedding 
    security into the systems development cycle and including further 
    refinement of continuity planning, along with the continual retirement 
    of legacy systems, the overall grades should show improvement next 
    year.
    
    
    [1] http://public.ansi.org/ansionline/Documents/Standards%20Activities/Homeland%20Security%20Standards%20Panel/ComputerSecurity.pdf
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    



    This archive was generated by hypermail 2b30 : Mon Apr 12 2004 - 04:52:40 PDT