
Dacey: Agencies need smarter, stronger security management

By Richard W. Walker, GCN Staff

Robert F. Dacey is the General Accounting Office’s director of information security. He’s been working on IT security for GAO since 1991. Before that, Dacey worked for the accounting firm Deloitte & Touche LLP. He has a degree from George Mason University Law School. Associate editor Richard W. Walker interviewed Dacey in his office in Washington.

GCN: What is the role of GAO, as the investigative arm of Congress, in assuring information security in the government?

DACEY: GAO reviews information security, both for major agencies and governmentwide, in response to specific congressional requests and to fulfill various statutory requirements, such as reviewing information security as a critical part of financial statement audits.

In 2002, the Congress enacted the Federal Information Security Management Act—commonly referred to as FISMA—to permanently authorize an overall framework for managing information security at federal agencies, including annual review, independent evaluation, and reporting requirements.

FISMA also requires GAO to periodically evaluate and report to the Congress on federal information security and implementation of the act.

GCN: What do you think are the biggest threats right now to information systems?

DACEY: There are a number of sources of external threats, including terrorists, criminals and hackers. One of the reasons that level of threat is likely increasing is that hacker tools are more readily available. They’re relatively easy to use and can be used to both scan for vulnerabilities and exploit them. A few years ago, such tools were really reserved for very computer-savvy individuals.

While you do ultimately have to be concerned about the nature of the cyberthreat—whether it’s really an attack upon our country as opposed to an attack by a hacker—it’s building that security regardless of the source of attack that’s important.

That’s a little different than the model traditionally used on the physical threat side, where you’re worried about who’s doing what. Here you’re saying, “There’s a whole multitude of people that could attack; I need to protect my system against common ways that systems are attacked.”
