William Jackson | A path to better practices
Cyberye: Security through compliance?
DURING THE LAST YEAR OR SO, a raft of reports from the Government Accountability Office has detailed the shortcomings of federal information security. Weaknesses in security policies and practices have exposed sensitive data, and an Internet threat report from Symantec found that one-fourth of personal data breaches in the first six months of 2007 occurred in the government sector.
'What has really changed for 2008? Not a whole lot,' said Jim Russell, Symantec's public sector vice president.
The problem, as he sees it, is piecemeal implementation of best practices for securing information in an enterprise. The tools and knowledge to do the job exist, but despite legislation and mandates requiring a basic level of security controls, they are not being routinely applied.
Symantec sells security, of course, and the company has an interest in seeing that people buy it. But the best practices the company lays out for securing information make sense.
In fact, they sound an awful lot like what already is in the Federal Information Security Management Act: '
- The first step is to understand the environment. Identify your critical assets, and assess the level of risk from each.
- Create, monitor and enforce a security program based on the vulnerability assessment, and do penetration testing to determine where your weaknesses are.
- Put continuity-of-operations and disaster recovery plans in place, and routinely test them to ensure they are up-to-date and functional.
- Finally, do it all over again. Information technology environments are constantly changing and must be continually monitored and evaluated, and policies must be adjusted accordingly.
In broad terms, this is what FISMA already requires, and agencies that have moved past the paper chase of FISMA compliance and used the data they have collected to produce policies and assign security controls are more likely able to address threats in the ever-changing security landscape.
That is not to say than regulatory compliance or any set of best practices will provide complete security and eliminate all risks.
'If all the agencies were compliant with all the regulations,' Russell asked, 'would all the problems be solved? No.'
But it would provide a baseline of security and situational awareness that could let administrators deal with emerging threats proactively rather than constantly playing catch-up.
Some complain that regulatory compliance and security is poor in some agencies because FISMA, Office of Management and Budget guidance and other information security requirements lack teeth. Symantec and other companies are pushing Congress to enact legislation to make these requirements more stringent. But this is not necessary. Shortfalls in regulatory compliance are not the result of a lack of will. They are the result of a shortage of manpower, money and other resources as they juggle compliance with an increasing number of unfunded mandates. Agencies already are being monitored and audited, and budgets are being tied to FISMA compliance.
An added layer of enforcement with the associated costs could make the problem worse.
Agencies already know what they need to do, and I believe they are willing to do it. What they need is the money and manpower to accomplish their jobs. IT security can then become a routine and not a crisis.