Security: How do you know you have it if you don't measure it?
- By William Jackson
- Oct 25, 2006
Achieving IT security goals requires more than information technology. It requires a set of metrics to tell you how close you are to reaching your goals.
'You get what you measure,' Postal Service IT governance manager James L. Golden said Wednesday at the Federal Information Assurance Conference being held at the University of Maryland.
USPS, which has one of the nation's largest IT infrastructures with 7,000 networked sites and 175,000 users in every corner of the country, uses 130 metrics to track its daily, weekly and monthly security posture, said IT program manager Kenneth Nesper Jr. Doing this requires cooperation throughout the organization, he said.
'It has to be something that operational management buys into,' he said.
Getting that buy-in can require pressure from senior management.
Metrics can be an effective tool in getting the support of senior management, said computer security officer Marc H. Noble of the Federal Communications Commission.
'It does help focus their attention,' Noble said. But, 'you have to know what interests your management.'
At FCC, which has just 2,800 workers concentrated in the Washington area, the interest was primarily regulatory compliance, Noble said. 'Their first question was, "What's our FISMA score?"'
USPS has been aggressively tracking its security posture for about 18 months. In that time, it has upgraded all its Windows XP workstations to Service Pack 2, Nester said. 'By July of this year we believe we got all of that done.'
The service is running at about 80 percent on daily updates of antivirus signatures for desktops and more than 80 percent for properly configured personal firewalls. In September, it reached 100 percent on its goal of three-day data backups for its servers, although Nester does not expect that figure to be constant because of the difficulties of doing some backups over remote connections.
'The number of change requests is too high,' he said.
The service is averaging two or three unscheduled emergency changes of software or configurations each day, or about 50 to 70 each month. Beginning in 2007, USPS plans to limit that to just one emergency change each day.
But disappointing results also can be used to advantage, Noble said. FCC had a poor rate of getting its minor applications certified and accredited as required by FISMA.
'That caught management's attention very quickly,' he said.
He was able to leverage that attention for management support in improving the program. To justify that support, he must have a plan of action and show improvement.
Metrics also can provide useful feedback to IT staff to help it become more efficient and effective, Noble said.
Metrics can also work against you, Golden warned.
'Be careful what you measure,' he said, because if you measure the wrong thing it can encourage unwanted behavior.
Golden said that when USPS was measuring the percentage of problems that were being resolved in just one call to the IT help desk, customer satisfaction actually went down. He found that help desk workers were focused on clearing a problem on the first call, whether or not the problem was really resolved.
William Jackson is a Maryland-based freelance writer.