Dacey: Agencies need smarter, stronger security management

Robert F. Dacey is the General Accounting Office's director of information security. He's been working on IT security for GAO since 1991. Before that, Dacey worked for the accounting firm Deloitte & Touche LLP. He has a degree from George Mason University Law School. Associate editor Richard W. Walker interviewed Dacey in his office in Washington.

Robert F. Dacey

GCN: What is the role of GAO, as the investigative arm of Congress, in assuring information security in the government?

DACEY: GAO reviews information security, both for major agencies and governmentwide, in response to specific congressional requests and to fulfill various statutory requirements, such as reviewing information security as a critical part of financial statement audits.

In 2002, the Congress enacted the Federal Information Security Management Act, commonly referred to as FISMA, to permanently authorize an overall framework for managing information security at federal agencies, including annual review, independent evaluation, and reporting requirements. FISMA also requires GAO to periodically evaluate and report to the Congress on federal information security and implementation of the act.

GCN: What do you think are the biggest threats right now to information systems?

DACEY: There are a number of sources of external threats, including terrorists, criminals and hackers. One of the reasons that level of threat is likely increasing is that hacker tools are more readily available. They're relatively easy to use and can be used to both scan for vulnerabilities and exploit them. A few years ago, such tools were really reserved for very computer-savvy individuals.

While you do ultimately have to be concerned about the nature of the cyberthreat, whether it's really an attack upon our country as opposed to an attack by a hacker, it's building that security regardless of the source of attack that's important.

That's a little different than the model traditionally used on the physical threat side, where you're worried about who's doing what. Here you're saying, "There's a whole multitude of people that could attack; I need to protect my system against common ways that systems are attacked."

At the same time, there is a significant threat from insiders. That's been identified in a number of studies as a significant area of concern, particularly since insiders likely are already authorized users on the systems at some level and have a significant amount of knowledge about those systems and how they operate.

GCN: What are the specific risks involving insiders?

DACEY: Insider risks could include everything from theft or misuse of assets to disclosure of sensitive information and disruption of processing capabilities. [Internal risks] also include poor configuration of systems, which is really a management issue. It's as much a management issue as a technical issue.

GCN: What are the biggest challenges agencies face in meeting cyberthreats?

DACEY: One of the unique challenges in cybersecurity is that attacks can be launched from virtually anywhere in the world and be disguised to make it very difficult, if not impossible, to identify the sources of the attacks.

So in response to that, it's important that agencies develop effective information security to prevent, detect and respond to those types of attacks, particularly in areas where there are known vulnerabilities or configuration errors that could be exploited by commonly known techniques.

Another involves critical infrastructure protection. The Office of Management and Budget now requires major agencies to identify their critical infrastructures, which are a subset of their information systems, and further identify their interdependencies on other government and private-sector infrastructures, such as power and telecommunications. They then must come up with a plan to remediate any vulnerabilities in those systems.

GCN: How well are agencies implementing security requirements?

DACEY: It's clear that agencies are making progress in improving information security, both from our reviews and from the Government Information Security Reform Act reports that OMB has received for the past two years. At the same time, those reports highlight the areas where agencies need to improve their information security.

GISRA requires annual reporting to OMB by agency management and the inspectors general. We've identified implementation of GISRA as a significant step in improving information security in the federal government. The second-year GISRA reports indicate general progress across the various categories of performance measures that are reported to OMB.

GCN: What are the primary areas where agencies are weak on information security?

DACEY: Our most recent analyses of audit reports and evaluations indicate that there are significant weaknesses in all of the 24 major agencies we reviewed. The most prevalent relates to security program management, which is embodied in FISMA. Agencies should have in place programs to manage their information security across the organization.

We've also identified weaknesses in a variety of areas besides security program management, including access controls, software development and service continuity.

GCN: How crucial is upper management's role in this process?

DACEY: A security management program has to have effective management support. It's important because one of the keys to successful information security is not to rely solely on the information security team to do everything. They really have more of the responsibility to coordinate information security.

GCN: What are the major elements of good security program management?

DACEY: There are several. One is ensuring that you've got a core information security management unit, a central group that coordinates information security across the organization.

It's also important that you have policies and procedures for assessing your security risks. You also need to implement a program to routinely test the effectiveness of your security systems and promote user awareness about their responsibilities for information security.

GCN: What are the most important steps agency managers should take to improve systems security?

DACEY: I would discuss that in terms of short term and long term. Long term, they need to continue work at implementing FISMA, including developing systematic processes for managing security. FISMA has an annual reporting requirement, which serves as a tool for oversight by OMB and Congress. But agencies also need to have regular reporting processes to help managers monitor security and make adjustments on a day-to-day basis.

In the short term, there are a number of actions that agencies can take, including making sure that patches are up-to-date on their systems and scanning their systems for vulnerabilities. Increasing security awareness overall is another.

GCN: OMB has mandated that agencies build IT security into their enterprise architectures. To what extent is that critical, insofar as most agencies are still in the early stages of building them?

DACEY: Security architecture is an important component of enterprise architecture in that agencies need to lay out and describe the nature of the security architecture they want to have in their target environment. They should also have a transition plan for getting from their current structure to that target environment.

In the meantime, until these plans are developed and the transition plans are implemented, agencies need to work on improving information security today and complying with FISMA.

It's important for agencies to continue to keep up efforts to improve security as the enterprise architecture is rolled out.

GCN: To what extent is technology the answer to security hurdles? Are there any silver bullets?

DACEY: Technology is certainly part of the answer. I don't think there is any particular technology that's a silver bullet. I think more likely it will require a combination of technologies and human resources to have effective information security.

We have many tools today that are very helpful in implementing information security, but it takes the interaction of people to make sure that they're working and that systems are secure. So you really need both.

There are a couple of recent efforts that are intended to strengthen the ability of technologies to improve information security. One is the passage of the Cyber Security Research and Development Act, which provides funding to promote R&D on cybersecurity.

The other is the formation, as part of the Homeland Security Department, of the Directorate of Science and Technology, whose responsibilities include assessing both current technologies and their applicability to cybersecurity.

GCN: Is finding a balance between security and privacy a larger issue now as we move toward transformational electronic government?

DACEY: Agencies should develop appropriate privacy policies and procedures consistent with applicable laws. That's an important aspect and certainly one that's in the current public eye.

Security is the key tool for enforcing those privacy policies. So there is a relationship between security and privacy, but it's more to the effect of being able to enforce the privacy policies you have in place.

GCN: As agencies outsource more IT services to contractors, what are the implications for security?

DACEY: OMB has identified [security in outsourced services] as one of the common weaknesses governmentwide, and we've also reported similar concerns.

The important thing about outsourcing is to make sure that there are provisions and processes for ongoing oversight of security related to that outsourcing. You need to make sure there is a common agreement on the level of security that's expected to be provided.

You also need to consider, as appropriate, the need for security clearances for some of the [contractor] staff who work on the systems and handle the data.

GCN: The Federal Acquisition Regulatory Council is developing contract language to incorporate into future government services contracts. How much of an impact will that have?

DACEY: I think that's an important effort, but again it gets back to the challenge that agencies have to put in place appropriate processes to manage and oversee outsourced operations from a security standpoint.

GCN: What do you see ahead on the security front? How can agencies prepare for the unexpected?

DACEY: It's hard to predict what the future will hold in terms of challenges, but I think there are a lot of steps that agencies can take to better prepare themselves for eventualities that we can't perceive today.

No. 1 is to provide appropriately layered security, where if one layer fails you have other layers to protect your systems below that.

The second area is looking at improving intrusion detection, either in terms of actual implementation or further R&D into that area, so that you can identify unusual activities taking place in your system and respond to them.

The third area that needs to be addressed is continuity planning. That's important because, if everything else fails and there is a successful attack that does affect the performance of your systems, you have a process in place to recover in a timely way.

It's also important to test those plans on a regular basis to ensure that they are effective and can be implemented in an emergency.

You'll never know exactly what the threats will be tomorrow, but there are things that can be done to help minimize or mitigate the impact.