Agencies see better ways to manage IT

The greatest security challenges facing IT administrators today are not intercepting viruses or blocking attacks but rather controlling the security infrastructure and managing processes.As vulnerabilities and threats expand, vendors have responded with a growing array of antivirus, intrusion protection and prevention systems; virtual private networks; scanners; and filters. The task, then, is to adequately identify network resources and manage this patchwork of security tools to get full value and performance from them.A roundup of promising security practices from federal, state and local agencies illustrates this trend. These 14 security initiatives were recognized at a recent GCN conference on cybersecurity held in Washington. Most of the programs below focus on solutions for managing security, networks and regulatory compliance processes rather than on implementing individual security tools. Here, alphabetically, is a quick look: How do you continue providing secure information services to city government in the midst of a staggering statewide budget deficit? Open-source operating systems and applications available at little or no cost.Using Red Hat Linux, the city was able to eliminate operating system licensing costs for more than 20 servers. The Snort open-source intrusion detection tool performs real-time traffic analysis and packet logging, and the Analysis Console for Intrusion Databases processes alert data. Clam Antivirus was obtained under an open-source general public license and Apache Spam Assassin handles spam.The software was obtained at no cost to the city and resulted in a savings of more than $50,000 for Snort and ACID alone. How do you securely share intelligence data from a variety of classified and unclassified networks? DOD Trusted Workstation.The trusted workstation program, based on technology from Trusted Computer Solutions of Herndon, Va., is the product of a DOD Intelligence Information System team that had to overcome cultural as well as technical hurdles to information sharing. It lets DOD intelligence analysts view and share data across multiple classified networks from a single desktop.Environmental Protection Agency accomplished through strong internal security management How do you better manage IT systems and monitor security risks?Solution: IT Governance Support System and Automated Security Self Evaluation and Remediation Tracking tool.ITGSS, developed by EPA's Office of Research and Development, is designed to handle collection, management and reporting of IT information and share the information with other tools supporting asset management, enterprise architecture and financial systems. It consists of a Web interface hosted on an agency portal.EPA also developed ASSERT for assessing risks and enforcing corrective action. ASSERT is now a government off-the-shelf tool offered to other agencies. The General Services and Social Security administrations use it to meet FISMA requirements.Along with ASSERT, EPA has started using scorecards to communicate security performance to management. How do you determine the criticality of information and IT systems and the level of security controls needed for each? A security program that focuses on people and the decision-making process rather than on technology.The security team uses a security requirements traceability matrix for each system, which is used for conducting required security compliance testing. Threat assessments are conducted based on the system operating environment and on internal and external threats, both natural and man-made. Vulnerability assessments are done with both manual checklists and automated scanning tools. How do you automate reporting of complete and consistent information to the Office of Management and Budget, as required under the Federal Information Security Management Act? Trusted Agent FISMA, a Web-based application from Trusted Integration Inc. of Alexandria, Va., provides a single point for data collection and reporting.Rather than gathering unverified data manually in a variety of formats, data is entered in Trusted Agent FISMA's database using drop-down menus to standardize format and content. TAF automatically generates quarterly and annual FISMA reports.Senior DHS management can access a Digital Dashboard through the department's in-tranet to get up-to-date information on IT security status and improve compliance with federal mandates. How do you automate the DOD IT Security Certification and Accreditation Process for four different classifications of Pentagon networks and more than 100 systems? IA Manager from Xacta Corp. of Ashburn, Va., an off-the-shelf product that guides analysts through the information gathering and entering process to produce the needed documentation.Equipment lists are imported from a regularly updated spreadsheet, then tests are generated for each piece of equipment and a risk analysis process analyzes the results. A workflow tool can route information automatically to the appropriate officials.Network Security Services-Pentagon has installed five production servers supporting 47 systems in 16 agencies. The first online accreditation submittal was in March. How do you perform regular network discovery scans during peak periods, identifying all connected devices without affecting network performance? IPsonar from Lumeta Corp. of Somerset, N.J.An NSS-P Network Scanning Project selected IPsonar based on a one-time scan performed by Lumeta. The tool performs network discovery identifying all connected devices, and a Network Leak Discovery feature ensures that all traffic enters and exits the network through structured control points and that unauthorized connection attempts are rejected.Because it uses a lightweight discovery process, scans can be done in a matter of hours during peak traffic periods without consuming excessive bandwidth. How do you provide strong authentication for both network and access? An enterprisewide e-authentication reference architecture.The architecture includes strong authentication and a public key e-forms engine. The e-forms are incorporated into the secure IT infrastructure and support rapid development and deployment of secure business processes.The software complies with OMB requirements for varying levels of assurance associated with both legacy and new IT systems.