HUD, Justice verify security, privacy profile

Lisa Schlosser and Vance Hitch didn't have to think hard when offered the opportunity to test the new Security and Privacy Profile for the Federal Enterprise Architecture.Schlosser, the Housing and Urban Development Department CIO, saw it as an opportunity to not only help the CIO Council's Architecture and Infrastructure Committee, of which she is co-chairwoman, but to dig deeper into one of her agency's 10 lines of business.For Hitch, Justice Department CIO and the CIO Council's Security and Privacy Committee chairman, it was an obvious fit, given the importance Justice places on IT security and his role with the council.'Both felt [validating the profile] would give them a leg up when the profile was issued,' said Sallie McDonald, who led the development of the profile. McDonald is on detail from the Homeland Security Department to George Mason University's critical infrastructure protection program in the university's law school. She is working on the intersection of cyber and physical security, and international work.The four-month pilot, which concluded in February, consisted of using the draft profile on one business system and bringing IT and business people together to make sure the document could be easily understood.McDonald's working group tweaked the profile based on HUD's and Justice's experiences. And HUD and Justice officials learned a lot about their organizations.'The validation exercise gave us a better perspective that we need to look across the enterprise and recognize there are common risks,' Schlosser said. 'For one common solution, we could mitigate 15 risks or weaknesses.'Kshemendra Paul, Justice's chief enterprise architect, said the agency found a bigger than previously known opportunity to reuse security services.'The big eye opener was the fact we were able to identify interesting cross cuts,' he said. 'If we standardize how we did the requirements analysis, we can build into the front end of the system the solutions that can be leveraged.'This is the third version of the Security and Privacy Profile the CIO Council released that complements the federal architecture methodology. The council issued the first one in August 2004 and the second in July 2005.This profile cuts across all five layers of the FEA'business, service component, performance, technical and data reference models. The CIO Council also has issued similar profiles for records management and geospatial information.The security and privacy profile moves the agencies toward addressing these issues from a 'business-centric, enterprise perspective.' The profile, the CIO Council hopes, will integrate 'disparate perspectives of program, security, privacy and capital planning into a coherent process, using an organization's enterprise architecture efforts.'The profile outlines 17 security and 17 privacy control areas, which provide a common terminology and framework. The security control areas includes risk assessment, planning, and system and services acquisition, while the privacy control areas include policies and procedures, monitoring and measuring, and acceptable use.HUD applied the profile to its housing operation and analyzed different subbusiness lines, including tracking mortgage insurance.Schlosser said her team, which included IT, architecture, business, privacy and security executives, identified the business rules and validated the security and privacy of the housing LOB.'We never had a methodology to look at privacy as a part of our business,' she said. 'We were able to look where sensitive information that needed to be protected was in the business line.'She added that they could see where the data existed, where it flowed to and where there were controls, and where there were holes that needed fixing.For instance, Schlosser said the exercise validated the need for a single-sign-on capability for applications and for programs to accept electronic signatures.Justice, meanwhile, tested the profile on its litigation case management system, which is used by all of Justice's litigation divisions and is a core LOB, Paul said.Justice, too, used a diverse team in the exercise.'The profile took us through a step-by-step process so you just don't address the system, but look at mission needs,' said Dennis Heretick, Justice's chief information security officer. 'The structure opened up some questions we hadn't answered before, including how much user involvement we had in our strategic plan.'By testing the profile, Justice officials found that they handle security and privacy pretty well for litigation case management, but that there were areas in need of improvement, Paul said.'The profile helped us ask questions we had not thought about, such as what performance metrics are used to determine success,' Heretick said. 'It is about how it relates to confidentiality, availability and integration of data. It also points to things you have gaps in and how you can address them.'McDonald said the fact that HUD and Justice tested the profile made the working group confident that it would help agencies.She said that, after the pilots, the working group changed the 'logical order' of the profile, and clarified certain paragraphs or sentences based on suggestions from the business officials.'This profile is a tactical piece of work [in which] an agency can sit down and follow the process and come out with a product at the end,' McDonald said. 'If you do the basic steps first and take a sincere look at what you have in the areas of security and privacy, you will find the value.'