IGs, CIOs team on IT security


By Mary Mosquera
November 12, 2007

Inspectors general and chief information officers are on the same side 
when fortifying agency information security, even though IGs are supposed 
to poke holes in system security while they search for weaknesses. IGs 
examine agencies' documentation and sample systems to audit them for 
compliance with the Federal Information Security Management Act.
A relationship that is more collegial than combative can reduce problems 
in the FISMA process and fix vulnerabilities faster and more 
effectively, IGs say.

Working together, CIOs and IGs are improving the quality of agencies' 
certification and accreditation (C&A) processes and plans of action and 
milestones, said Gwen McGowen, deputy assistant IG for information 
technology audits at the General Services Administration, speaking at 
the Federal Information Assurance Conference in Washington Oct. 24.

Relationships between IT employees and the IG are key, said Beth 
Serepca, leader of the security and information management team in the 
Office of IG at the Nuclear Regulatory Commission. Good relationships 
let CIOs discuss flaws and weaknesses with the IG so they can develop a 
corrective action, she said.

IGs want to be fair and accurate, said Charles Coe, assistant IG for IT 
audits and computer crime investigations at the Education Department. 
His relationship with Education's CIO is better than with previous CIOs 
he worked with because CIO Bill Vajda emphasized building communications 
when he arrived at Education, Coe said. At the same time, the IG and CIO 
can't be too close, he added.

As an auditor, you have to draw the line and keep independent, he said.

Many agencies struggle to make an antiquated infrastructure that has 
been patched together over years meet Office of Management and Budget IT 
security requirements, Coe said. Agencies can fix only systems they can 
identify, and that's done through an inventory. IGs examine only a sample 
of those systems in any single year, but all systems are tested in the 
course of three years.

In performing an audit, many examiners depend on results from scanning 
and penetration tests.

In a July 27 report, the Government Accountability Office highlighted 
major weaknesses that persisted in agencies' IT security in access 
controls, segregation of duties and configuration management, despite 
agencies having completed the C&A process for those systems. GAO said 
agencies needed standard measures to help them more realistically 
determine their state of security.

McGowen also is training auditors to develop better IT security skills 
and test procedures for FISMA evaluation, including using vulnerability, 
database and online applications scanning tools.

She said IGs are breaking new ground in the absence of standard methods 
for assessing information security programs and systems controls. When 
performing their C&A, agencies should consider internal and external 
security controls and the effect on agency operations through a 
risk-based approach that the National Institute of Standards and 
Technology published in its Risk Management Framework.

In the NIST framework, the most important measure is the continuous 
monitoring of security controls by agencies, said Tyler Harding, senior 
manager of federal advisory services at KPMG. Other changes during the 
past year, such as OMB's guidance for a common desktop configuration and 
for reporting and notification of breaches of sensitive information, will 
help agencies comply with FISMA.

There has been too much emphasis on FISMA paperwork versus security 
controls testing, and too much emphasis on inspecting quality in 
operations after systems are deployed rather than building security and 
control processes into systems, Harding said. He expects the 
FISMA audit process to move toward an emphasis on program controls and 
performance measures.

Meanwhile, as agencies struggle to meet FISMA standards, they also face 
serious attacks that target federal operations and assets, Harding said. 
The attacks are often motivated by financial gain and frequently 
directed at applications, so it is not enough to simply patch operating 
systems, he added.

Agencies face a challenging technology environment, he said. They have 
large complex IT infrastructures to defend and many information systems 
to manage. Agencies must deal with cross-platform distributed computing 
and dynamic operational environments with changing threats, 
vulnerabilities and technologies, he said.
