By Mary Mosquera
November 12, 2007
Inspectors general and chief information officers are on the same side
when fortifying agency information security even though IGs are supposed
to poke holes in system security while they search for weaknesses. IGs
examine agencies documentation and sample systems to audit them for
compliance with the Federal Information Security Management Act.
A relationship that is more collegial than combative can reduce problems
in the FISMA process and fix vulnerabilities faster and more
effectively, IGs say.
Working together, CIOs and IGs are improving the quality of agencies
certification and accreditation (C&A) processes and plans of action and
milestones, said Gwen McGowen, deputy assistant IG for information
technology audits at the General Services Administration, speaking at
the Federal Information Assurance Conference in Washington Oct. 24.
Relationships between IT employees and the IG are key, said Beth
Serepca, leader of the security and information management team in the
Office of IG at the Nuclear Regulatory Commission. Good relationships
let CIOs discuss flaws and weaknesses with the IG so they can develop a
corrective action, she said.
IGs want to be fair and accurate, said Charles Coe, assistant IG for IT
audits and computer crime investigations at the Education Department.
His relationship with Educations CIO is better than with previous CIOs
he worked with because CIO Bill Vajda emphasized building communications
when he arrived at Education, Coe said. At the same time, the IG and CIO
cant be too close, he added.
As an auditor, you have to draw the line and keep independent, he said.
Many agencies struggle to make an antiquated infrastructure that has
been patched together over years meet Office of Management and Budget IT
security requirements, Coe said. Agencies can fix only systems they can
identify, and thats done through an inventory. IGs examine only a sample
of those systems in any single year. But all systems are tested in the
course of three years.
In performing an audit, many examiners depend on results from scanning
and penetration tests.
In a July 27 report, the Government Accountability Office highlighted
major weaknesses that persisted in agencies IT security in access
controls, segregation of duties and configuration management, despite
having completed the C&A process for those systems. GAO said agencies
needed standard measures to help them more realistically determine their
state of security.
McGowen also is training auditors to develop better IT security skills
and test procedures for FISMA evaluation, including using vulnerability,
database and online applications scanning tools.
She said IGs are breaking new ground in the absence of standard methods
for assessing information security programs and systems controls. When
performing their C&A, agencies should consider internal and external
security controls and the effect on agency operations through a
risk-based approach that the National Institute of Standards and
Technology published in its Risk Management Framework.
In the NIST framework, the most important measure is the continuous
monitoring of security controls by agencies, said Tyler Harding, senior
manager of federal advisory services at KPMG. Other changes during the
past year, such as OMBs guidance for a common desktop configuration and
reporting of breaches of sensitive information and notification, will
help agencies comply with FISMA.
There has been too much emphasis on FISMA paperwork versus security
controls testing and too much emphasis on inspecting quality in
operations after they are deployed rather than building security and
control processes into system, Harding said. Harding said he expects the
FISMA audit process to move toward an emphasis on program controls and
Meanwhile, as ag ncies struggle to meet FISMA standards, they also face
serious attacks that target federal operations and assets, Harding said.
The attacks are often motivated by financial gain and frequently
directed at applications, so it is not enough to simply patch operating
systems, he added.
Agencies face a challenging technology environment, he said. They have
large complex IT infrastructures to defend and many information systems
to manage. Agencies must deal with cross-platform distributed computing
and dynamic operational environments with changing threats,
vulnerabilities and technologies, he said.
Visit InfoSec News