Put some bite behind the bark

The most successful security policies are those that agencies can enforce

When the Defense Department writes new information security policies, it’s often a case of the tail wagging the dog, one security administrator said.

Long before news of the Department of Veterans Affairs’ stolen laptop PC became public, DOD’s lack of a data encryption policy meant its employees’ personal information and pay data were in jeopardy when employees transferred data from a mainframe to a backup tape, said the security officer, who requested anonymity because he was criticizing DOD policy and practice.

“We were transmitting files in the clear, and some of it would end up going over the Internet,” he said. “I felt an obligation for military members to protect their data.”

So, well before he learned of a new departmentwide information security policy, the security officer said he purchased encryption software from PKWARE, a company based in Milwaukee. When employees saved data to a target other than a mainframe, the software scrambled that data to make it unreadable to unauthorized users.

“We are just now starting to get specific procedures on what we have to do to protect laptops and transmissions of data,” the security officer said. “Up until that point, there was nothing.”

Information technology security has been a hot topic for several years, but vulnerabilities exposed by AWOL laptops in recent months sent many agencies scurrying to renew their efforts. Adding to the pressure, many federal agencies received poor grades on report cards from the House Government Reform Committee for failing to comply with the Federal Information Security Management Act (FISMA).

When the committee issued report cards this past spring, more than half of the 24 evaluated agencies received a C or worse for security. Eight, including DOD, received Fs. The Government Accountability Office is studying whether DOD and other large agencies struggle to meet FISMA requirements because of their size.

Many agencies say the federal security policies require so much auditing and documentation that they sap resources and might detract from agencies’ efforts to secure their information systems. Several best practices related to security policies can help the government improve security and compliance, experts say.

Security gaps
FISMA requires agencies to develop policies that address core security issues, including implementing procedures that reduce risks to acceptable levels and providing security testing and training for employees and contractors. Guidance from the National Institute of Standards and Technology can help agencies prioritize their information systems based on whether a security breakdown would have a high, moderate or low impact.

FISMA law and NIST guidance give agencies a framework for developing policies. But security gaps and enforcement problems often make those policies ineffective. “A number of our audits have found that some agencies are very good at developing comprehensive information security policies and procedures, but problems come into play when they try to start implementing them,” said Gregory Wilshusen, GAO’s director of information security issues.

For example, agencies with low security ratings might inconsistently apply policies across geographically dispersed data centers, leaving some divisions more vulnerable to attacks. In addition, when agency leaders don’t demonstrate their commitment to security policies, junior staff members may consider compliance a choice rather than a necessity.

Poorly defined policies for user authentication and access control lead to security breakdowns, GAO auditors found. One common weakness is a lack of policies and enforcement systems to systematically replace vendor-supplied passwords when agencies install new software.

Similarly, many security policies don’t specify how agencies should ensure that administrators install all necessary security patches. “In many cases, they may have the policies in place, but they are not being effectively implemented,” Wilshusen said.

New tactics
Funding sources also play a role in the successful adoption of security policies. If an agency’s divisions have their own funding sources, they might also have their own IT infrastructure, which complicates the implementation of agencywide or departmentwide policies.

Such problems don’t have to be intractable, however. Many agencies are learning to synchronize policies and practices. Experts say new security policies should emphasize the data rather than focus on protecting infrastructure vulnerabilities such as Internet access points and local-area network gateways.

“The VA incident and others have shown these old approaches are necessary but not totally adequate,” said Dennis Hoffman, vice president of information security at vendor EMC, who has testified at congressional hearings on information security. “Agencies are moving from protecting the perimeter to managing and securing information,” he said.

Such policies set strict guidelines and specific enforcement systems to minimize how much data leaves a secure perimeter. They dictate what information users can download to portable devices, including laptops and personal digital assistants. In addition, the policies and guidelines help administrators decide what information they should routinely encrypt.

Consistency is another essential characteristic of successful security policies. “The most important thing is to get everyone marching in the same direction with a common set of standards,” said Steven Newburg-Rinn, director of the Civil Government Information Assurances Division at SRA International. “The more dueling policies you have, the more likely it is that people will throw up their hands and say, ‘I don’t know what they want out of me.’ Policies have to be ones that people can live with,” he said. “And that’s a challenge.”

The Treasury Department created a security group that addresses such challenges almost daily. It develops security and enforcement policies with help from members of a security group that is part of a departmentwide chief information officer council. The security committee consists of officers from Treasury’s 13 bureaus. They meet formally once a month and communicate regularly via phone calls and e-mail messages.

The group often focuses on how to update departmentwide security policies. Last year, it conducted a comprehensive review of all security policies.

The group also decides which policies apply agencywide and which ones require local coordination. For example, Treasury mandates system backups but lets organizations determine frequency and procedures according to the sensitivity of the data they manage, said Ed Roback, Treasury’s associate CIO for cybersecurity and chief information security officer. “We don’t write a departmentwide policy about where to store the backups and how to create them. That’s all locally dependent on the local hardware” and other individual factors, he said.

Enforcement bite
Enforcement is another top concern of Treasury’s security group. Its members ask bureaus whether they have fully implemented policies, such as contingency plans, and whether others need additional work. The group might ask for samples of their plans.

“Once we get them, we look at them in terms of quality against the NIST guidelines or departmental policy,” Roback said. “If there’s room for improvement, we provide feedback to the bureaus.”

Agencies also add enforcement bite to their bark in the form of system audits, said Beau Hutto, federal director for advanced security technologies at Juniper Networks, which offers hardware, intrusion-detection and -prevention systems, and virtual private networking products. “Being able to see what is running on your network will help you define your policies as a whole,” Hutto said. Besides conducting network traffic audits, some organizations also monitor individual applications, including file attachments sent via instant messaging systems, which can cause security breaches, Hutto said. Collecting such use statistics can help agencies identify areas that a new security policy needs to address, he said.

For attaining similar security goals, security information and event management systems are one of the fastest-growing segments of the security technology industry, Hoffman said. Such systems collect data from servers, routers, storage devices, databases and applications. Managers can analyze that data in real time and create compliance reports that show any unusual activity. “The audits look at anything that can be logged — for example, when user X logged in, what he did and when he logged off,” Hoffman said.

Another valuable tool to assess policy compliance is the Automated Security Self-Evaluation and Reporting Tool (ASSERT), software originally developed by the Environmental Protection Agency, Newburg-Rinn said. The Web-based tool helps agencies compare their security performance against NIST’s guidelines and automatically create compliance reports.

“Agencies can look across the entire enterprise and say, ‘Here is the status of my systems, here are the areas where we have weaknesses,’” he said.

But he added that tools such as ASSERT require business processes that support effective security policies. “No matter how good your tool is, you may not succeed” without that policy foundation, he said.

Successful policies must also be financially feasible. “No organization can afford 100 percent security; it just isn’t feasible from a financial perspective,” said Judy Carr, vice president of research for public-sector governance and sourcing at consulting firm Government Insights.

Agencies need to balance security and budgets by undergoing a process that evaluates the critical information and systems that need protection within their organizations. Those criteria should identify information that requires the greatest confidentiality, data integrity and availability safeguards. “Then agencies can make strategic decisions about what they purchase,” Carr said.

“If agency executives do a real business case exercise,” she added, “they will make better security decisions in light of their limited budgets.”

Joch is a business and technology writer based in New England. He can be reached at ajoch@worldpath.com.

Security regs: A burden for policy developers?Federal agencies must adhere to scores of security policies and write reports throughout the year to demonstrate their compliance. But do those policies make information technology systems safer?

No, said Alan Paller, director of research at the SANS Institute, a security training organization, and manager of the Internet Storm Center, which issues early warnings of cyberattacks. In an interview, Paller explained why he believes security regulations, Office of Management and Budget reviews and annual Federal Information Security Management Act audits sap federal resources, and he tells what the federal government should be doing to better protect its IT systems.

Do you think federal security requirements are making agencies safer from cyberattacks?

Paller: They aren’t safer. How many pages of different laws do agencies have to follow, whether or not those laws are consistent and whether or not they enable agency effectiveness? Nobody has a budget big enough to meet all of the requirements. So it’s really quite impossible the position you put security people in inside the government.

What should we be doing to increase security?

Paller: Agencies need to do exactly what’s done on airplanes or in chemical plants. They need to implement continuous monitoring and continuous fixing [when problems arise]. So they’re watching every system, every penetration point all of the time. Whatever needs to be done to protect against a new attack should be done in real time.

That is one of the really cool things the government is starting to do. We used not to watch [infrastructures] very carefully. We used to have junky intrusion-detection systems. But those have [improved] at a couple of agencies. There’s a program at the Homeland Security Department called Einstein, and it is free to federal agencies. It finds places where agencies are being attacked.

Does that imply a larger trend toward centralizing security procedures and perhaps taking more security responsibilities away from users?

Paller: We are seeing a massive shift [to central control]. Not so much because the [security managers] want it, but because users don’t want [the responsibility]. They are under such pressure to do all these things to their computer, and they are saying, “You run the darn thing.”

Will that mean more thin clients and similar architectures in the future?

Paller: You will see more thin clients. You will see more application servers. Anything that makes it more efficient to centralize will grow. You are not going to get rid of [Microsoft] Windows — this trend is not tolling the end of Windows or anything like that. You are just going to see more of the other alternatives.

7 strategies for syncing security policies and practicesAgencies can use security policies to protect their sensitive information by:

  • Drafting policies for protecting data and infrastructure. Information-scrambling encryption technologies, for example, would have mitigated the risk caused by a Department of Veterans Affairs employee who disregarded the agency’s data-handling policies for laptop PCs.

  • Establishing strict rules and enforcement mechanisms to control when data can leave secure locations and under what circumstances.

  • Evaluating security policies for consistency. Conflicting rules frustrate users and often cause compliance lapses.

  • Creating committees of security officers from bureaus or departments. Encourage members to meet several times a year and communicate regularly to discuss policy updates as the need arises.

  • Considering security information and event management systems to monitor data from servers, routers, storage devices, databases and applications. Reports can alert security managers to unusual activities and identify areas where new policies might be necessary.

  • Evaluating the Automated Security Self-Evaluation and Reporting Tool (ASSERT) and Einstein, two government-developed software applications that can help agencies secure their information systems and general compliance reports.

  • Building business cases to help prioritize security spending and balance tight budgets and security needs.

2014 Rising Star Awards

Help us find the next generation of leaders in federal IT.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above