IGs, CIOs team on IT security
Collaboration — instead of antagonism — improves outcome for FISMA compliance
Inspectors general and chief information officers are on the same side when fortifying agency information security — even though IGs are supposed to poke holes in system security while they search for weaknesses. IGs examine agencies’ documentation and sample systems to audit them for compliance with the Federal Information Security Management Act.
A relationship that is more collegial than combative can reduce problems in the FISMA process and fix vulnerabilities faster and more effectively, IGs say.
“Working together, CIOs and IGs are improving the quality of agencies’ certification and accreditation (C&A) processes and plans of action and milestones,” said Gwen McGowen, deputy assistant IG for information technology audits at the General Services Administration, speaking at the Federal Information Assurance Conference in Washington Oct. 24.
Relationships between IT employees and the IG are key, said Beth Serepca, leader of the security and information management team in the Office of IG at the Nuclear Regulatory Commission. Good relationships let CIOs discuss flaws and weaknesses with the IG so they can develop a corrective action, she said.
IGs want to be fair and accurate, said Charles Coe, assistant IG for IT audits and computer crime investigations at the Education Department. His relationship with Education’s CIO is better than with previous CIOs he worked with because CIO Bill Vajda emphasized building communications when he arrived at Education, Coe said. At the same time, the IG and CIO can’t be too close, he added.
“As an auditor, you have to draw the line and keep independent,” he said.
Many agencies struggle to make an antiquated infrastructure that has been patched together over years meet Office of Management and Budget IT security requirements, Coe said. Agencies can fix only systems they can identify, and that’s done through an inventory. IGs examine only a sample of those systems in any single year. But all systems are tested in the course of three years.
In performing an audit, many examiners depend on results from scanning and penetration tests.
In a July 27 report, the Government Accountability Office highlighted major weaknesses that persisted in agencies’ IT security in access controls, segregation of duties and configuration management, despite having completed the C&A process for those systems. GAO said agencies needed standard measures to help them more realistically determine their state of security.
McGowen also is training auditors to develop better IT security skills and test procedures for FISMA evaluation, including using vulnerability, database and online applications scanning tools.
She said IGs are breaking new ground in the absence of standard methods for assessing information security programs and systems controls. When performing their C&A, agencies should consider internal and external security controls and the effect on agency operations through a risk-based approach that the National Institute of Standards and Technology published in its Risk Management Framework.
In the NIST framework, the most important measure is the continuous monitoring of security controls by agencies, said Tyler Harding, senior manager of federal advisory services at KPMG. Other changes during the past year, such as OMB’s guidance for a common desktop configuration and reporting of breaches of sensitive information and notification, will help agencies comply with FISMA.
“There has been too much emphasis on FISMA paperwork versus security controls testing and too much emphasis on inspecting quality in operations after they are deployed rather than building security and control processes into system,” Harding said. Harding said he expects the FISMA audit process to move toward an emphasis on program controls and performance measures.
Meanwhile, as ag ncies struggle to meet FISMA standards, they also face serious attacks that target federal operations and assets, Harding said. The attacks are often motivated by financial gain and frequently directed at applications, so it is not enough to simply patch operating systems, he added.
“Agencies face a challenging technology environment,” he said. They have large complex IT infrastructures to defend and many information systems to manage. Agencies must deal with cross-platform distributed computing and dynamic operational environments with changing threats, vulnerabilities and technologies, he said.