
    SPECIAL REPORT: Security Directives & Compliance


    Spotlighting the Future IT Security Outlook

    Regardless whether other nations wage war over the internet, or hackers strike to gain access to electronic records online, federal agencies and departments must remain vigilant to stay one step ahead in their efforts to ensure critical IT operations remain safe.

    Industry observers agree overcoming IT security compliance challenges will require a more unified approach to security management. Fortunately, a transformation is in the works to force changes in the way federal organizations collect, manage and report information to comply with regulations, such as FISMA. The goal of the recently announced Consensus Audit Guidelines (CAG) is to identify the IT components that must be secured, and how to best apply automation and advanced analytics to achieve security and compliance.

    A six-pronged effort is now under way to move the CAG toward government-wide adoption:

    * Public review: Security professionals are reviewing the CAG. All suggestions will be filtered through the proposed controls, and each must be shown to stop or mitigate known attacks. Only additions that can be proven to strengthen defense will be added to the CAG.

    * Pilot implementation: Pilot tests are being conducted to test the CAG for value and cost compared with what would have been done under the compliance practices currently used by federal agencies.

    * NIST/CIO Council Partnership: The federal CIO Council is also reviewing the CAG to determine how it could be used to further focus federal security expenditures. NIST has even provided a crosswalk between the CAG and NIST Special Publication 800-53, demonstrating that the CAG is a subset of the ‘high-level’ controls listed by NIST, and therefore is a good approach to meet FISMA requirements.

    * Inspector General Review: The Federal Audit Executive Council is reviewing the CAG to determine how it might allow auditors to provide reviews that more accurately measure the security of federal systems.

    * Automation Tools Workshops: Federal users of automated controls will present lessons learned. Results from the workshops will be used to help agencies quickly automate controls, using government procurement vehicles such as GSA’s SmartBuy program.

    * Global validation: The CAG will be compared with the audit guides for ISO 2700x, HIPAA, GLB, PCI, and SOX to determine whether any of these regulations include controls and tests that do a better job of blocking or mitigating known attacks.

    Observers maintain that security and compliance have historically been two separate disciplines. And as the VA, FAA and others have learned, compliance doesn’t always translate to an improved security posture. “By using automated tools and analytics technologies to more closely align the goals of compliance and security, government organizations will address gaps, and focus their valuable resources on high-value projects that meet both critical compliance requirements and provide a significant reduction in security risk,” said Alan Paller, director of research at the SANS Institute.

    According to industry observers, by consolidating single-purpose solutions into a more integrated platform in which a broad range of security data (events, configuration, performance, vulnerability and others) is shared, organizations can reduce the number of products used, lower maintenance and support costs, and simultaneously gain a more holistic view of security and compliance.

    At the same time, “virtual desktops will help the government access data from remote locations while keeping the actual data locked in secure facilities instead of on local hard drives of laptops, desktops and thumb drives that tend to get compromised,” said Rue Moody, Strategic Products Technical Director, Citrix Government Systems.

    Ultimately, organizations should start by identifying what information must be protected, assessing the value of that information, and recognizing the viable threats. “In the future,” according to Doug Chabot, Vice President and Senior Solutions Architect, QinetiQ, McLean, Va., “security will increasingly be informed by a clear understanding of mission and environment, and will be structured by a clear, methodical analysis of what we’re protecting, its value, and the threats to that value.”