People problems still dog security

Toward a Framework for Action

It has become a cliché to say that people are the problem in securing information systems. But now industry experts are hoping they have a model for educating those who are less experienced with technology.

The Business Software Alliance's Information Security Governance Task Force released its security management framework Oct. 8. It is intended to be the first step toward getting managers into a security mind-set.

"Clearly, if you're going to get on top of cybersecurity, you're going to have to do it by managing a system [or] an organization, but it's amazing how often the discussion reverts back to the technology," said Dan Burton, vice president of government relations at Entrust Inc. and one of the leaders on the task force. The framework should help by making people outside the technology organization understand how they fit into the security picture, he said.

The document, titled "Information Security Governance: Toward a Framework for Action," is meant to help companies comply with federal laws and alleviate increased consumer security concerns. It is modeled after international standards and the structure outlined for government agencies in the Federal Information Security Management Act of 2002.

"We in industry have long been focused on working with governments to combat" security incidents, said Robert Holleyman, president and chief executive officer of BSA. "With this task force, we hope to build upon those efforts and provide a framework that helps companies and organizations effectively secure their networks."

The framework outlines governance and business drivers, roles, responsibilities and metrics for chief executives, business unit leaders, program managers and other managers.

The BSA task force is already talking with other industry groups, including the Information Technology Association of America, but the immediate goal is to get groups from other sectors involved, Burton said.

The current white paper presents only an outline of what is considered important — asking questions such as what each level of management is required to do, what they are afraid not to do and how to accomplish those goals. Detailed metrics with examples from many different sectors are also needed "so that a company can open this up and say, 'This is a toolkit that can start me off,' " Burton said.

Companies' need for a governance structure is particularly strong because several federal regulations and laws require security and privacy measures, according to BSA officials. These include the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act, which focus on the health care and financial services industries, respectively.

Much more discussion must occur before the white paper turns into something that company executives can actually use, but it is an important first step, said Bruce McConnell, president of McConnell International LLC, the consulting firm supporting the BSA task force's work.

"It puts on the table that information security is a top management issue," said McConnell, who also served as chief of information policy and technology at the Office of Management and Budget during the Clinton administration. "CEOs and boards haven't been paying enough attention to it, and this helps them learn to do that."

The Bush administration, through the Homeland Security Department's Information Analysis and Infrastructure Protection Directorate, has launched a major push to encourage the private sector to increase its security capabilities.
