A model for security
- By Diane Frank
- Mar 09, 2000
The CIO Council last week unveiled a tool that federal agencies can use
to improve security practices and that Congress can use to assess their
progress.
The Information Technology Security Maturity Framework is intended to
provide agencies with a road map for incorporating security practices into
their everyday IT operations, said John Gilligan, co-chairman of the CIO
Council's security subcommittee and CIO at the Energy Department.
The model describes six levels of "security maturity," ranging from
Level 0, in which organizations have no security programs, to Level 5, where
organizations are constantly improving their security programs, either
to improve their effectiveness or to counter new threats.
The framework currently provides only a general description of each
level, but the council is working with the General Accounting Office and
Software Engineering Institute to refine the framework so that it can serve
as a "checklist guide" for agencies, said Gilligan, speaking last week to
the House Government Reform Committee's Government Management, Information
and Technology Subcommittee.
The CIO Council is developing the framework to help agencies that have
been under pressure to improve security practices but that have lacked a
clear idea of where to begin. For now, the council is encouraging all agencies
to work toward Level 2, at which an agency has a documented security program,
Gilligan said.
The framework also can serve as a way to "grade" an agency's security
practices — something the subcommittee has been interested in as a way to
spur agencies to improve security practices. In fact, Rep. Stephen Horn
(R-Calif.), who used a grading scale in assessing agencies' Year 2000 progress,
is looking at the security model as a way to measure agency security efforts,
a Horn staff member said.
The framework is based on the concept of the "Capability Maturity Model"
developed over the years by SEI, a federally funded research and development
center at Carnegie Mellon University. Agencies across government already use
SEI's similar model for software engineering, the Capability Maturity Model
for Software, to assess the capabilities of potential contractors.
Gilligan also said the CIO Council is working with two other groups,
the CFO Council and the Information Technology Association of America, to
develop benchmarks for assessing the security of common electronic services,
such as electronic financial transactions and World Wide Web-based benefits
inquiries.
"Our goal is to provide a sufficiently robust set of examples, or a
framework, that managers could use to assist them in addressing the question
of what is adequate security," he said.