Creating good security habits
- By Diane Frank
- Jul 10, 2000
A method to ensure that agencies are using the right security technology
also turns out to be a great way to establish security standards for personnel.
Agencies use metrics — the measurement of performance and capability
during a period of time — to ensure that programs and policies are working
the way they were intended. Now, systems administrators and program managers
are discovering that metrics are useful in creating and enforcing rules.
For example, when William Hadesty headed the Internal Revenue Service's
information security operations, he found that systems security problems
were fairly easily solved. However, one of the biggest problems — what Hadesty
calls the "challenging the suits" factor — was harder to fix. He found that
people could walk into secure areas without anyone stopping them for clearance.
In a test performed by Hadesty's team, a man walked into a secure area
wearing a suit, a hat and carrying a ladder. He walked around the room,
set up the ladder and walked out without being stopped or questioned.
The root problem was that none of the employees felt personally responsible
for the agency's security, Hadesty said. Sending IRS employees to three
hours of security awareness training each year was not doing the job. So
Hadesty not only improved the impact of training through continual spot
"suit" tests that showed how security applies to each individual, but he
also tied physical and systems security to the performance evaluations of
After setting specific metrics to measure the reaction of employees
to the tests, Hadesty was able to show an improvement during the years he
served at the IRS. And that, he said, is the key — not just using metrics
to find problems, but using metrics to show whether you've found a solution.
Recognizing a good thing, Agriculture Department chief information officer
Joseph Leo made Hadesty the department's associate CIO for cybersecurity.
At the U.S. Agency for International Development, employees are encouraged
to come up with their own security solutions and best practices, and rewards
range from public recognition to bonuses. "People really respond to positive
feedback," said James Craft, information systems security officer at USAID.
Competition among organizations also encourages agencies to improve.
The CIO Council is moving toward finalizing its Information Technology Security
Maturity Framework, which is based on Carnegie Mellon University's Capability
Maturity Models. The council's security committee started work on the framework
after Rep. Stephen Horn (R-Calif.) said he was looking for a way to grade
agencies' security progress the way he graded their Year 2000 progress.
During the grading of Year 2000 fixes, agencies worked hard to keep
from receiving a lower grade than another agency. The same principle could
be used for security, said John Gilligan, CIO at the Energy Department and
co-chairman of the security committee.
The Defense Department also is working on a set of metrics that measures
the readiness of every DOD component in three areas, including the proficiency
of information assurance operations personnel.
While the top two levels both meet the "green" criteria, the competition
factor could push DOD components to reach for "excellent" rather than "acceptable,"
according to Terry Bartlett, readiness assessment team leader at the Defensewide
Information Assurance Program.