Security: It's a management thing
- By Diane Frank
- Dec 11, 2000
Federal agencies are making the same mistake when it comes to security: viewing it as something that can be fixed with technology and not recognizing
it as a management issue, officials said Monday.
"We have a tendency to turn [security] into a technical problem, rather
than a management problem with technical aspects," said Marty Wagner, associate
administrator of the General Services Administration's Office of Governmentwide
Policy, speaking Monday at the Defending Cyberspace conference in Washington,
The CIO Council's Security,
Privacy and Critical Infrastructure Committee is working on several initiatives
to help agencies get a handle on the management aspect of the federal security
problem, said John Gilligan, deputy chief information officer at the Air
Force and co-chairman of the committee. Some pieces already are available,
including a Web-based repository of security best practices and the Information
Technology Security Assessment Framework that the council released last
But the biggest problems and the best solutions come from line managers
and program leaders, Gilligan said. Getting the word out to these people
and getting them to understand the importance of their role in the security
of federal systems and programs is one of the challenges the council is
trying to solve right now, he said.
For the most part, the council's efforts involve providing newsletters,
sample policies and conferences, but the council is also partnering with
the U.S. Chief Financial Officers Council and others, Gilligan said.
In the immediate future, the committee's efforts are focused on two
areas: risk management and funding.
Many agencies do not know how to assess their level of risk or how to
manage that risk throughout a program's life cycle. Although the General
Accounting Office has issued an executive guide presenting risk management
best practices from industry and government, the security subcommittee is
trying to develop additional guidelines and processes to help, Gilligan
Agencies struggle to fund problems relating to federal requirements
under Presidential Decision Directive 63, which calls for agencies to protect
systems that run the nation's critical infrastructure. President Clinton
signed PDD-63 in May 1998, but agencies have trouble getting funding for
programs that often cross agency lines.
Gilligan said the critical infrastructure protection subcommittee is
developing guidelines for agencies on how to prepare budget submissions
and how to work on those submissions with the Office of Management and Budget
and the appropriations committees in Congress.