FISMA forces business leaders to pay attention

A cyberattack on the State Department in 2006 highlights the impact of the five-year-old law.

For one of the best examples of the impact of the Federal Information Security Management Act in the past five years, look no further than the State Department’s reaction to a hacker attack from a foreign country in 2006.

Instead of instantly shutting down the affected networks, the department performed a risk analysis and discovered that the hack involved reconnaissance rather than data theft, said Donald Reid, senior coordinator for security infrastructure at State’s Bureau of Diplomatic Security.

“We saw there was no malicious activity, so we worked with the chief information officer to develop a set of tripwires of when we needed to pull the host networks,” Reid said today at a FISMA breakfast discussion sponsored by Government Executive magazine. “As soon as we saw an exfiltration of information, we would pull the networks off-line.”

Reid said he and his team evaluated the business impact of taking 45 networks off-line and waiting up to two months for the software patch to arrive.

“We found two vulnerabilities in our Microsoft software. One was known and one wasn’t,” he said.

State’s ability to determine the business impact of shutting down systems is a clear example of how far FISMA has come since it became law in 2003.

“We have raised awareness of [information technology] security among senior business leaders because of FISMA,” said Ed Meagher, deputy CIO at the Interior Department. “FISMA grades are a general evaluation of how mature our processes have become, but it only takes you so far. We need to look at tools that show how ready we are to repel hackers and viruses.”

Meagher said FISMA continually reminds businesspeople why IT security is important, but agencies also need to constantly monitor their networks.

Michael Castagna, chief information security officer at the Commerce Department, said the department’s move to a standard Microsoft desktop PC configuration is a significant step toward secure networks.

“The great majority of exploits come from misconfigured systems or missing patches,” he said. “The secure desktop will help us close these exploits.”

But he also warned that because the baseline configuration is public, hackers will find exploits, so the standard should only be a starting point for securing desktop computers.

Commerce is moving to real-time network monitoring, Castagna added, and officials chose the Justice Department’s FISMA reporting tool under the IT Security Line of Business for that purpose. Commerce is scheduled to finish deploying the tool by March 2008.

Meagher and others said the best approach to IT security still comes from selling the business benefits to program people.

“We have to explain why we need to spend money on security beyond the reasoning ‘so nothing bad will happen,’” Meagher said. “We need to explain it on a business level and discuss the disruption of the business processes and mission goals. When we do that, the businesspeople take you more seriously.”

Castagna added that IT security must be seen as a tool for helping agencies achieve their missions, and therefore, the CISO must understand the chief financial officer’s language.
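The tripwire approach Reid describes, in which networks stay online while observed activity looks like reconnaissance and are isolated as soon as data begins leaving, can be expressed as a small decision rule over network flow records. The following is an added illustration, not code from the article or from any agency tool; the internal address range, the thresholds and the sample flows are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal address space for this toy example (not from the article).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Assumed tripwire thresholds; in practice these come out of the risk analysis.
RECON_MIN_TARGETS = 20              # distinct internal host:port pairs touched by one external peer
EXFIL_MIN_BYTES = 50 * 1024 * 1024  # outbound bytes from one internal host to one external peer


@dataclass(frozen=True)
class Flow:
    src: str      # source address
    dst: str      # destination address
    dport: int    # destination port
    nbytes: int   # bytes sent from src to dst


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(flows):
    """Return a list of (kind, actor, detail) findings: 'recon' for an external
    peer probing many internal host:port pairs, 'exfil' for an internal host
    pushing a large volume of data to one external peer."""
    probes = {}    # external peer -> set of (internal host, port) it touched
    outbound = {}  # (internal host, external peer) -> bytes sent outward
    for f in flows:
        src_in, dst_in = is_internal(f.src), is_internal(f.dst)
        if not src_in and dst_in:
            probes.setdefault(f.src, set()).add((f.dst, f.dport))
        elif src_in and not dst_in:
            key = (f.src, f.dst)
            outbound[key] = outbound.get(key, 0) + f.nbytes
    findings = []
    for peer, targets in probes.items():
        if len(targets) >= RECON_MIN_TARGETS:
            findings.append(("recon", peer, len(targets)))
    for (host, peer), total in outbound.items():
        if total >= EXFIL_MIN_BYTES:
            findings.append(("exfil", host, total))
    return findings


def decide(flows) -> str:
    """Tripwire decision: 'isolate' once exfiltration is seen, 'monitor' while
    only reconnaissance is seen, otherwise 'ok'."""
    kinds = {kind for kind, _, _ in classify(flows)}
    if "exfil" in kinds:
        return "isolate"
    if "recon" in kinds:
        return "monitor"
    return "ok"


# Constructed sample traffic: one external peer sweeps 25 internal hosts on
# port 445 with tiny flows (reconnaissance); later one internal host sends
# 120 MB to an external peer (exfiltration).
RECON_FLOWS = [Flow("203.0.113.5", f"10.0.1.{i}", 445, 80) for i in range(1, 26)]
EXFIL_FLOWS = [Flow("10.0.1.7", "198.51.100.9", 443, 120 * 1024 * 1024)]

if __name__ == "__main__":
    print(decide(RECON_FLOWS))                # monitor
    print(decide(RECON_FLOWS + EXFIL_FLOWS))  # isolate
```

The point of separating `classify` from `decide` is that the findings carry the evidence (which peer, how many targets, how many bytes) that the risk analysis and the business-impact discussion need, while the decision rule itself stays a one-line policy that can be tuned as the thresholds are revisited.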