The most successful security policies are those that agencies can enforce.
When the Defense Department writes new information security policies, it’s often a case of the tail wagging the dog, one security administrator said.
Long before news of the Department of Veterans Affairs’ stolen laptop PC became public, DOD’s lack of a data encryption policy meant its employees’ personal information and pay data were in jeopardy when employees transferred data from a mainframe to a backup tape, said the security officer, who requested anonymity because he was criticizing DOD policy and practice.
“We were transmitting files in the clear, and some of it would end up going over the Internet,” he said. “I felt an obligation for military members to protect their data.”
So, well before he learned of a new departmentwide information security policy, the security officer said he purchased encryption software from PKWARE, a company based in Milwaukee. When employees saved data to a target other than a mainframe, the software scrambled that data to make it unreadable to unauthorized users.
“We are just now starting to get specific procedures on what we have to do to protect laptops and transmissions of data,” the security officer said. “Up until that point, there was nothing.”
Information technology security has been a hot topic for several years, but vulnerabilities exposed by AWOL laptops in recent months sent many agencies scurrying to renew their efforts. Adding to the pressure, many federal agencies received poor grades on report cards from the House Government Reform Committee for failing to comply with the Federal Information Security Management Act (FISMA).
When the committee issued report cards this past spring, more than half of the 24 evaluated agencies received a C or worse for security. Eight, including DOD, received Fs. The Government Accountability Office is studying whether DOD and other large agencies struggle to meet FISMA requirements because of their size.
Many agencies say the federal security policies require so much auditing and documentation that they sap resources and might detract from agencies’ efforts to secure their information systems. Several best practices related to security policies can help the government improve security and compliance, experts say.
FISMA requires agencies to develop policies that address core security issues, including implementing procedures that reduce risks to acceptable levels and providing security testing and training for employees and contractors. Guidance from the National Institute of Standards and Technology can help agencies prioritize their information systems based on whether a security breakdown would have a high, moderate or low impact.
FISMA law and NIST guidance give agencies a framework for developing policies. But security gaps and enforcement problems often make those policies ineffective. “A number of our audits have found that some agencies are very good at developing comprehensive information security policies and procedures, but problems come into play when they try to start implementing them,” said Gregory Wilshusen, GAO’s director of information security issues.
For example, agencies with low security ratings might inconsistently apply policies across geographically dispersed data centers, leaving some divisions more vulnerable to attacks. In addition, when agency leaders don’t demonstrate their commitment to security policies, junior staff members may consider compliance a choice rather than a necessity.
Poorly defined policies for user authentication and access control lead to security breakdowns, GAO auditors found. One common weakness is a lack of policies and enforcement systems to systematically replace vendor-supplied passwords when agencies install new software.
Similarly, many security policies don’t specify how agencies should ensure that administrators install all necessary security patches. “In many cases, they may have the policies in place, but they are not being effectively implemented,” Wilshusen said.
Funding sources also play a role in the successful adoption of security policies. If an agency’s divisions have their own funding sources, they might also have their own IT infrastructure, which complicates the implementation of agencywide or departmentwide policies.
Such problems don’t have to be intractable, however. Many agencies are learning to synchronize policies and practices. Experts say new security policies should emphasize the data rather than focus on protecting infrastructure vulnerabilities such as Internet access points and local-area network gateways.
“The VA incident and others have shown these old approaches are necessary but not totally adequate,” said Dennis Hoffman, vice president of information security at vendor EMC, who has testified at congressional hearings on information security. “Agencies are moving from protecting the perimeter to managing and securing information,” he said.
Such policies set strict guidelines and specific enforcement systems to minimize how much data leaves a secure perimeter. They dictate what information users can download to portable devices, including laptops and personal digital assistants. In addition, the policies and guidelines help administrators decide what information they should routinely encrypt.
Consistency is another essential characteristic of successful security policies. “The most important thing is to get everyone marching in the same direction with a common set of standards,” said Steven Newburg-Rinn, director of the Civil Government Information Assurances Division at SRA International. “The more dueling policies you have, the more likely it is that people will throw up their hands and say, ‘I don’t know what they want out of me.’ Policies have to be ones that people can live with,” he said. “And that’s a challenge.”
The Treasury Department created a security group that addresses such challenges almost daily. It develops security and enforcement policies with help from members of a security group that is part of a departmentwide chief information officer council. The security committee consists of officers from Treasury’s 13 bureaus. They meet formally once a month and communicate regularly via phone calls and e-mail messages.
The group often focuses on how to update departmentwide security policies. Last year, it conducted a comprehensive review of all security policies.
The group also decides which policies apply agencywide and which ones require local coordination. For example, Treasury mandates system backups but lets organizations determine frequency and procedures according to the sensitivity of the data they manage, said Ed Roback, Treasury’s associate CIO for cybersecurity and chief information security officer. “We don’t write a departmentwide policy about where to store the backups and how to create them. That’s all locally dependent on the local hardware” and other individual factors, he said.
Enforcement is another top concern of Treasury’s security group. Its members ask bureaus whether they have fully implemented policies, such as contingency plans, and whether others need additional work. The group might ask for samples of their plans.
“Once we get them, we look at them in terms of quality against the NIST guidelines or departmental policy,” Roback said. “If there’s room for improvement, we provide feedback to the bureaus.”
Agencies also add enforcement bite to their bark in the form of system audits, said Beau Hutto, federal director for advanced security technologies at Juniper Networks, which offers hardware, intrusion-detection and -prevention systems, and virtual private networking products. “Being able to see what is running on your network will help you define your policies as a whole,” Hutto said. Besides conducting network traffic audits, some organizations also monitor individual applications, including file attachments sent via instant messaging systems, which can cause security breaches, Hutto said. Collecting such use statistics can help agencies identify areas that a new security policy needs to address, he said.
For attaining similar security goals, security information and event management systems are one of the fastest-growing segments of the security technology industry, Hoffman said. Such systems collect data from servers, routers, storage devices, databases and applications. Managers can analyze that data in real time and create compliance reports that show any unusual activity. “The audits look at anything that can be logged — for example, when user X logged in, what he did and when he logged off,” Hoffman said.
Another valuable tool to assess policy compliance is the Automated Security Self-Evaluation and Reporting Tool (ASSERT), software originally developed by the Environmental Protection Agency, Newburg-Rinn said. The Web-based tool helps agencies compare their security performance against NIST’s guidelines and automatically create compliance reports.
“Agencies can look across the entire enterprise and say, ‘Here is the status of my systems, here are the areas where we have weaknesses,’” he said.
But he added that tools such as ASSERT require business processes that support effective security policies. “No matter how good your tool is, you may not succeed” without that policy foundation, he said.
Successful policies must also be financially feasible. “No organization can afford 100 percent security; it just isn’t feasible from a financial perspective,” said Judy Carr, vice president of research for public-sector governance and sourcing at consulting firm Government Insights.
Agencies need to balance security and budgets by undergoing a process that evaluates the critical information and systems that need protection within their organizations. Those criteria should identify information that requires the greatest confidentiality, data integrity and availability safeguards. “Then agencies can make strategic decisions about what they purchase,” Carr said.
“If agency executives do a real business case exercise,” she added, “they will make better security decisions in light of their limited budgets.”
Joch is a business and technology writer based in New England. He can be reached at email@example.com.
NEXT STORY: Commerce loses more than 1,100 laptops