Put some bite behind the bark

The most successful security policies are those that agencies can enforce.

When the Defense Department writes new information security policies, it’s often a case of the tail wagging the dog, one security administrator said.

Long before news of the Department of Veterans Affairs’ stolen laptop PC became public, DOD’s lack of a data encryption policy meant its employees’ personal information and pay data were in jeopardy when employees transferred data from a mainframe to a backup tape, said the security officer, who requested anonymity because he was criticizing DOD policy and practice.

“We were transmitting files in the clear, and some of it would end up going over the Internet,” he said. “I felt an obligation for military members to protect their data.”

So, well before he learned of a new departmentwide information security policy, the security officer said he purchased encryption software from PKWARE, a company based in Milwaukee. When employees saved data to a target other than a mainframe, the software scrambled that data to make it unreadable to unauthorized users.

“We are just now starting to get specific procedures on what we have to do to protect laptops and transmissions of data,” the security officer said. “Up until that point, there was nothing.”

Information technology security has been a hot topic for several years, but vulnerabilities exposed by AWOL laptops in recent months sent many agencies scurrying to renew their efforts. Adding to the pressure, many federal agencies received poor grades on report cards from the House Government Reform Committee for failing to comply with the Federal Information Security Management Act (FISMA).

When the committee issued report cards this past spring, more than half of the 24 evaluated agencies received a C or worse for security. Eight, including DOD, received Fs. The Government Accountability Office is studying whether DOD and other large agencies struggle to meet FISMA requirements because of their size.

Many agencies say the federal security policies require so much auditing and documentation that they sap resources and might detract from agencies’ efforts to secure their information systems. Several best practices related to security policies can help the government improve security and compliance, experts say.

Security gaps
FISMA requires agencies to develop policies that address core security issues, including implementing procedures that reduce risks to acceptable levels and providing security testing and training for employees and contractors. Guidance from the National Institute of Standards and Technology can help agencies prioritize their information systems based on whether a security breakdown would have a high, moderate or low impact.

FISMA law and NIST guidance give agencies a framework for developing policies. But security gaps and enforcement problems often make those policies ineffective. “A number of our audits have found that some agencies are very good at developing comprehensive information security policies and procedures, but problems come into play when they try to start implementing them,” said Gregory Wilshusen, GAO’s director of information security issues.

For example, agencies with low security ratings might inconsistently apply policies across geographically dispersed data centers, leaving some divisions more vulnerable to attacks. In addition, when agency leaders don’t demonstrate their commitment to security policies, junior staff members may consider compliance a choice rather than a necessity.

Poorly defined policies for user authentication and access control lead to security breakdowns, GAO auditors found. One common weakness is a lack of policies and enforcement systems to systematically replace vendor-supplied passwords when agencies install new software.

Similarly, many security policies don’t specify how agencies should ensure that administrators install all necessary security patches. “In many cases, they may have the policies in place, but they are not being effectively implemented,” Wilshusen said.

New tactics
Funding sources also play a role in the successful adoption of security policies. If an agency’s divisions have their own funding sources, they might also have their own IT infrastructure, which complicates the implementation of agencywide or departmentwide policies.

Such problems don’t have to be intractable, however. Many agencies are learning to synchronize policies and practices. Experts say new security policies should emphasize the data rather than focus on protecting infrastructure vulnerabilities such as Internet access points and local-area network gateways.

“The VA incident and others have shown these old approaches are necessary but not totally adequate,” said Dennis Hoffman, vice president of information security at vendor EMC, who has testified at congressional hearings on information security. “Agencies are moving from protecting the perimeter to managing and securing information,” he said.

Such policies set strict guidelines and specific enforcement systems to minimize how much data leaves a secure perimeter. They dictate what information users can download to portable devices, including laptops and personal digital assistants. In addition, the policies and guidelines help administrators decide what information they should routinely encrypt.

Consistency is another essential characteristic of successful security policies. “The most important thing is to get everyone marching in the same direction with a common set of standards,” said Steven Newburg-Rinn, director of the Civil Government Information Assurances Division at SRA International. “The more dueling policies you have, the more likely it is that people will throw up their hands and say, ‘I don’t know what they want out of me.’ Policies have to be ones that people can live with,” he said. “And that’s a challenge.”

The Treasury Department created a security group that addresses such challenges almost daily. It develops security and enforcement policies with help from members of a security group that is part of a departmentwide chief information officer council. The security committee consists of officers from Treasury’s 13 bureaus. They meet formally once a month and communicate regularly via phone calls and e-mail messages.

The group often focuses on how to update departmentwide security policies. Last year, it conducted a comprehensive review of all security policies.

The group also decides which policies apply agencywide and which ones require local coordination. For example, Treasury mandates system backups but lets organizations determine frequency and procedures according to the sensitivity of the data they manage, said Ed Roback, Treasury’s associate CIO for cybersecurity and chief information security officer. “We don’t write a departmentwide policy about where to store the backups and how to create them. That’s all locally dependent on the local hardware” and other individual factors, he said.

Enforcement bite
Enforcement is another top concern of Treasury’s security group. Its members ask bureaus whether they have fully implemented policies, such as contingency plans, and whether others need additional work. The group might ask for samples of their plans.

“Once we get them, we look at them in terms of quality against the NIST guidelines or departmental policy,” Roback said. “If there’s room for improvement, we provide feedback to the bureaus.”

Agencies also add enforcement bite to their bark in the form of system audits, said Beau Hutto, federal director for advanced security technologies at Juniper Networks, which offers hardware, intrusion-detection and -prevention systems, and virtual private networking products. “Being able to see what is running on your network will help you define your policies as a whole,” Hutto said. Besides conducting network traffic audits, some organizations also monitor individual applications, including file attachments sent via instant messaging systems, which can cause security breaches, Hutto said. Collecting such use statistics can help agencies identify areas that a new security policy needs to address, he said.

For attaining similar security goals, security information and event management systems are one of the fastest-growing segments of the security technology industry, Hoffman said. Such systems collect data from servers, routers, storage devices, databases and applications. Managers can analyze that data in real time and create compliance reports that show any unusual activity. “The audits look at anything that can be logged — for example, when user X logged in, what he did and when he logged off,” Hoffman said.
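As an added example (not code from the article or from any vendor it names) of the login/logoff audit Hoffman describes, the block below parses constructed log lines in an assumed "timestamp user action host" format into sessions and applies a few rules of the kind a SIEM compliance report would surface: off-hours logins, sessions that never log off, and sessions longer than an assumed threshold.

```python
"""Constructed SIEM-style login/logoff audit. Log format, business hours and
the session-length threshold are assumptions for illustration."""
import re
from datetime import datetime, timedelta

# Constructed sample events, not real log data.
SAMPLE_LOG = """\
2006-08-14T08:02:11 alice login ws-101
2006-08-14T08:05:40 bob login ws-102
2006-08-14T12:30:05 alice logoff ws-101
2006-08-14T13:10:22 alice login ws-209
2006-08-14T19:45:00 bob logoff ws-102
2006-08-14T22:15:33 carol login srv-db1
2006-08-15T02:40:12 carol logoff srv-db1
2006-08-15T09:00:00 dave login ws-300
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (login|logoff) (\S+)$")
BUSINESS_HOURS = (7, 19)           # assumed: 07:00-19:00 is normal
MAX_SESSION = timedelta(hours=10)  # assumed threshold for a long session


def parse_events(text):
    """Parse log lines into sorted (timestamp, user, action, host) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real SIEM would count these too
        ts, user, action, host = m.groups()
        events.append((datetime.fromisoformat(ts), user, action, host))
    events.sort(key=lambda e: e[0])
    return events


def build_sessions(events):
    """Pair each login with the next logoff for the same user and host.
    A session with no matching logoff gets end=None and a flag."""
    open_sessions, sessions = {}, []
    for ts, user, action, host in events:
        key = (user, host)
        if action == "login":
            if key in open_sessions:  # second login with no logoff in between
                stale = open_sessions.pop(key)
                sessions.append({**stale, "end": None,
                                 "flags": ["relogin-without-logoff"]})
            open_sessions[key] = {"user": user, "host": host, "start": ts}
        else:
            s = open_sessions.pop(key, None)
            if s is None:
                sessions.append({"user": user, "host": host, "start": None,
                                 "end": ts, "flags": ["logoff-without-login"]})
            else:
                sessions.append({**s, "end": ts, "flags": []})
    for s in open_sessions.values():
        sessions.append({**s, "end": None, "flags": ["no-logoff"]})
    return sessions


def flag_unusual(sessions):
    """Apply the audit rules and return only sessions with a finding."""
    for s in sessions:
        start, end = s["start"], s["end"]
        if start and not (BUSINESS_HOURS[0] <= start.hour < BUSINESS_HOURS[1]):
            s["flags"].append("off-hours-login")
        if start and end and end - start > MAX_SESSION:
            s["flags"].append("long-session")
    return [s for s in sessions if s["flags"]]


def audit_report(text):
    """Return {(user, host): sorted flags} for every flagged session."""
    flagged = flag_unusual(build_sessions(parse_events(text)))
    return {(s["user"], s["host"]): sorted(s["flags"]) for s in flagged}
```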

Another valuable tool to assess policy compliance is the Automated Security Self-Evaluation and Reporting Tool (ASSERT), software originally developed by the Environmental Protection Agency, Newburg-Rinn said. The Web-based tool helps agencies compare their security performance against NIST’s guidelines and automatically create compliance reports.

“Agencies can look across the entire enterprise and say, ‘Here is the status of my systems, here are the areas where we have weaknesses,’” he said.

But he added that tools such as ASSERT require business processes that support effective security policies. “No matter how good your tool is, you may not succeed” without that policy foundation, he said.

Successful policies must also be financially feasible. “No organization can afford 100 percent security; it just isn’t feasible from a financial perspective,” said Judy Carr, vice president of research for public-sector governance and sourcing at consulting firm Government Insights.

Agencies need to balance security and budgets by undergoing a process that evaluates the critical information and systems that need protection within their organizations. Those criteria should identify information that requires the greatest confidentiality, data integrity and availability safeguards. “Then agencies can make strategic decisions about what they purchase,” Carr said.

“If agency executives do a real business case exercise,” she added, “they will make better security decisions in light of their limited budgets.”

Joch is a business and technology writer based in New England. He can be reached at ajoch@worldpath.com.

Security regs: A burden for policy developers?

Federal agencies must adhere to scores of security policies and write reports throughout the year to demonstrate their compliance. But do those policies make information technology systems safer?

No, said Alan Paller, director of research at the SANS Institute, a security training organization, and manager of the Internet Storm Center, which issues early warnings of cyberattacks. In an interview, Paller explained why he believes security regulations, Office of Management and Budget reviews and annual Federal Information Security Management Act audits sap federal resources, and he tells what the federal government should be doing to better protect its IT systems.

Do you think federal security requirements are making agencies safer from cyberattacks?

Paller: They aren’t safer. How many pages of different laws do agencies have to follow, whether or not those laws are consistent and whether or not they enable agency effectiveness? Nobody has a budget big enough to meet all of the requirements. So it’s really quite impossible the position you put security people in inside the government.

What should we be doing to increase security?

Paller: Agencies need to do exactly what’s done on airplanes or in chemical plants. They need to implement continuous monitoring and continuous fixing [when problems arise]. So they’re watching every system, every penetration point all of the time. Whatever needs to be done to protect against a new attack should be done in real time.

That is one of the really cool things the government is starting to do. We used not to watch [infrastructures] very carefully. We used to have junky intrusion-detection systems. But those have [improved] at a couple of agencies. There’s a program at the Homeland Security Department called Einstein, and it is free to federal agencies. It finds places where agencies are being attacked.

Does that imply a larger trend toward centralizing security procedures and perhaps taking more security responsibilities away from users?

Paller: We are seeing a massive shift [to central control]. Not so much because the [security managers] want it, but because users don’t want [the responsibility]. They are under such pressure to do all these things to their computer, and they are saying, “You run the darn thing.”

Will that mean more thin clients and similar architectures in the future?

Paller: You will see more thin clients. You will see more application servers. Anything that makes it more efficient to centralize will grow. You are not going to get rid of [Microsoft] Windows — this trend is not tolling the end of Windows or anything like that. You are just going to see more of the other alternatives.

7 strategies for syncing security policies and practices

Agencies can use security policies to protect their sensitive information by:

  • Drafting policies for protecting data and infrastructure. Information-scrambling encryption technologies, for example, would have mitigated the risk caused by a Department of Veterans Affairs employee who disregarded the agency’s data-handling policies for laptop PCs.

  • Establishing strict rules and enforcement mechanisms to control when data can leave secure locations and under what circumstances.

  • Evaluating security policies for consistency. Conflicting rules frustrate users and often cause compliance lapses.

  • Creating committees of security officers from bureaus or departments. Encourage members to meet several times a year and communicate regularly to discuss policy updates as the need arises.

  • Considering security information and event management systems to monitor data from servers, routers, storage devices, databases and applications. Reports can alert security managers to unusual activities and identify areas where new policies might be necessary.

  • Evaluating the Automated Security Self-Evaluation and Reporting Tool (ASSERT) and Einstein, two government-developed software applications that can help agencies secure their information systems and generate compliance reports.

  • Building business cases to help prioritize security spending and balance tight budgets and security needs.