Agencies taking enterprisewide approach to IT security

Agencies are taking more of an enterprise approach to improve their cybersecurity instead of trying to fix problems as they come up on a bureau by bureau basis. Of course, chief information officers say their tactics received a huge lift from the rash of data breaches last year. “Security is not in isolation of anything else we do,” said Lisa Schlosser, CIO at the department of Housing and Urban Development. “Incidents keep the executive’s attention for a week or so, but the CIO must constantly take on the leadership role and explain why security important to the agency’s entire mission.” The Defense Department is one successful example of taking an enterprise approach to information technology security, said John Hunter, DOD’s director of operations in the Office of the Assistant Secretary for Defense Defensewide Information Assurance Program. Hunter said the mandated use of the Common Access Card to log into DOD’s network has made the military’s systems more secure, and another initiative to standardize the use of intrusion detection, intrusion prevention and asset management software from McAfee across all of DOD’s 5 million computers will provide additional benefits. “Information assurance, situational awareness and command and control are the real focus in DOD to increase our security posture,” Hunter said April 19 during a breakfast on cybersecurity and the Federal Information Security Management Act in Bethesda, Md., sponsored by the Armed Forces Communications and Electronics Association’s Bethesda chapter. Hunter said a command tasking order from the Joint Task Force Global Network Operations likely will be handed down to all military services and agencies in the next few months that would mandate the use of the McAfee software. “We are working on the implementation plan to start this summer DOD wide,” he said. DOD tested the software across all military agencies with 23,000 users from July to November 2006 and beyond a few minor issues, found it make a big difference in securing desktops and the network, Hunter said. Also, the Department of Veterans Affairs had to address its vulnerabilities agencywide. Robert Howard, VA’s CIO, said the agency has encrypted almost every laptop and now are moving onto mobile devices. “Centralizing the control of [information technology] no question helped ensure every laptop will be encrypted,” Howard said. “Without the central authority, encrypting laptops would have taken months, if not years.” The panelists also said VA’s move to centralized IT authority is the model most would like to reach. Ed Meagher, Interior Department’s deputy CIO, said the VA model is “the only one that makes sense.” Schlosser added that it is an “amazing thing to centralize IT” control. “The most important thing we have to do is get people out of the choice to do IT security,” he said. “We need to make it as automated as possible, especially in managing the desktops and servers.” Meagher said agencies still struggle with controlling their network environment.