Creating good security habits

A method to ensure that agencies are using the right security technology also turns out to be a great way to establish security standards for personnel.

Agencies use metrics — the measurement of performance and capability during a period of time — to ensure that programs and policies are working the way they were intended. Now, systems administrators and program managers are discovering that metrics are useful in creating and enforcing rules for personnel.

For example, when William Hadesty headed the Internal Revenue Service's information security operations, he found that systems security problems were fairly easily solved. However, one of the biggest problems — what Hadesty calls the "challenging the suits" factor — was harder to fix. He found that people could walk into secure areas without anyone stopping them for clearance.

In a test performed by Hadesty's team, a man walked into a secure area wearing a suit, a hat and carrying a ladder. He walked around the room, set up the ladder and walked out without being stopped or questioned.

The root problem was that none of the employees felt personally responsible for the agency's security, Hadesty said. Sending IRS employees to three hours of security awareness training each year was not doing the job. So Hadesty not only improved the impact of training through continual spot "suit" tests that showed how security applies to each individual, but he also tied physical and systems security to the performance evaluations of agency employees.

After setting specific metrics to measure the reaction of employees to the tests, Hadesty was able to show an improvement during the years he served at the IRS. And that, he said, is the key — not just using metrics to find problems, but using metrics to show whether you've found a solution.

Recognizing a good thing, Agriculture Department chief information officer Joseph Leo made Hadesty the department's associate CIO for cybersecurity this year.

At the U.S. Agency for International Development, employees are encouraged to come up with their own security solutions and best practices, and rewards range from public recognition to bonuses. "People really respond to positive feedback," said James Craft, information systems security officer at USAID.

Competition among organizations also encourages agencies to improve.

The CIO Council is moving toward finalizing its Information Technology Security Maturity Framework, which is based on Carnegie Mellon University's Capability Maturity Models. The council's security committee started work on the framework after Rep. Stephen Horn (R-Calif.) said he was looking for a way to grade agencies' security progress the way he graded their Year 2000 progress.

During the grading of Year 2000 fixes, agencies worked hard to keep from receiving a lower grade than another agency. The same principle could be used for security, said John Gilligan, CIO at the Energy Department and co-chairman of the security committee.

The Defense Department also is working on a set of metrics that measures the readiness of every DOD component in three areas, including the proficiency of information assurance operations personnel.

While the top two levels both meet the "green" criteria, the competition factor could push DOD components to reach for "excellent" rather than "acceptable," according to Terry Bartlett, readiness assessment team leader at the Defensewide Information Assurance Program.