What We Can Learn from Fed's Cybersecurity
The federal government recently got its report card for cybersecurity, and it wasn't a pretty picture. What can corporate IT professionals learn from the feds' mistakes?
Things aren't looking all that good. The question is what IT professionals in the corporate sector can learn from this, and the answer is quite a bit.
The annual study of the cybersecurity posture of 24 government agencies is done by the Committee on Government Reform under the Federal Information Systems Management Act (FISMA). This year's report identified which agencies have made great strides in implementing their computer security and which have failed in their attempts to secure their information systems.
This year's study, much like last year's, didn't paint a pretty picture.
Five of the 24 agencies, including the Department of Commerce and the Treasury Department, received D grades. Eight of them, including the Department of Justice, the Department of Defense and the State Department, failed. The Department of Health and Human Services also received an F.
On the other side of the grading curve, seven agencies, including the Department of Labor, the Social Security Administration and the Environmental Protection Agency, received A grades.
This year, 10 agencies showed improvement, with the National Aeronautics and Space Administration, for instance, raising its score from a D- in 2004 to a B- in 2005.
Eight agencies received a worse grade this time around. The Department of Justice went from a B- in 2004 to a D in 2005, and the Nuclear Regulatory Commission dropped from a B+ to a D-.
Five agencies, including DHS, the Department of Veterans Affairs and the Department of Energy, maintained a failing grade year over year.
What Does This Mean for Us?
Does this really impact us as citizens?
Yes, it does. The information that FISMA was enacted to protect is "our" information. The Social Security Administration keeps track of our identifying numbers and our earning histories. The U.S. Department of Agriculture keeps information regarding the food we eat. The Department of Homeland Security keeps information key to safeguarding us. The Department of Health and Human Services would manage the country's response to the bird flu if it came within U.S. borders.
With these agencies in control of so much information that matters to our daily lives, we should stay abreast of the FISMA reports. But all of this leads to another question: what is FISMA all about?
FISMA requires each agency to develop, document, and implement a program that provides security for the information and systems supporting the agency's operations and assets. FISMA provides for a risk-based approach to information security management.
To meet FISMA requirements, an information security program should have the following key elements:
Each security program should include procedures for detecting, reporting, and responding to security incidents;
The last key element of a successful security program is having documented plans and procedures to ensure continuity of operations. Any information system that supports the operations and assets of an agency must have a plan for survivability during a disaster.
As our federal agencies work to improve their security programs this year, perhaps we should review our own security programs.
The same elements that the government requires to protect its information should be integrated into our corporate security programs. By ensuring that the elements above are part of our companies' security programs, we can be confident that we are taking a risk-based approach to keeping our information protected.