GAO report tries to sort out risk-assessment confusion

Facing growing security threats to increasingly complex government computer systems, the General Accounting Office last week released a report to help federal agencies determine how vulnerable their systems are and how to make them more secure.

Although GAO's report, "Information Security Risk Assessment: Practices of Leading Organizations," does not present specific suggestions for agencies to determine how to secure systems from cyberattacks, it identifies seven critical factors of a successful ongoing security risk-assessment program, including defining and documenting procedures and results.

The report details programs put in place by four unnamed organizations, which included oil, financial and computer companies and one federal regulatory agency. GAO did not name the organizations because it feared that hackers might target them. The report also includes diagrams detailing the risk-assessment process for each organization and a description of how they made their decisions.

For example, the regulatory agency conducts risk assessments "to determine the applicable security controls," the GAO reported. "This is done by determining which of a pre-defined set of controls is appropriate for individual business operations and comparing what is appropriate to controls already in place to identify and address gaps."

The best practices outlined in the report will be helpful, especially at smaller civilian agencies that do not have the resources that department-level agencies have, said John Gilligan, chief information officer at the Energy Department and co-chairman of security on the CIO Council's Critical Infrastructure, Privacy and Security Committee.

"I think it will be useful for people who are charged with risk management to have examples of what others are doing," he said.

This is especially true because security and risk assessment are not one-size-fits-all concepts, said Mike Lortz, vulnerability assessment product manager at Internet Security Systems Inc. "The process needs to be different from agency to agency...but the agencies need to be able to use something as a guideline," he said.

GAO intends the report to be a supplement to last year's executive guide on information security management. Risk assessment is only one of the five areas outlined in last year's guide, but GAO decided to focus its latest guide on that area because it is what most people in government seem to be worried about, GAO said.

"When we did the original guide, during the exposure draft period we got some comments that [said] we should dig deeper into some of these areas, and more comments mentioned risk assessment than any others," said Jean Boltz, assistant director of governmentwide and defense information systems within GAO's Accounting and Information Management Division.

Agencies have been confused about how to conduct risk assessment and apply that to the security needs they have, Boltz said, especially after the Office of Management and Budget revised its computer security regulations in 1996 and eliminated the requirement to perform risk assessments. Agencies have been confused about what to do because, although OMB no longer requires risk assessments, it still requires agencies to measure their systems' vulnerability to cyberattacks and unauthorized access and then base their security architecture on that knowledge, Boltz said.

Agencies' confusion about risk assessment has heightened because of the increasing use of the Internet and because computer systems are becoming more interdependent, Gilligan said. "Risk assessment is a big deal because it has not been institutionalized," Gilligan said. "In the past, there had been great emphasis on doing risk assessment, but [it] tended over time to not be used or not be done well."