Feds short on security 'best practice' studies

The United States faces an uphill battle when it comes to protecting critical infrastructure, because government and industry groups have not developed best practice studies and guidelines to show the best way to do so, according to federal experts.

Without the guidance that can only come from detailed best practices, agencies and industry will have a hard time developing security architectures that will bring value to their organization, said Jeffrey Hunker, senior director for infrastructure protection at the National Security Council's Office of Transnational Threats. Hunker made the comments on Wednesday at the National Information System Security Conference in Crystal City, Va.

"I regard the development of best practices as the single most important element in what is actually a very broad area of protecting our information assets, because it leads toward establishing economic incentives," Hunker said.

Many organizations within the U.S. and abroad are developing security best practices toolkits that will enable organizations to pick and choose from a range of solutions to find the best fit. The key to all of these efforts, however, is making sure the toolkits are detailed enough to be actionable and broad enough to cover every organization's needs.

Under Presidential Decision Directive 63, which requires agencies to develop and implement plans to protect their critical infrastructure, the National Security Agency is heading up the interagency Best Practices and Standards working group. The framework developed by the group is in its final stages and should be available for general use soon, said Mike Flemming, co-chairman of the working group at NSA.

The CIO Council recently formed a Best Security Practices Task Force. The group has set itself the goal of having a basic working plan, along with a standardized format for comparing the best practices it collects, in place and ready for CIO Council approval by January.

"We're trying to get tangible results, step by step," said Jim Craft, chair of the task force and information security officer at the U.S. Agency for International Development.

In addition to culling data from other agencies, federal best practices groups are studying best practice documents from other countries, most notably the United Kingdom, whose British Standard 7799 for best security practices has been in place since 1995. They also are pulling information from industry, and in the future may depend on vendors to maintain and update the toolkits because administrations and priorities within the government change so often, Hunker said.