A model for security

The CIO Council last week unveiled a tool that federal agencies can use

to improve security practices and that Congress can use to assess their

progress.

The Information Technology Security Maturity Framework is intended to

provide agencies with a road map for incorporating security practices into

their everyday IT operations, said John Gilligan, co-chairman of the CIO

Council's security subcommittee and CIO at the Energy Department.

The model describes six levels of "security maturity," ranging from

Level 0, in which organizations have no security programs, to Level 5, where

organizations are constantly improving their security programs, either

to improve their effectiveness or to counter new threats.

The framework currently provides only a general description of each

level, but the council is working with the General Accounting Office and

Software Engineering Institute to refine the framework so that it can serve

as a "checklist guide" for agencies, said Gilligan, speaking last week to

the House Government Reform Committee's Government Management, Information

and Technology Subcommittee.

The CIO Council is developing the framework to help agencies that have

been under pressure to improve security practices but that have not had

any clear ideas of where to begin. The council is encouraging all agencies

to work toward Level 2 (documented security programs) for now, Gilligan

said.

The framework also can serve as a way to "grade" an agency's security

practices — something the subcommittee has been interested in as a way to

spur agencies to improve security practices. In fact, Rep. Stephen Horn

(R-Calif.), who used a grading scale in assessing agencies' Year 2000 progress,

is looking at the security model as a way to measure agency security efforts,

a Horn staff member said.

The framework is based on the concept of the "Capability Maturity Model"

developed over the years by SEI, a federally funded research and development

center at Carnegie Mellon University. Agencies across government use a similar

SEI model for software engineering to assess the capabilities of potential

contractors.

Gilligan also said the CIO Council is working with two other groups,

the CFO Council and the Information Technology Association of America, to

develop benchmarks for assessing the security of common electronic services,

such as electronic financial transactions and World Wide Web-based benefits

inquiries.

"Our goal is to provide a sufficiently robust set of examples, or a

framework, that managers could use to assist them in addressing the question

of what is adequate security," he said.