Federal, business officials cautiously praise Security Act

They suggest that the creation of a national chief information officer could bring even more leadership and guidance to security issues

A Senate bill that would hold agencies responsible for the management of their information security practices drew praise from government and private-sector officials yesterday, but they emphasized the need for specific security standards and controls.

The Government Information Security Act (S. 1993) is designed to strengthen agencies' accountability for security practices and management, not just the technology.

It creates governmentwide goals for information security by:

* Bringing oversight of both national security and civilian information security management under the Office of Management and Budget.

* Requiring an annual independent audit of agency security programs and practices to reinforce accountability.

* Emphasizing the need for security awareness and training for all federal employees.

Past legislation has left it to agencies to determine the level of security to implement, but this approach is not working, said Jack Brock, director of governmentwide and defense information systems at the General Accounting Office's Accounting and Information Management Division, in testimony before the Senate Governmental Affairs Committee.

That is apparent in the number of GAO audits that have found the same security weaknesses at every agency reviewed, he said.

"After doing many of these [audits] and doing the same report over and over, we said, 'There has to be a better way,'" Brock said.

In response to GAO reports, agencies have fixed the specific weaknesses mentioned while not addressing the underlying management issues. The bill is an effort to hold agencies accountable for fixing these issues, but more specific guidance also is necessary, Brock said.

GAO suggested, and the committee members agreed, that the bill should establish a ranking system classifying the levels of sensitivity and risk of agency information systems. GAO also recommended that the ranking system include minimum security requirements for each level.

Brock also suggested creating a position, such as a national chief information officer, that would provide "higher visibility and more effective central leadership of information security," he said. James Adams, chief executive officer of Infrastructure Defense Inc., supported this idea.

NASA Inspector General Roberta Gross said that if the bill is to fulfill its promise, Congress must also do something to strengthen CIO authority within agencies. Agency CIOs are often seen as "paper tigers" by inspectors general, lacking the leverage and control of resources necessary to develop, implement and evaluate their agencies' security programs, she said.

MORE INFO

Text of the Government Information Security Act.

GAO report, "Information Security: Comments on the Proposed Government Information Security Act of 1999," T-AIMD-00-107, March 2, 2000.
