Security: It's a management thing

Agencies are mistakenly viewing security as something that can be fixed with technology and not recognizing it as a management issue, officials say


Federal agencies are making the same mistake when it comes to security — viewing it as something that can be fixed with technology and not recognizing it as a management issue, officials said Monday.

"We have a tendency to turn [security] into a technical problem, rather than a management problem with technical aspects," said Marty Wagner, associate administrator of the General Services Administration's Office of Governmentwide Policy, speaking Monday at the Defending Cyberspace conference in Washington, D.C.

The CIO Council's Security, Privacy and Critical Infrastructure Committee is working on several initiatives to help agencies get a handle on the management aspect of the federal security problem, said John Gilligan, deputy chief information officer at the Air Force and co-chairman of the committee. Some pieces already are available, including a Web-based repository of security best practices and the Information Technology Security Assessment Framework that the council released last week.

But the biggest problems and the best solutions come from line managers and program leaders, Gilligan said. Getting the word out to these people and getting them to understand the importance of their role in the security of federal systems and programs is one of the challenges the council is trying to solve right now, he said.

For the most part, the council's efforts involve providing newsletters, sample policies and conferences, but the council is also partnering with the U.S. Chief Financial Officers Council and others, Gilligan said.

In the immediate future, the committee's efforts are focused on two areas: risk management and funding.

Many agencies do not know how to assess their level of risk or how to manage that risk throughout a program's life cycle. Although the General Accounting Office has issued an executive guide presenting risk management best practices from industry and government, the security subcommittee is trying to develop additional guidelines and processes to help, Gilligan said.

Agencies struggle to fund efforts to meet federal requirements under Presidential Decision Directive 63, which calls for agencies to protect systems that run the nation's critical infrastructure. President Clinton signed PDD-63 in May 1998, but agencies have trouble getting funding for programs that often cross agency lines.

Gilligan said the critical infrastructure protection subcommittee is developing guidelines for agencies on how to prepare budget submissions and how to work on those submissions with the Office of Management and Budget and the appropriations committees in Congress.
