Infiltrating agency ops

Including security as a basic feature of every system and program isn't as easy as it sounds.

"Our philosophy has been — and our key objective for the cybersecurity program — is to improve executive management of the program by integrating [information technology] security controls into all the major business processes of the department," said Lisa Schlosser, assistant chief information officer for IT security at the Transportation Department.

This approach is outlined in a diagram that shows how all the components of the agency's security strategy build on one another — including the security management programs, technical framework and governance structure. Without any one piece, the entire structure could collapse, Schlosser said.

Building on the President's Management Agenda score cards — which grade an agency's status on e-government, financial management and other priorities — DOT and other agencies are putting security at the forefront for every manager.

"I'm a very strong believer in performance metrics and accountability through performance metrics. So, we integrated security metrics into the e-government component of the president's management score card, and that got briefed at the senior team management meetings within the department on a quarterly basis," Schlosser said. "That got a lot of visibility."

Identifying the right performance metrics is not an easy task. But agencies already are required to use the minimum metrics outlined in the Office of Management and Budget's guidance for the Government Information Security Reform Act of 2000.

Those metrics are not just for the performance of systems and programs, but also for the performance of the people overseeing them, said Mark Forman, OMB's associate director for IT and e-government, testifying late last month at a House committee hearing.

Metrics provide the best way to demonstrate that security is not just a black hole where money goes in and a solution never comes out, Schlosser said.

You've succeeded "when you can demonstrate through a strong performance measurement system that you are decreasing your risk through tracking of metrics," she said.