EPA improves security compliance

A new system helped the EPA dramatically improve its ability to follow information security regulations.

Environmental Protection Agency officials dramatically improved their ability to follow information security regulations by spending half a million dollars on a compliance system.

Several companies and government agencies have contacted the EPA to learn about its increased compliance with the Federal Information Security Management Act of 2002, said Mark Day, the EPA's deputy chief information officer. Since buying software from BindView Corp. more than a year ago, the agency's FISMA technical compliance has risen from 35 percent to 95 percent, attracting interest inside and outside of the federal government, Day said.

In an Office of Management and Budget report, "Budget of the United States 2005; Analytical Perspectives," officials stated that the EPA "excelled at protecting their information security assets."

BindView's product, BindView Report Packs, is designed to help information technology administrators target and eliminate security vulnerabilities in information systems. The software cost the agency about $500,000, Day said.

As with many new IT strategies, particularly ones that involve intensified oversight, initial hesitancy among agency staff members gave way to broad-based approval, Day said.

"There were a couple brave souls who took this on and proved that it could be done," he said. "Then later, when someone said, 'It's too hard. It can't be done,' the answer was easy: 'Everyone else is doing it.' "

The BindView system gave managers the tools to give instructions and check compliance, which helped the EPA chart and publish its compliance.

"It's amazing how these charts went from being something very disliked in the first couple months to now most of the IT professionals saying to their boss, 'Here's independent proof that I am doing my job.' "

Officials ensured that the EPA's compliance reports were widely published, lending to system-critical transparency and credibility, Day said. And managers didn't have to be technical experts to address their IT problems. "The typical problem a manager gets is a report saying a password isn't set up. What can they do? They don't know how to fix that. Well, now they say get me green."

EPA isn't endorsing BindView's product, Day said.