In-Depth

Private Lessons: Public Sector Notes on Security

Although the spotlight tends to shine on the poor grades federal agencies receive for their information security efforts, notable security successes in government are often overlooked.

• By Linda Briggs
• 05/15/2007

It's discouraging for anyone concerned about security when federal agencies like the Departments of Homeland Security, Defense, Treasury, and State all score Ds and Fs on their yearly congressional compliance grading for security. The House Government Oversight and Reform Committee announced annual grades for 2006, based on agencies' compliance with the Federal Information Security Management Act of 2002 (FISMA). The grades look at information security, plans of action, and how federal agencies detect and react to security breaches.

What tends to be lost amidst the outcry is that some federal agencies have actually either improved their scores considerably—the Department of Labor moved from an F in 2001, the year first evaluated, to an A+ in 2006—or have managed to get and maintain a favorable grade over the past several years. For example, the US Agency for International Development (USAID) garnered an A+ for the third year in a row.

Although FISMA scores don't tell the whole story, some agencies have done well in implementing data protections and getting a handle on managing security. And at least some of their efforts can apply to the private sector's struggles with some of the same compliance and security issues.

There's definitely crossover between public and private entities in terms of security, according to Gregory Wilshusen, acting director of IT at the Government Accountability Office (GAO). The GAO, which serves as a Congressional watchdog of sorts over the executive branch, including federal agencies, has issued plenty of its own reports critical of information security at federal agencies.

In an April GAO report titled "Persistent Weaknesses Highlight Need for Further Improvement," 21 of 24 federal agencies showed significant weaknesses in information security controls. In scolding comments that could just as well be addressed to many private corporations, the report cited a general lack of enterprisewide security controls, rather than piecemeal solutions.

"In terms of the weaknesses that we identify, the types of controls, and certainly the threats that confront the federal government," says Wilshusen, who issued the report, "private companies need to face those as well." He cites personal identifiable information as a clear example of data that needs the same sort of tight security protection regardless of whether it's public or private.

In the GAO's report, the three agencies that did well—the Social Security Administration, National Sciences Foundation, and USAID—also did well on their FISMA report cards. Three federal agencies that have pulled themselves up from grades of D and F when FISMA was first applied for the year 2001—when most agencies received failing grades—are the aforementioned USAID, the Social Security Administration, and the Office of Personnel Management.

The successes of those agencies carry clear lessons for security in the private sector as well, according to Forrester analyst Khalid Kark: work with your internal auditors, and make real efforts to tie compliance to security, rather than just checking boxes.

Work with internal auditors

Wilshusen points out that information in the April GAO report was drawn from audit work done by each agency's inspectors general (IG). IGs serve roles analogous to internal auditors in the private sector. The report focused on a required audit of an agency's financial statements, which is generally conducted by the IG. Among other things, the auditor reviews the effectiveness of information systems controls over in financial statements.

The GAO's reliance on inspector generals for its report points up a lesson for the private sector: There's no substitute for a good relationship with your internal auditors. In determining FISMA compliance, each agency in government has an Office of Inspector General (OIG) that interprets its adherence to FISMA. "If you have a good relationship with the OIG office within your agency," Kark says, "I can predict that you'll get good [FISMA] grades."

Whether in public agencies or private, security officers that work closely with auditors and educate them on controls do much better in annual reviews. "Auditors often aren't security people," Kark says, and thus might not be aware of security controls, or understand them. "Keep them in the loop on controls so they're aware of those things… If you're able to sit down with them and define your controls upfront… you're halfway there."

Tie compliance to security

In the FISMA rankings, the good grades of a few agencies tend to be offset by the poor performance of some of the largest departments in government. The Department of Homeland Security earned a D in the latest report, up from three Fs in a row; the Department of Defense earned another F. But even those abysmal grades carry lessons for the private sector, Kark argues—that there isn't a clear correlation between spending on security training, and good compliance scores.

In 2005, for example, the DOD spent a respectable $15.57 per employee in security training. The problem: the agency is so huge, sprawling and diverse that achieving any kind of consistent security across its 2.7 million employees may be virtually impossible, at least for a long time to come.

"Throwing money at the problem does not seem to increase the probability of receiving a better grade," Kark says. The Department of Energy spent $75.22 per employee on security training in 2005, but still received an F. USAID, in contrast, spent just $9.30 per employee that year and received an A+.

Those same patterns can be found in the private sector, where the same disconnect between compliance and real security often exists. Simply put, checking off boxes on a list of compliance goals—whether to comply with FISMA or PCI—doesn't equate to good security.

Unfortunately, a disconnect between compliance and security spending persists in both public and private entities. Kark says that one federal Chief Information Security Officer said that his agency's security budget the previous year was $1 million; in contrast, compliance spending was a whopping $5 million. A better approach, Kark says, would be to realize the overlap between the two and leverage it, yielding a total of $6 million to spend on security and compliance initiatives.

"What happens a lot of times, in the commercial sector [as well as government]," Kark says, "is there are deadlines you need to meet, so you say, let's just check the items off." While that focus may lead to a good compliance score in the short term, he argues, it's largely a waste of effort and money in your long-term security efforts. A better approach melds the two efforts, yielding gains on both the compliance and security fronts.