JOnline: Evolution of Federal Cybersecurity—From Individual Controls to Systems of Control 


The legal progression of the integration of cybersecurity requirements within the US, European and Asian federal governments has steadily increased to keep pace with both the progress in technology and the evolution of common vulnerability exposures. From the growing offenses addressed in the US Computer Fraud and Abuse Act and European Union Data Protection Directive 95/46/EC, to the inclusion of security management processes with capital IT acquisition under the US Clinger-Cohen Act of 1996 and the subsequent requirement for federal system security certification and accreditation under the US Federal Information Security Management Act (FISMA) of 2002, cybersecurity is finally reaching a level of maturity that can almost keep pace with the 21st century’s operational challenges.

This shift in approach can best be seen in the US with the 3 August 2009 release of Revision 3 to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations. IT and, more important, the controls applied to information systems (IS) are now being recognized as interrelated systems of control, based on both inherent risk and the interoperability among management, operational and technical controls. The need for the integration of data and system security as a program-level initiative is further substantiated by the Directorate for Science, Technology and Industry Committee for Information, Computer and Communications Policy Working Party on Information Security and Privacy’s release of DSTI/ICCP/REG(2005)1/Final, The Promotion of a Culture of Security for Information Systems and Networks in OECD Countries. The challenge to private and public sectors globally is in the acceptance and incorporation of this premise within their daily operations. This new paradigm for the second decade of the 21st century focuses on the following key elements:

  • Program-level integration and management of cybersecurity risks and controls
  • Prioritization of security controls based on effectiveness to address common vulnerability exposures
  • A focus on the dynamic nature of information transport, processing and presentation, and continual adaptation of controls to address emerging threats and vulnerabilities

Looking at the current issues and challenges, what is needed not only to address the recent NIST SP 800-53 requirement changes, but also to start on the road for global organizations to build greater value delivery and extract more cost-effective management controls from a truly integrated program-level information assurance and enterprise risk management approach?

Issues and Challenges (Opportunities)

Since 1996, the US Government Accountability Office (GAO) has reported on the effectiveness of information security and the high-risk issues in reports to the US Congress. The July 2009 GAO report, Agencies Continue to Report Progress, But Need to Mitigate Persistent Weaknesses, identifies five top deficiencies within control families that affect most, if not all, 24 major US agencies covered in the report (see figure 1).

Figure 1

Since February 2005, and with the release of NIST SP 800-53 Revision 3, government agencies and their contractors have had consistent guidance as to the required controls and their enhancements. However, even with four years of experience, the results of the GAO reports on effectiveness of information security indicate systemic control deficiencies related to many of the same areas found throughout all sectors, public and private. Moreover, it is interesting to note that similar issues are found within the DSTI/ICCP/REG(2005)1/Final report, indicating that these are challenges facing all information assurance and risk management professionals.

Access Control

According to the GAO,

At least 23 major federal agencies had access control weaknesses during fiscal year 2008 with 48 percent of information security control weaknesses pertaining to access controls. The primary root causes of these issues are related to faults within people, processes or technologies that result in the following failure modes:

  • Failure to establish sufficient boundary protection mechanisms
  • Inadequate identification and authentication of users to prevent unauthorized access
  • Failure to force least privilege—need-to-know
  • Failure to use or use of inadequate encryption to protect sensitive data on networks and portable devices
  • Inadequate logging of, monitoring of and response to security-relevant events
  • Inadequate restriction of physical access to information assets

These recurring issues raise the question: with a barrage of testing of information assurance and enterprise risk management processes driven by ISO 27001, the US Sarbanes–Oxley Act, Attest Standard-501 (AT-501) and FISMA, why is the focus not on the implementation of key controls over access control? Both testing and analytic automated tools have matured, from client/server to mainframe. Therefore, expectations must also mature: access control monitoring and assessment can no longer be the domain of the auditor alone, but is the responsibility of the information assurance and enterprise risk management (ERM) professionals charged with managing and monitoring IS.

Configuration Management

The GAO identified 21 agencies with weaknesses in configuration management controls. As existing systems and newly developed systems are continuing through the certification and accreditation (C&A) process, this is becoming one of the more difficult areas for all organizations (agencies and contractors alike). Operational and schedule pressures can often trump sound configuration management practices.

Whether due to operational or schedule pressures, configuration management failures stem from the following root causes, each a failure to:

  • Implement common secure configuration policies across the systems
  • Ensure that system software changes were properly authorized, documented and tested
  • Monitor system configurations
  • Implement adequate flaw remediation (patches and updates in a timely manner)

Secure configuration baselines are readily available to the information assurance and ERM professional, ranging from Defense Information Systems Agency security readiness review scripts to National Vulnerability Database checklists and many other trusted sources. Yet, these tools are not being consistently applied.

Segregation of Duties

Although not new to IT general controls, agencies have not been appropriately segregating IT duties. This extends beyond system administrators and superusers to those end users who obtain unnecessary roles, privileges and access, whether through years of unvalidated access, by acquiring greater and greater access rights as they move through the organization, or through inadequate access request review and approval processes. Typical issues that are occurring include:

  • Individuals who enter an applicant’s data into a financial system and also have the ability to hire the applicant
  • System users who have the ability to both create and approve their own purchase orders without another person’s review or approval

This drives information assurance and ERM professionals to understand not only the IT operational segregation of duties issues, but also those related to the agency’s and contractor’s end-user access to mission and/or management support-processing systems (e.g., financial, manufacturing and industrial processing, supply chain, utilities).
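The two toxic combinations named above are exactly the kind of rule an assurance professional can check mechanically. The following is an added example, not from the article or the GAO report: a segregation-of-duties (SoD) review that resolves each user’s effective entitlements through every role held and flags any user holding a full conflicting set. The role and user data are constructed sample data; the entitlement names (such as `po.create`) are placeholders for an organization’s own identifiers.

```python
"""Segregation-of-duties (SoD) conflict review over role-based entitlements."""

# Toxic combinations taken from the two cases described in the article.
# Each rule is (set of entitlements that must not be held together, description).
SOD_RULES = [
    ({"hr.enter_applicant_data", "hr.hire_applicant"},
     "enters applicant data and can also hire the applicant"),
    ({"po.create", "po.approve"},
     "can both create and approve purchase orders"),
]

# Role-to-entitlement map (constructed sample data; names are placeholders).
ROLE_ENTITLEMENTS = {
    "hr_clerk": {"hr.enter_applicant_data"},
    "hr_manager": {"hr.hire_applicant"},
    "buyer": {"po.create"},
    "po_approver": {"po.approve"},
    "finance_analyst": {"gl.view"},
}

# User-to-role map (constructed sample data). "pat" kept old roles while
# moving through the organization, the accumulation pattern the article describes.
USER_ROLES = {
    "alice": {"hr_clerk"},
    "bob": {"hr_manager", "finance_analyst"},
    "pat": {"hr_clerk", "hr_manager", "buyer"},
    "quinn": {"buyer", "po_approver"},
}


def effective_entitlements(user, user_roles=USER_ROLES, role_ents=ROLE_ENTITLEMENTS):
    """Union of the entitlements granted through every role the user holds."""
    ents = set()
    for role in user_roles.get(user, ()):
        ents |= role_ents.get(role, set())
    return ents


def sod_violations(user_roles=USER_ROLES, role_ents=ROLE_ENTITLEMENTS, rules=SOD_RULES):
    """Return {user: [description, ...]} for every user holding a complete toxic set.

    A rule fires only when all of its entitlements are present; holding one
    side of a conflict (e.g. bob, who can hire but not enter data) is allowed.
    """
    findings = {}
    for user in sorted(user_roles):
        ents = effective_entitlements(user, user_roles, role_ents)
        hits = [desc for toxic, desc in rules if toxic <= ents]
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    for flagged_user, descriptions in sod_violations().items():
        for text in descriptions:
            print(f"SoD violation: {flagged_user} {text}")
```

Running the block lists pat and quinn as violations; the same function can be pointed at an export of real role assignments to produce the evidence an access review needs.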

Continuity of Operations

Even after recent terrorist attacks, Severe Acute Respiratory Syndrome (SARS), H1N1, ongoing global conflicts, data breaches and recent natural disasters, more than half of the agencies audited had not completely addressed continuity of operations and disaster recovery planning. For example, in some cases:

  • Planning was started and not completed
  • Plans were completed, but not tested
  • Business impact analyses in the contingency plan control were missing
  • Functional test documentation was inadequate to support testing results

The threat environment continues to grow, and information assurance and ERM professionals must focus on assessing whether capital planning and investment requests include the resources needed to implement the information security program (including continuity of operations) and document all exceptions to this requirement.

Security Management

Last, but not least, a large majority of agencies and contractors “had not fully or effectively implemented agencywide information security programs.”1 Agencies did not often adequately design or effectively implement policies needed for their information security programs. As a result, there were challenges in the successful deployment and implementation of information security program activities, such as risk assessments, information security policies and procedures, security planning, security training, system testing and evaluation, and remedial action plans.

With the creation of the program management control family of common controls in SP 800-53 Revision 3, agencies and their contractors must not only address the IS-specific controls, but, more important, they must develop and disseminate an organizationwide information security program plan that embodies a true enterprise approach to information assurance and enterprise risk management that:2

  • Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements
  • Provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection of operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan, and provides a determination of the risk to be incurred if the plan is implemented as intended
  • Includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance
  • Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the nation
  • Revises the plan to address organizational changes and problems identified during plan implementation or security control assessments

These are now more than words in certification best practice guides; they are the expectations for US agencies and contractor information assurance and ERM processes. Management teams, process and data owners, and information assurance and ERM professionals will now need to fully coordinate, develop, implement and maintain a truly viable security program management process that reaches across their enterprise.

Next Steps in the Evolution of Information Risk Management—Security Program Management

As is evident through the years of US Office of Management and Budget (OMB) reviews, federal agencies and their contractors are making steady progress in incorporating the appropriate security controls within their enterprise operations. With the recognition of real-world operational security challenges after the terrorist attacks on 11 September 2001 in the US, regulatory requirements, and the desire to adopt and integrate industry best practices, SP 800-53 Revision 3 has not only created the program management family, it has further integrated US government agencies within the security control fabric. Moreover, the information assurance and risk management professional working within other settings, such as private sector (publicly traded and privately held) and international entities, will also draw from the enterprisewide security program management approach (see figure 2).

Figure 2

The establishment of common controls and enterprisewide security program development, coordination, implementation and management marks the maturation of IS security from a secondary activity to an executive-level operational concern. The key question is whether not only US government agencies, but also other governments and businesses globally, will now use these new requirements as the impetus to accelerate the needed improvement in their security readiness and capabilities.

These new requirements bring US and international governments and businesses to a crossroads, leaving behind a past of siloed and disjointed security processes for a future that embraces an enterprise architecture product and service focus and information assurance principles in daily business operations. This starts with security assurance professionals becoming greater facilitators and initiators of change.

Facilitation and Integration—Keys to Success

It is important to have examined the many standards, regulations and issues that comprise the global challenges facing information assurance and risk management professionals. For organizations to truly embrace and incorporate DSTI/ICCP, Federal Enterprise Architecture (FEA),3 ISO 27001 and NIST guidance, they must realize both the external and internal business cases for operations and not only the regulatory requirements presented in international public laws and industry standards. Where the words “risk-based” appear within NIST SP 800-53, they mean that information assurance and risk management professionals must give proper consideration to each organization’s unique operational environment and to the risks to its stakeholders (the public, process and data owners, and support personnel).

Success-driven security will always win over brute-force mandates. The key is using a structured approach to bring all affected parties to the table and develop, integrate, implement and maintain the information assurance practices as the normal course of business—practices that lead, not impede, success.

Through the application of proven process improvement frameworks (Lean Six Sigma4 or Kaizen5), information assurance and risk management professionals can not only bring their organizations together as a team but, more important, they can truly understand the business drivers for IS. This approach embodies the intent of both the FEA’s enterprise architecture product and service focus and the NIST SP 800-53 enterprisewide security program management approach.

The following are key elements that could be adapted to facilitate this process:

  • Define the business processes and security requirements and goals.
  • Measure the current IS security processes; identify business and risk-based outcome and performance measures; and collect relevant data, as they exist today, for future comparison.
  • Analyze control gaps and their root causes to verify the relationships and causality among contributing factors.
  • Improve or optimize the process (process controls implemented).
  • Ensure regular reassessment of the process to provide reasonable assurance that the implemented process controls remain in place, are relevant and address process variances before they result in defects.

These are high-level descriptions of proactive and productive methods and techniques for ensuring that the appropriate and correct security controls are integrated within an organization’s IS and business processes. This approach, when supported by top management, can readily address IS confidentiality, integrity and availability risks, and business operational needs, while also driving processes to greater efficiency.

The IT assurance and risk management professional can no longer be just a technical security subject matter expert. These professionals must also be informed students of their business operations both today and tomorrow. The next steps are theirs to take. It is important to be the catalyst of change, the innovator, the driver for excellence, for without these initiatives, business will hold onto the failing status quo, instead of moving to make information assurance and risk management a normal course of daily operations.


1 Government Accountability Office, GAO-09-546, Information Security: Agencies Continue to Report Progress, But Need to Mitigate Persistent Weaknesses, USA, July 2009
2 National Institute of Standards and Technology, Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Program Management 1—Information Security Program Plan, USA, 3 August 2009
3 Federal Enterprise Architecture describes an integrated concept that systems architects “can use with stakeholders to deliver value to the business and improve results in agency mission areas.” Federal Enterprise Architecture Program Management Office, Office of Management and Budget, FEA Practice Guidance, USA, November 2007
4 Lean Six Sigma processes strive to improve quality and maximize resource utilization through structured and objective measurement, analysis and control implementation.
5 Kaizen can be defined as process improvement processes designed to eliminate waste or activities that add cost but do not add value.

Jeff Roth, CISA, CGEIT
is a director with the Technology Risk Management Services group of RSM McGladrey Inc. He has more than 23 years of internal audit experience in industries ranging from aerospace, chemical production, power generation and health care to petroleum exploration and manufacturing. Roth was a contributor to the fourth major revision of COBIT and is on the ISACA CGEIT Certification Committee. He frequently speaks at industry conferences worldwide.


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.


© 2010 ISACA. All rights reserved.
