--DHS and OMB Paper on Data Security Risk and Mitigation for Federal Agencies (July 2007)
[in SANS NewsBites Vol. 9 Num. 57 of July 20, 2007]
The US Department of Homeland Security (DHS) and the Office of
Management and Budget (OMB) have released a paper called "Common Risks
Impeding the Adequate Protection of Government Information." The "paper
identifies common risks or 'mistakes'" agencies make when protecting
sensitive data. Each risk is accompanied by a list of best practices
to avoid the pitfalls and a list of resources from which agencies can
draw support and obtain concrete information.
http://www.fcw.com/article103240-07-17-07-Web&printLayout
http://csrc.nist.gov/pcig/document/Common-Risks-Impeding-Adequate-Protection-Govt-Info.pdf
[Editor's Note (Kreitner): This document contains solid guidance for
managing the security of information, but its implementation and
effectiveness will be unknown without tracking a few well-chosen
enterprise performance metrics, particularly results-oriented metrics.
I hope OMB and DHS will follow this up with an effort to devise some key
metrics. Metrics that highlight the root causes of security incidents
are a good place to start. Examples: Percent of incidents that
involved third parties; Percent of intrusions for which security
controls were known but not implemented that would have prevented the
intrusion. If enterprise management knows what is causing its security
incidents, it can apply its attention to eliminating those causes.
Several years ago, a sub-committee convened the Corporate Information
Security Working Group (CISWG) that developed a pretty good set of
information security metrics that provide some suggestions. See
http://www.cisecurity.org/Documents/BPMetricsTeamReportFinal111704Rev11005.pdf
(Honan): While this may prove to be an excellent resource, I always
worry when people title reports outlining recommendations with the word
"Adequate". I prefer my security, like my steak dinners, to be more
than "adequate".]