

Cyber Security: The Status of Information Security and the Effects of the Federal Information Security Management Act at Federal Agencies

Bruce Morrison, Acting Chief Information Officer
Testimony Before the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census
Washington, DC
June 24, 2003

As Delivered

Good Morning Mr. Chairman and Members of the Committee. I am honored to be here and appreciate the opportunity to discuss information security at the Department of State. With your permission, I will submit my written testimony for the record.

While we are not yet where we would like to be in cyber security, I would like to take this opportunity to report on the initial stages of improving our program.

I would like to state that we at the State Department have the highest level of support from Secretary Powell and Under Secretary for Management Green. Secretary Powell considers Information Technology [IT] and Security to be a strategic component in implementing U.S. foreign policy.

Let me summarize IT Security at State

We have long established a strong perimeter defense with technical, physical, and personnel controls, anti-virus, firewalls, intrusion detection, and incident reporting.

However, we realize that a sound cyber security program is built upon a defense-in-depth strategy that includes management controls as well as technical and operational measures. What we have lacked in the past is a comprehensive management structure and a serious Systems Authorization program.

A New Day

It is a new day at State, with the convergence of several events bringing a fresh approach and commitment to cyber security. First, GISRA [Government Information Security Reform Act] and then FISMA [Federal Information Security Management Act] focused top management attention on cyber security. Second, we have new cyber security leadership at State: I stepped into the position of acting CIO [Chief Information Officer] six months ago. Additionally, there is a new Assistant Secretary for Diplomatic Security with whom we collaborate closely. Finally, OMB [Office of Management and Budget] very helpfully mandated that we authorize all systems by the 4th Quarter of FY 2004.

Our new organization is giving birth to a new cyber security culture, and is producing results. We have a new Office of Information Assurance headed by a senior officer reporting directly to me. This office handles IT security policy, program management, performance measures, risk management, and reporting.

There is increased Department-wide cyber security focus as all offices are now involved to some degree in cyber security through the Plans of Actions & Milestones (POA&Ms) process and awareness programs. As I mentioned, there is excellent rapport and collaboration between the CIO and the Bureau of Diplomatic Security on all aspects of cyber security. A similarly cooperative partnership exists with the Chief Financial Officer on Critical Infrastructure protection and the information technology budget.

We have a senior-level, multi-disciplinary Cyber Security Advisory Group. There is a close working relationship with the Office of the Inspector General [IG]. In bi-weekly meetings with the IG, we discuss a variety of cyber security issues with FISMA requirements and systems authorization taking center stage.

Security and Capital Planning and Investment Control (CPIC)

State has recently established an E-Gov Program Board chaired by Under Secretary for Management Green to manage all IT funds.

Information Assurance experts now review every IT system budget request to assure that appropriate security considerations are budgeted and executed.

Cyber security is represented at all levels of the budget process. We have initiated ongoing training for Systems Owners on completing the security part of budget submissions.

Systems Authorization

We have developed a new process for IT, which is a hybrid of NIACAP [National Information Assurance Certification and Accreditation Process] and NIST [National Institute of Standards and Technology] guidance and categorizes systems by type and security classification level. The plan was developed and submitted to OMB in March and budgeted in mid-April. We are on track with 10% of our systems done and with goals of 33% by August 2003 and 100% by August 2004.

Institutionalizing Cyber Security

We are taking specific steps to institutionalize cyber security management and practices. New systems are addressing security from the outset and will undergo C&A [Certification and Accreditation] so that they are authorized before being put into operation. In our future budgets, requests will include security costs. Regular awareness sessions for all users, establishing a cyber security corps and mandatory training for the security practitioner will assist in institutionalizing cyber security throughout the Department.

In Summary: FY 2003 Progress

We are still in the early stages of creating a comprehensive cyber security program, but we have made great strides over the past few months. This progress contributed to our PMA [President's Management Agenda] score of green for E-Gov progress.


© Scoop Media
