Part 3

Custom
Customsupplement
supplement
to to
Federal
Federal
Computer
Computer
Week
Week

GOVERNMENT
INFRASTRUCTURE
SECURITY M ANAGEMENT

Security Starts With You, page s2 • Endpoint Security Management Software, page s5
8 Keys to Securing Your Mobile Workforce, page s6 • The Security Roadmap, page s8
 Custom supplement to Federal Computer Week
Security Starts With You
Security is one of the only endeavors where success is measured by nothing happening.
And that nothing starts with you.
For those professionals in charge of government security
management, being proactive is a way of life.
As managers, they lead their organization’s efforts on a
variety of fronts. It starts with authenticating staff and
contractor identities so they can access agency sites,
systems and networks.
At the same time, these managers must make sure data
is secure both in motion and at rest; so there is a need
for more physical and cyber authentication, encryption
standards and procedures. This translates into security
policies and governance procedures that must work with
an increasingly mobile workforce.
Further, in this world where information sharing is
becoming the norm rather than the exception in
government, the need for authentication and security
between machine-to-machine communications is
paramount.
And, of course, these security managers must protect
your network.
The Goal Is Better IT Security
Now, as the transition to new leadership grows closer,
there is more and more focus on who now is going to
provide the strong executive leadership and vision that
supports CIOs and CSOs on IT security issues.
The government is finally responding to the cyber threat
with a major infusion in funding for cyber security efforts.
Cyber security is now a major initiative in intelligence
with DHS taking the lead.
And if you were able to talk with security pros off-the-
record during a “Networking Reception”, here is a sample
of what you might hear them talking about.
You might hear them talking about needing a better
understanding of what Identity Management really means.
After all, sound security starts with sound identity
management practices.
You might hear an idea such as that ID management could
s2
mean finding 10 attributes that can be shared across the
community and they become the universal core of focus.
You might get advice to not focus on the ID
management piece, but focus on the business of
establishing identity and then working the standards
which in turn causes your agency to deal with the ID
management piece.
The key to making that work is to separate the idea of
identity and personas. Use the attributes to establish a
universal core and then make rules about how to
handle attributes.
There is evolution happening moving
from protecting networks first to
protecting the data first.
At conference after conference, government security
leaders have talked about how our governance model
creates tension between access and security. And that
we do not have tools and technologies where security
is seamless.
That is where identity management has to be the
foundation. You need to know who is on your network
with strong authentication processes. If you have that,
then you can get into network access by attribute and
other network access control activities. The CAC card is
progress; it is a foundational element but governance and
ID management are the keys.
TIC and CAC
You would certainly hear talk of the TIC (Trusted
Internet Connection) implementation: OMB has mandated
the need to quickly reduce the amount of agency internet
connections. Plans for reduction are in progress.
You would hear about the need for stronger governance
when it comes to security issues. You can have all the
HSPDs and NIST standards you want, but it still comes
down to implementation.
continued on page s4
 Custom supplement to Federal Computer Week
Security Starts with You, continued from page s2
They would also talk about training and the need for
more and better education on how to use the CAC cards
and finding ways to make security seamless across all
agencies. They would talk about having a better
infrastructure that builds in a more secure physical and
logical access solution.
They would be talking about recent OMB FISMA
guidelines and NIST C&A guidance and talk about how
government is doing a better job on C&A and identifying
risks, while FISMA scores are also better in some cases.
You might also hear them say industry is doing a better
job of taking government requirements in house and
“working the issues”.
Protect The Data First
But you would also hear them talk about barriers that
still exist because some in senior management do not view
cyber security as a national security threat, despite the
hacking and the increased investment in cyber security.
You would hear them talk about the need for even
better encryption for laptops. Theft of laptops and
unauthorized remote access are two mobile workforce
issues that must be dealt with. Encryption is a big issue
especially with telework. Privacy is also big along with
web application security.
There also might be talk of how effective HSPD-12
really is. And what they are really supposed to do? Is there
a plan? Many look to GSA. It could be years before using
the card for physical and logical access control and to
leverage the benefits of using the card.
Finally, you might hear them talk about the ever present
need for more funding for specific security issues and needs.
The fact is: there is an evolution happening from
protecting networks first to protecting the data first. The
new administration needs to focus all the security on the
data. People need to get serious; and make sure data is not
compromised if a machine disappears.
Some would say that we need to radically adjust our
thinking because within the next 5 years data will become
the center of gravity for operations and networks won’t
be that important. The new concept could be the data
center is not a data warehouse, but the center of
computing. It is in the data center that the transactions
of government will be taking place.
s4
Manage the risk
Security risk is the likelihood that something bad will happen that
causes harm to an informational asset (or the loss of the asset).
A manager’s role in managing risk depends on his or her
organizational responsibility. IT infrastructure managers have a
different role than finance managers. But, both need to engage in
some level of organizational risk management assessment of one
or more of the following:
• Security policy
• Organization of information security
• Asset management, human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition
• Development and maintenance
• Information security incident management
• Business continuity management
• Regulatory compliance
Managers should identify the value of the IT and information
assets that might be impacted. Then a threat and vulnerability
analysis should be conducted to identify the potential effect of
an occurrence and the probability of that occurrence. This type
of analysis should rely on both quantitative and qualitative
measures. Finally, risk mitigation controls should be identified
and implemented in proportion to the cost and potential severity
of the risk.
Managers can accept, mitigate, transfer, or, some cases, deny
the risk. These decisions should be made in concert with a multi-
disciplinary team that includes finance, IT and security specialists.
Security risk management is not a one-time process. On-going
review of identified risks and periodic assessment of potential new
risks are essential for continued security risk management.
And proactively securing that data will be the security
manager’s Number One priority then as it is now. ❑
 Custom supplement to Federal Computer Week
What Your Endpoint Security
Management Software Should Do
There is a strong case for investing in as much automation as possible to manage and
perform everything related to endpoint data protection.
There are lots of security related tasks. There are not a
lot of people to do those tasks.
That’s a strong case for investing in as much automation
as possible to manage and perform everything related to
endpoint data protection.
Many of these security requirements can be met using
COTS solutions designed to mitigate evolving threats and
enable compliance. COTS solutions also are available for
mandated encryption of sensitive and classified data. So,
what are some other areas you should look for automated
help in addition to securing your endpoints? Look no
farther than:
• Secure Digital Communication – protecting mission-
critical data sent over high-speed WANs as well as
remote access VPNs.
• Secure Login & Authentication - providing authorized
users with secure access to sensitive information, appli-
cations and facilities while keeping the bad guys out.
• Application Security Solutions – providing the security
foundation for mission-critical applications. This
includes using PDF software that allows for electronic
delivery options that include certified documents,
multistep digital signatures and rights management.
The Evolving Endpoint
Defending the network perimeter – the endpoint – has
always been at the core of an organization’s security
strategy. Today the endpoint is no longer the desktop or
even the laptop. For today’s mobile workforce, portable
mass media (e.g. flash drives, cell phones, Blackberrys,
memory sticks and PDAs) represents the next generation
of endpoints; and new opportunities for data loss,
introduction of malware and data theft.
So, while fortifying the outer barriers of the network
remains a vital component to overall enterprise security
efforts, it is no longer an effective last line of defense.
Security managers are equipping themselves with
solutions designed to protect against attacks on PCs,
Security managers are taking a proactive
approach and developing a clear,
in-depth policy regarding the use of
devices within the enterprise.
laptops, servers and portable mass media endpoints.
They are shifting their enterprise endpoint security
efforts to address today’s realities by taking a proactive
approach and developing a clear, in-depth policy regarding
the use of devices within the enterprise.
And they are deploying proactive software solutions to
support these policies and help gain a decisive advantage by
taking an offensive approach to protecting their enterprise
endpoints, no matter how frequently they evolve.
Blacklist or Whitelist?
Take all the known threats and create your blacklist.
That’s what firewall, anti-virus software and intrusion
detection systems do. And they require constant updating.
You can do the same with device use. But every day a new
device comes on the market. Keeping an up-to-date
blacklist is tough. Some might say impossible.
You could do the opposite. Create a whitelist.
Your whitelist is a pre-defined list of devices or
applications that are allowed to run on enterprise hardware
while blocking everything else by default. This concept
shelters administrators from the laborious task of
maintaining blacklists of all known devices.
According to security provider Lumension, “while
blacklisting only accounts for devices that a company
knows it wants to deny, the whitelist approach prevents
even unknown devices from harming the network. With
a blacklist-based solution, any device that is not
continued on page s7
s5
 Custom supplement to Federal Computer Week
8 Keys To Securing Your
Mobile Workforce
You’ve got a mobile workforce and they are going to carry data with them. Here are 8
things you can do to get them to them work securely.
1. Embrace The Technologies, They Are Here To Stay
There are the smart phones, the PDAs and the
Blackberry and iPhone. They have become
indispensable. At the same time, removable storage
media is at the center of a variety of new ways we can
share and use information from the small cards used in
PDAs and cameras to the thumb drives used to move
files between PCs and personal entertainment devices,
such as iPods, which may have as much as 160 Gigabytes
of storage capacity. And most personal media devices
can be connected to a PC via USB connections. They are
going to be used to access agency resources. New devices
will be continually introduced. So who is going to have
access? Are you going to blacklist or whitelist devices?
2. Establish Realistic, Workable Governance Policies
Make a case for case for workable device and
application control polices which establish what
devices and applications can be used, by whom, when,
and how. Flexibility is needed to embrace personal
devices that have become the way a user personalizes
the way they work and share data.
Management buy-in is essential to succeed. Communicate
with stakeholders.
At the same time, establish a new security policy, or
modify an existing one, to encompass any new
authentication system. It should include policies related
to remote access by all parties: employees, contractors,
business partners, and customers. It should also cover
user privileges; encryp-tion; password and privacy
guidelines; and e-mail and instant messaging practices.
There is far more likelihood for minimal impact on end
users and infrastructure alike. Once policies are developed,
tuned and communicated, they must be enforceable.
If you don’t already have an enforcement plan for your
security policy, develop one. Enforcement practices should
detail what happens when individuals fail to comply with
company policies.
s6
3. Encrypt, Encrypt, Encrypt
If information must be encrypted at all times in a
steady state, this can be done with nearly all forms of
removable media. Some encryption mechanisms can tie
individual users directly to the data and/or to the media
itself, preventing anyone else from using it. When this
type of device management is paired with application
control, you’re not only securing the device itself, but
you’re also preventing those devices from launching
dangerous executables, which may endanger your data.
Encryption can be used in conjunction with enforement.
If you can track who had confidential data, how they
used it, and were assured that they could not share it
outside of the enterprise, then that fulfills the need for a
comprehensive audit trail that may be required.
4. Employ Two Factor Authentication
Usually, two-factor authentication involves “something
you have,” such as a CAC, and “something you
know,” such as a PIN or password. Most two-factor
authentication authenti-cates users of remote access
solutions such as VPNs, Citrix applications, Webmail,
Outlook Web Access and other Web applications, plus
Windows and Unix log-ins, for compre-hensive identity
and access management.
5. Educate Staff
Educate staff on the new security technologies and
processes. Keep in mind that remote users are likely
to need more extensive training than employees who
work in your office facility. Make sure everyone
understands that remote workers face greater risks from
security threats.
6. Maintain Your Identity and Access Management
(IAM) System
Keep track of vulnerability assessments, backup
requirements, and comprehensive incident response,
disaster recovery and COOP plans.
 Custom supplement to Federal Computer Week
7. Choose A Good Authentication Solution
Things to look for are: ease of installation and use; low
TCO; scalability; web-based self-enrollment capability;
the ability to manage user information with existing
Microsoft tools; no additional software needed on the
client’s workstation; minimal impact on end users; and the
system should not require altering user behavior in order
to achieve a successful log-on.
Management Software Should Do, continued from page s5
specifically listed as a threat will be able to connect to
the network, allowing users to pilfer data or inject
malware into the systems.”
What the whitelist approach does is place control of
policy squarely in the hands of the IT administration
staff. Only devices that are authorized as having a viable
business use will work on endpoints.
Software Solution
Two things your software should do are:
1. Provide policy-based application and device control
that proactively secures your organization from data
threats, including data leakage, malware and spyware.
2. Enable only authorized applications to run and only
authorized devices (portable mass media) to connect
to a network, laptop or PC – facilitating security and
8. Taking it a step further with digital signatures
Digital signatures are much more difficult to imitate or
forge because the technology authenticates the identity of
the sender or signer of an electronic document. Digital
signatures also add assurances that the content of an elec-
tronically delivered message or document hasn’t been
altered since its creation. ❑
Sources: Lumension, Adobe, Ziff-Davis
systems management, while providing necessary
flexibility to the organization.
As a result the software prevents data leakage via
removable media, malware or spyware; protects against
malware, viruses and spyware; safeguards against zero-day
threats; controls proliferation of unwanted applications
and devices; assures and proves compliance with regula-
tions governing privacy and accountability; and maxi-
mizes benefits of new technologies and minimizes risk.
The software should also be used to encrypt removable
media so that it can be safely used and transported without
the fear of exposing your confidential data to unautho-
rized users. ❑
Sources: Lumension, Adobe
s7
 Custom supplement to Federal Computer Week
The Security Roadmap
Should you get a certification? An advanced degree? What about specific training?
There are a wide range of options for security professionals.
As a manager, if you surveyed the trends in security
related academic degrees for those in government and the
private sector, you would notice three trends:
1. There are a lot of focused courses specifically targeting
Information Assurance and Homeland Security topics.
2. Many educational institutions are offering advanced
degrees with specific concentration in these areas.
3. Many courses are available that teach to certification
and software requirements such as A+, Network+,
SSCP, CISSP, GSLC, CISM, Security+, GISF, GSEC,
SCNP, SSCP SCNA, CISA and GSE.
In government that translates into DoD mandating
vendor neutral baseline IT security certifications; the State
Department mandating vendor neutral entry level certifica-
tions; providing incentives for, but not mandating, other
certifications; OPM surveying the federal government to
identify certifications being used; and DHS developing its
IT Security Essential Body of Knowledge to make sure
everyone in the 22 components is on the same page.
A large part of security management is providing a
roadmap for professional advancement and making sure
security professionals have a common body of knowledge.
In today’s security landscape, education can be divided
into three areas.
Certifications Test Professionals
What certifications (e.g. CISSP) do is to provide
established criteria and a benchmark from which to test
professionals. That means having a baseline of tested
knowledge/skills (validated minimal level of knowledge
in the functions required for a specific job).
These can be used to build organizational-specific
training, which can be used to leverage independent 3rd
party review of processes and procedures and maintain
current content.
Certifications can also establish baselines that can be
met across domains, e.g. DOD, NIST and private sector.
Certifications also provide a good tool for attracting and
retaining the best talent. They create a pool of knowledge
that boosts an organizations overall security posture.
s8
It’s Academic
More and more colleges and universities are developing
curriculum so that managers can attain an academic
degree (Master’s, Ph.D.). To attain the degree involves the
usual minimum of 2-4 years of college courses, taken with
a wide-range of general education credits that result in:
Academic Certificates 18 credit hours; 2-4 year degrees
with concentration in Information Assurance; and
Advanced Degrees (Master’s, PhD. and Doctorate).
Security management is focused on providing
a roadmap for professional advancement and
making sure security pros have a common
body of knowledge.
These courses are gaining popularity especially those
with focus on Homeland Security as candidates must
demonstrate skills such as human interaction skills,
research, problem solving and critical thinking skills.
Specific Training
The goal of training is to teach knowledge and skills
that allow a person to perform a specific function. Form is
usually topic based or role based. Different developers use
different delivery methods and can tailor existing courses
to meet specific needs.
The advantage of targeted training is that it allows
agencies to keep current on new areas of needed
knowledge and skills. There is more emphasis on this area
than the others when updating or maintaining skills and
knowledge that are job-related. Trends in training are
being driven by the tendency to use as a metric the
number of people provided training and the cost associated
with that training and not performance improvement.
A Symbiotic Relationship
Management and employees inevitably view the world
through different lenses. Each has expectations of the
other. When it comes to security and education, these
differences in expectations are what make the relationship
work for all.
 For management, certification means an employee who
has been “vetted” by a third party as to proof of ability,
thus reducing hiring risk. An academic degree means
the employee has demonstrated an ability to learn and
persevere – a foundation for all training. They also will
probably have a good knowledge of new technologies and
have a “bigger picture” view.
For management, training such as the VA’s role-based
training program is an expense/investment that has immedi-
ate payback and is tailored to the unique needs of VA.
For the individual, certification removes an entry barrier
and provides a license to operate. This license should
translate into increased pay and networking opportunities
with others holding similar certifications.
distribute and support information security solutions;
and leverage existing workforce resources and attract and
retain supplemental workforce resources.
Recently the ISS task force made these recommendations:
establish common solutions in 4 key areas; close security
gaps by establishing Shared Service Center (SSC) model
to drive better performance, increase expertise through
specialization and reduce cost by providing common
products and services.
The task force also recommended leveraging a
governance structure, use a phased implementation
approach and the update of NIST SP 800-16 “Information
Security Training Requirements: A Role- and
Performance-Based Model”.

For the individual, an advanced degree is the foundation Learn more about IT certification and training at
of a career which can greatly advance their domain www.fissea.org and www.nist.gov. ❑
knowledge and job track potential. Source: Federal Information Systems Security Educator’s Association (FISSEA)

For the individual, role-based training teaches them how

to do current job and can be used as a stepping stone for
advancement.

ISS LOB
A backdrop to all of this is OMB’s Information Security
Systems LOB, which was chartered to support the
President’s Management Agenda for expanded E-Gov. Its
value proposition is to improve the level of IS Security
across government; eliminate duplication of effort;
increase aggregate expertise; and reallocate resources for
missions. It initially identified common IS Security needs
across all branches of government.

Driving the ISS LOB are closing security training gaps;

defining Federal-wide standards for ISS skills; the lack of
common ISS career path; the lack of common criterion for
credentialing ISS professionals; and the duplication of
effort as agencies individually develop and procure baseline
content and sustaining distinct infrastructure to support ISS.

What this is supposed to do is support performance of

the government’s mission through improved information
systems security; establish a mechanism to acquire,

s9