The recent Federal Information Security Management Act report named the Department of Homeland Security as the top performer in an assessment of federal agencies’ compliance with IT security standards, GCN reported Thursday.
DHS’ continuous monitoring system, which is run by the department’s Office of the Inspector General, received a score of 99 for the second consecutive year, William Jackson reports.
According to OIG Chief Information Security Officer Jaime Vargas, the DHS system shifts the focus from process to results and places a measure of accountability on each operational unit.
He said DHS practices both departmentwide FISMA compliance checks and per-office IT systems security management, with OIG playing a critical role.
“One of the challenges the IG has is that we don’t set our own policies, we follow the policies of the department at large. At the same time, we are expected to set an example in order to be credible.”
The system combines commercial products, such as Tenable Network Security's Nessus for vulnerability scanning and Microsoft's Active Directory, with open source systems management tools that were initially met with resistance, Jackson writes.
“[When] you get some code and some smart people working on it, they can actually leverage it and get something that works,” Vargas said.
OIG runs the vulnerability scans every 10 days, reports the results and the speed of response, and applies the risk management framework published by the National Institute of Standards and Technology.
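The reporting step described above, comparing one scan cycle against the next to see what was fixed and how fast, is easy to get wrong if a raw diff is used: a host that was unreachable during the later scan looks exactly like a host whose findings were all remediated. The script below is an added example, not code from DHS OIG or from the GCN article. It parses two constructed snapshots in the layout of a Nessus `.nessus` (NessusClientData_v2) export, classifies each earlier finding as remediated, still open, or unverified (host not re-scanned), and reports the within-cycle fix rate. Hosts, plugin IDs, dates and the 10-day cycle length used here are made up for illustration.

```python
"""Track vulnerability findings across two periodic scans (constructed example)."""
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample exports in the shape of a Nessus .nessus file.
# Hosts and findings are invented for this example.
SCAN_DAY_0 = """<NessusClientData_v2><Report name="cycle-0">
 <ReportHost name="10.0.0.5">
  <ReportItem port="445" pluginID="57608" severity="2" pluginName="SMB Signing not required"/>
  <ReportItem port="443" pluginID="51192" severity="2" pluginName="SSL Certificate Cannot Be Trusted"/>
 </ReportHost>
 <ReportHost name="10.0.0.9">
  <ReportItem port="22" pluginID="70658" severity="1" pluginName="SSH Server CBC Mode Ciphers Enabled"/>
 </ReportHost>
 <ReportHost name="10.0.0.12">
  <ReportItem port="443" pluginID="42873" severity="2" pluginName="SSL Medium Strength Cipher Suites Supported"/>
 </ReportHost>
</Report></NessusClientData_v2>"""

# Ten days later: 10.0.0.5 fixed SMB signing but gained a new finding,
# 10.0.0.9 is unchanged, and 10.0.0.12 did not answer the scanner at all.
SCAN_DAY_10 = """<NessusClientData_v2><Report name="cycle-1">
 <ReportHost name="10.0.0.5">
  <ReportItem port="443" pluginID="51192" severity="2" pluginName="SSL Certificate Cannot Be Trusted"/>
  <ReportItem port="80" pluginID="11213" severity="2" pluginName="HTTP TRACE / TRACK Methods Allowed"/>
 </ReportHost>
 <ReportHost name="10.0.0.9">
  <ReportItem port="22" pluginID="70658" severity="1" pluginName="SSH Server CBC Mode Ciphers Enabled"/>
 </ReportHost>
</Report></NessusClientData_v2>"""


def parse_scan(nessus_xml):
    """Return (hosts, findings); findings maps (host, pluginID, port) to severity and name."""
    root = ET.fromstring(nessus_xml)
    hosts, findings = set(), {}
    for host_el in root.iter("ReportHost"):
        host = host_el.get("name")
        hosts.add(host)
        for item in host_el.iter("ReportItem"):
            key = (host, item.get("pluginID"), item.get("port"))
            findings[key] = {"severity": int(item.get("severity")),
                             "name": item.get("pluginName")}
    return hosts, findings


def compare_cycles(earlier_xml, later_xml, earlier_date, later_date, min_severity=1):
    """Classify earlier-cycle findings against the later cycle.

    A finding counts as remediated only if its host was actually re-scanned;
    findings on hosts absent from the later scan are reported as unverified,
    because an unreachable host is indistinguishable from a fixed one in a raw diff.
    """
    hosts_before, before = parse_scan(earlier_xml)
    hosts_after, after = parse_scan(later_xml)
    elapsed = (later_date - earlier_date).days

    remediated, still_open, unverified = [], [], []
    for key, info in before.items():
        if info["severity"] < min_severity:
            continue  # informational findings do not count toward the metric
        if key[0] not in hosts_after:
            unverified.append(key)
        elif key in after:
            still_open.append(key)
        else:
            remediated.append(key)
    new = [k for k, v in after.items()
           if k not in before and v["severity"] >= min_severity]

    closed_total = len(remediated) + len(still_open)
    return {
        "elapsed_days": elapsed,
        "remediated": sorted(remediated),
        "still_open": sorted(still_open),
        "new": sorted(new),
        "unverified": sorted(unverified),
        "unscanned_hosts": sorted(hosts_before - hosts_after),
        # Scans only bound the fix time: a remediated finding was closed
        # somewhere inside the cycle, so the cycle length is the upper bound.
        "max_days_to_close": elapsed if remediated else None,
        "within_cycle_rate": len(remediated) / closed_total if closed_total else None,
    }


if __name__ == "__main__":
    # Constructed cycle dates; the real cadence in the article is 10 days.
    report = compare_cycles(SCAN_DAY_0, SCAN_DAY_10, date(2013, 1, 1), date(2013, 1, 11))
    for field, value in report.items():
        print(f"{field}: {value}")
```

The unverified bucket is the part worth keeping when adapting this to a real feed: it is what stops a scan outage, a firewall change, or a decommissioned host from silently inflating the remediation rate that gets reported upward.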
Jackson notes, however, that compliance does not necessarily produce security, a challenge agencies face alongside shifting security and reporting guidelines.
“Traditionally, security has been a tradeoff,” said Vargas, but he believes the visibility into the systems that the tests provide has also helped boost security.