Department of Justice: Steps Toward Mitigating Risk
Dennis Heretick, Chief Information Security Officer with the Department of Justice, talks about information warfare, risk mitigation and infrastructure protection.
By Dave Gradijan
August 15, 2007
CSO
Eric Green of the Infowar Broadcasting Network talks to Dennis Heretick, chief information security officer with the Department of Justice, about information warfare, risk mitigation and infrastructure protection.
Green: In such a multifaceted agency, how do you quantify, how do you categorize what you have to deal with as you approach the issue of security? What are the first steps you’ve been taking over there?
Heretick: The key to that is starting with our mission needs, looking at our mission objectives and the risks to those mission objectives. Then identifying the security controls that mitigate those risks or directly support a mission objective. Preventing terrorism is our number-one goal, one that we share with many federal agencies, and of course a big part of that is data sharing and preventing that information from getting into the hands of people it shouldn’t. Much of that information has to be protected by law; other [information has to be protected] just in support of your mission. So the ability to look at risk control requirements that would allow you to encrypt data, that could give you techniques for preventing it from being copied, gives you a great trust relationship with whomever you share that sensitive information with. So you use both the mission need and the risk, and then prioritize requirements based on those two parameters.
Green: And so I think the benefit is also the challenge, in that when you’re within your agency, you can kind of say, this is our guideline and this is what we’re going to be doing, and you can only hope that the people who report up through you do it. Now we’re going to start crossing agencies and we’ve been talking about information sharing, and so if everyone is using a different risk-based structure and everyone is using different systems, forget about whether the systems can talk to each other; the security risks might not equate to the same levels. How do you deal with that?
Heretick: That’s something that we’ve always had trouble dealing with because we have to share information across agencies. Mr. Meyerrose, the CIO for the director of national intelligence, has formed a group including key players from DoD, NSA and NIST, and they are really integrating the intelligence community requirements into the 800-53 set of requirements from NIST. That set of requirements, when you continue to add other types of requirements such as financial system requirements from