The results were less than sterling and represent a trend that is mirrored in private industry. The Ponemon Institute released a report (November 2009), commissioned by Lumension, on the State of Endpoint Security. Metrics from both of these reports demonstrate a continued lack of strategic focus in information security efforts, and that should be alarming.

Some key metrics (a subset of the 19 criteria) from the GAO report are as follows. The table shows the percentage of agency plans that fully addressed, partially addressed, and did not address each criterion (organized by key topic area).

| Criterion | % Completed | % Partially Completed | % Not Touched |
| --- | --- | --- | --- |
| Describe the agency's long-term protective strategy to protect the cyber critical infrastructure identified in the plan | 56% | 0% | 44% |
| Summarize the agency's ability to identify gaps in carrying out any of the activities discussed above | 67% | 0% | 33% |
| Describe any corrective actions identified for cyber-related issues and if follow-on actions were taken | 72% | 0% | 28% |
| Describe performance metrics for the CIP program | 72% | 0% | 28% |
| Discuss any specific management, technical, or operational challenges with regard to implementation of the plan | 72% | 0% | 28% |
| Summarize locations and assets that support the primary functions | 67% | 17% | 22% |
| Describe the agency's process for ensuring independent oversight of cyber CIP programs | 78% | 0% | 22% |
| Determine whether corrective actions for IT systems considered critical infrastructure were included in Federal Information Security Management Act (FISMA) plans of action and milestones | 78% | 0% | 22% |
| Include a prioritized list of the agency's cyber-related critical infrastructure | 78% | 0% | 22% |
| Describe milestones for the initiatives described and target dates for completing each milestone | 83% | 0% | 20% |
| Describe the agency's current capabilities for prioritization of federal cyber assets | 83% | 7% | 13% |
| Describe the status of major initiatives that are underway or planned for addressing cyber-related deficiencies | 89% | 0% | 13% |

The Ponemon study goes on to indicate that only about 38% of the annual security budget supports business objectives. When you review this against the GAO metric of 44% of plans leaving the long-term protective strategy untouched, it seems unlikely that the budgets in US agencies are aligned with agency missions: if no strategic security plans are in place, there is nothing that agency objectives and government directives can drive.

Another alarming number, which may seem low to some, is the asset information percentages:

| Criterion | % Completed | % Partially Completed | % Not Touched |
| --- | --- | --- | --- |
| Summarize locations and assets that support the primary functions | 67% | 17% | 22% |

If agencies don't know the locations of their assets, or don't know which assets support the primary functions of critical infrastructure, then there is no way they can secure them. In addition, you cannot have a plan to remediate what you don't know you have, and you cannot include it in a budget, since it is unknown. Therefore it is difficult to provide alignment with agency objectives and government directives. A core component of any IT plan (not just the security plan) is asset management, with configuration management as its twin sister. Combine this with the following metric:

| Criterion | % Completed | % Partially Completed | % Not Touched |
| --- | --- | --- | --- |
| Include a prioritized list of the agency's cyber-related critical infrastructure | 78% | 0% | 22% |

and with an asset discovery process that is not aligned to critical systems, and it certainly seems that we as a nation are at risk of penetration and data leakage, since we do not know what we have and therefore don't know what we don't know.
Keep in mind that this is now 5 years after the initial Presidential directive and guidance was released. Also keep in mind the millions of records lost that we know of, and the ingenuity of criminal and state-sponsored elements in devising and executing penetration efforts against US critical infrastructures. There are many more metrics we could cover that describe the state of current agency efforts to secure the nation's critical infrastructure, but I believe this is enough to demonstrate the current maturity of those efforts.

Strategic plans should be in place as a core, standard component of any security program, constantly updated as the threat environment changes. Programs derive from the strategy as a tool to direct execution. Execution is managed using program and project management that drives gap analysis and remediation activities, which should occur continuously and not once a year. Management, technical, and operational controls need to be established to enable continuous monitoring of critical infrastructures in order to provide an 'anytime' view of agency (or private corporation) security posture. Easier said than done, and a completely different topic, but this would remove the need for point-in-time C&A efforts.

The metrics tell the story, and they cross both public and private sectors. What I get from the metrics, in brief, is as follows:

- Leadership needs to come from the top
  - Agency and company heads should make information security a highly prioritized enterprise initiative
- Strategic vision is required
  - Tactical must follow, but it should not lead
- Security must align to business and agency missions
- Security and IT must meld together into a cohesive force
- Assets must be discovered continuously
- Assets must be monitored continuously
- This needs to be done yesterday

What do you see?