Federal security managers are wrestling with meeting the challenge of a rapid escalation in the number, severity and complexity of threats. Risk management is at the heart of their efforts to meet that challenge. Yet some cybersecurity mangers are struggling to implement the National Institute of Standards and Technology's Guide for Assessing the Security Controls in Federal Information Systems (Special Publication 800-53A) (.pdf), the government's official risk assessment guidance. The 200-page document can be dense and difficult. For some, a more concise and limited risk assessment framework may be a better place to start.
Peyton Engeltechnical architectCDW
With the concept of risk management in flux and under increasing scrutiny, Peyton Engel, a technical architect at CDW (whose team of engineers provides security services to government and industry), believes that there is no general list of "best practices" that will uniformly protect every government agency from a constant barrage of threats.
But a basic framework for risk assessment can help agencies formulate a security strategy and even make decisions about the need for continuous monitoring, he said.
"Clearly there is a need to change and adapt and when you have a new threat, you have to deal with it," Engel said. "But I don't think necessarily your method of analysis [of risks] needs to change and adapt so much. But the response that you come up with is definitely going to have to change and adapt over time."
He added, however, "assessment isn't something you do just once and you know for all time what your security priorities are. It's something that you want to engage in on some kind of regular basis."
There are five clear, simple straightforward steps that any organization can take to develop a rational foundation for its cybersecurity strategy, Engel said. Managers can follow this basic framework:
- Identify information assets within the primary types of information the organization handles
- Locate information assets based on where they reside within the organization
- Classify information assets in clear categories, such as public or regulated information
- Conduct a threat modeling exercise to rank threats that top-rated information will face
- Finalize data and start planning a groundwork for sensible security
The fourth step, the threat modeling exercise, also may help agencies to decide whether they should explore the need for continuous monitoring. "If you have, on the basis of your threat modeling, risks that justify [continuously monitoring] then you would do it," he said. "If you don't have risks that justify, then you might say, 'We'll revisit this next year and decide whether we need it.'"
According to Engel another major factor is cost in determining the whether to deploy continuously monitoring is cost. "Basically [continuous monitoring] is more expensive because you usually have to have a human being making at some level prioritization or response decisions," he said. "It's more expensive to do that than it is to put some technical or procedural control in place and then hope you're taken care of."
About the author: Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.