GCN : July 2014
SECURITY MONITORING

How DHS keeps topping the FISMA scorecard

• DHS's Inspector General's office has built a monitoring system that has made it a top performer in security compliance

BY WILLIAM JACKSON

"Our process was one of making security a part of the operational unit. We tell them not only that something is broken, but what is broken." -- JAIME VARGAS, CHIEF INFORMATION SECURITY OFFICER, DHS OFFICE OF THE INSPECTOR GENERAL

Over the past 18 months, the Homeland Security Department's Office of Inspector General has established a system of continuous monitoring that has kept the multi-faceted agency at the top of the government's list of performers in federal IT security standards compliance. DHS received the top score in the Federal Information Security Management Act report to Congress for fiscal 2013, the only agency to get a score of 99 two years in a row.

The OIG uses commercial vulnerability scanning products and open source management tools in a platform that routinely scans systems for compliance with FISMA metrics. "Our process was one of making security a part of the operational unit," and not just an IT function, said Jaime Vargas, the OIG's chief information security officer. Identifying shortcomings quickly and on an ongoing basis means people can be held accountable for results. "We can ask very pointed questions. We are telling them not only that something is broken, but what is broken."

So DHS now is getting high marks for FISMA compliance. Is the department more secure? "That's always a difficult question," Vargas said, because compliance does not equal security. But the new system is helping his office move from a process-driven to a results-driven program that provides greater visibility into the systems. "I think we are moving in the right direction."

Although the inspector general performs departmentwide evaluations on FISMA performance, each operational component in DHS -- including the OIG -- manages its own IT systems and is responsible for their security. That puts pressure on the IG's office, Vargas said.

One of the biggest hurdles in FISMA compliance is the shifting metrics on which each agency is measured. Although the FISMA legislation has not been updated since its enactment in 2002, the security guidance and reporting requirements change and mature each year, setting new targets for mitigating and managing risk, remediating vulnerabilities and reporting. And IT security itself is a work in progress. "Traditionally, security has been a trade-off," Vargas said. Every advance in security comes at a cost, and every cut in resources results in more risk being accepted.

To meet this challenge, the OIG leveraged products already available to the office, such as the Nessus vulnerability scanner from Tenable Network Security ("That is our workhorse," Vargas said) and Microsoft's Active Directory tools, together with open source tools.

Active Directory, which includes identities of network devices, is the source of record for the scanning system. In setting the system up, a physical inventory of devices was created in conjunction with the office's accounting system, which matched IT assets with what had been bought. From this baseline inventory, compliance policies were developed for each type of device, which drives the imaging process for servers, workstations and other devices. A number of open source tools were also developed to work with Active Directory to identify everything that is active on the network during a scan and to direct the scanning process, ensuring that the appropriate policy is applied to each type of device. "By doing that we are able to get very accurate results," Vargas said.

There was some resistance to adopting open source tools, Vargas said. But they are cheap and available. "Nothing is perfect," he said. "But when you get some code and some smart people working on it, they can actually leverage it and get something that works."
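The reconciliation and policy-selection step described above, as an added example that is not the OIG's own tooling: it treats the enabled computer accounts in Active Directory as the source of record, compares them with a baseline inventory keyed by device type, assigns each active host the scan policy for its type, and reports hosts seen in AD that the inventory does not know about. Host names, device types and policy names are constructed, and the output is the per-policy target list a scanner such as Nessus would be given, not a call to any scanner API.

```python
from collections import defaultdict
from dataclasses import dataclass

# Scan policy per device type (policy names are hypothetical, not the OIG's own).
POLICY_BY_TYPE = {"server": "fisma-server-baseline",
                  "workstation": "fisma-workstation-baseline",
                  "network": "fisma-network-device"}
FALLBACK_POLICY = "discovery-unclassified"   # hypothetical; for types with no policy yet

@dataclass(frozen=True)
class AdComputer:
    """Stand-in for an AD computer object: the name and whether the account is enabled."""
    name: str
    enabled: bool = True

def reconcile(ad_computers, baseline):
    """Compare enabled AD objects against the baseline inventory {name: device_type}.
    Returns (plan, unknown, missing): plan maps each active, inventoried host to its
    policy; unknown = active in AD but not in the books (someone must answer for it);
    missing = in the books but not active in AD (offline, decommissioned, never joined)."""
    active = {c.name for c in ad_computers if c.enabled}
    plan, unknown = {}, []
    for name in sorted(active):
        if name not in baseline:
            unknown.append(name)
        else:
            plan[name] = POLICY_BY_TYPE.get(baseline[name], FALLBACK_POLICY)
    missing = sorted(set(baseline) - active)
    return plan, unknown, missing

def scan_runs(plan):
    """Group targets by policy: one scan run per policy, so each device type is
    scanned with the policy written for it rather than one generic scan."""
    runs = defaultdict(list)
    for host, policy in plan.items():
        runs[policy].append(host)
    return dict(runs)

# Constructed sample data, not real OIG hosts.
SAMPLE_AD = [AdComputer("srv-files01"), AdComputer("ws-audit07"),
             AdComputer("ws-audit08", enabled=False),   # disabled account: skipped
             AdComputer("rtr-edge01"), AdComputer("printer-3f"),
             AdComputer("lab-box99")]                    # never inventoried
SAMPLE_BASELINE = {"srv-files01": "server", "ws-audit07": "workstation",
                   "ws-audit08": "workstation", "rtr-edge01": "network",
                   "srv-old02": "server",       # bought, but no longer active in AD
                   "printer-3f": "printer"}     # type with no policy: fallback applies
```

Running `reconcile(SAMPLE_AD, SAMPLE_BASELINE)` flags `lab-box99` as unknown and `srv-old02` and `ws-audit08` as missing; the unknown list is the accountability question the article describes, and the missing list is what to check against the accounting records.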