For those of you in the Federal IT community who are not engaged in the area of IT security as your primary pursuit, I thought you might be interested in hearing about some of the innovative tools and techniques that we employ at the Department of State to secure our worldwide network. This is the first of a series that will hopefully inform and enlighten the Federal IT community, resulting in an exchange of ideas.
In this fast-paced world of information technology, new threats appear daily that result in volumes of lost personally identifiable information and crimes including identity fraud. To enable the Department’s mission of foreign policy and diplomacy while protecting sensitive information, the Department’s IT security professionals are working non-stop to prevent cyber attacks and engage Department staff in actively thwarting efforts to hack systems.
Reporting directly to the Chief Information Officer at the Department of State, the Information Resource Management Bureau’s Office of Information Assurance (IRM/IA) has instituted several initiatives to proactively address cyber security risk and assist IT professionals in managing their bureau and post information system security. These initiatives include the Site Risk Scoring program, customer toolkits, and the Joint State-USAID Solution (JSAS) for cyber security awareness training.
Site Risk Scoring
The initiative known as Site Risk Scoring is helping the Department increase security awareness and reduce risk at sites connected to our global network. Site Risk Scoring monitors system vulnerabilities and compliance settings to alert system administrators, as well as senior management, to the risk associated with their network site. Notification of these weaknesses prompts immediate attention where the need and risk are greatest. Since the program's inception, risk scores across the Department have steadily decreased by 50%.
Customer Toolkits
IRM/IA developed online toolkits to help IT professionals understand how best to complete the IT security requirements designed to better protect Department information. These toolkits are organized in an easy-to-understand question-and-answer format and are continually updated to reflect new policies and procedures. The toolkits aim to create secure, cyber-savvy environments throughout Department offices, making IT security more accessible, understandable, relevant, and timely. The topics covered by the toolkits include how to inventory information systems; the process of Certification and Accreditation; tracking and closing Plans of Action and Milestones; conducting Annual Control Assessments; and Site Risk Scoring.
JSAS – Providing Cyber Security Awareness Training
Selected by the Office of Management and Budget as one of only three providers for the Information Systems Security Line of Business (ISSLOB) for information security awareness training, JSAS is a joint State Department and USAID solution for cyber security awareness training. JSAS provides an automated, yearly cyber security awareness training course and a recurring cyber security “Tip of the Day” program. The annual cyber security awareness course presents real-world scenarios that help users understand how best to apply information security policies, and it tests users’ knowledge and understanding of policies and procedures each year to ensure comprehension.
The “Tip of the Day” application provides a recurring security reminder and can be implemented for all network users or for specialized groups of users. Each time a user logs in, a pop-up window opens with a security question that must be answered in order to close the screen. Responses to the security questions are recorded along with user IDs, so that managers can track progress. Combining the data from the Tip of the Day questions and the annual security awareness course allows management to detect and remediate weak spots in cyber security awareness.
Because technology changes daily and users need to be aware of new security requirements when they arise, not months later, the Tip of the Day tool provides the flexibility to insert tips on timely threats. Site Risk Scoring, customer toolkits, and the JSAS cyber security awareness training are all tools in the Department of State’s effort to educate users and reduce risk. One of the Department of State’s missions is to continually assess standards for improvement to protect Department information while supporting Department business needs.
I am about to embark on a two-week TDY assignment to Southern Africa to visit our missions and gain a better understanding of overseas posts’ operating realities and mission. During my visit to South Africa, Swaziland, Mozambique and Botswana I want to better understand how we can serve our diplomats in securing the Department’s information. Look for my reports from the field as I experience this wonderful journey!