While reading the details of the amusing cat fight between Google and Microsoft over the Chrome Frame plug-in, we noticed an interesting white paper available on Network World’s page. Seven Practice Steps for Federal Cyber Security FISMA Compliance has some interesting guidance and talks about an important point in security.
IT and digital security are NOT the focus of a business, unless the sole purpose of your business is to provide those two things. The Federal Government's purpose is not IT services or cyber security, and this misconception is the root problem at many organizations today. IT and security personnel lose sight of the fact that they are employed to support the business and help it reach its goals. Every consulting engagement we have been involved with faced the terrible situation of overcoming IT organizational control, or perceived control.
Interviews conducted during process improvement initiatives support the IT control statement. Probably 9 out of 10 IT personnel interviewed would say they don't know what their employer's focus or goals were. Pre-school kids have a better understanding of strategic goals than most IT and security professionals, and I use the term professionals loosely. If you have a big drawing for a group of kids to color and assign each one a part to complete, they understand the bigger picture is to have a completed drawing. Companies do a poor job of communicating their goals and initiatives to employees and ensuring they know the focus is reaching those goals. IT is a mechanism to reach those goals, not the goal or centerpiece itself.
The first step in this Seven Practice Steps for Federal Cyber Security FISMA Compliance white paper is phenomenal writing. The last contract we worked on involved application development, security risk analysis and process re-engineering for a Fortune 500 client. No one knew anything about the systems they ran, and that is an understatement. Responsibilities were passed from one group or individual to another the more involved we became. Ownership of data was a mystery and spread over multiple databases with no control. The best part came when no one wanted to give the green light to dissolve the mess and implement streamlined systems with assigned data controls and responsibilities.
In the end, we provided our services and a solution to the problem this organization faced. Politics and spineless management intervened to help this problem persist, and it still does today. The shareholders of this organization would be outraged if they learned of the underlying problems, which are no doubt helping the stock price drop. Dog and pony shows eventually turn into slaughterhouses.
Step 4, "Integrate and Help Enforce Change Management Processes," is a stretch in our opinion. Is it required? Yes. Will it be enforced long-term? Probably not. The same problem plagues change management programs no matter the organization or the situation: red tape. Most incidents involving a change management breach occur because someone or some group needs to test something quickly to meet a deadline, or they are directed by executive leadership to get something done and to hell with policy. Unauthorized access points are the main violation that comes to mind here. Change management is required by virtually every compliance program, but it fails due to long-winded and poorly written procedures. For it to be successful, it must allow for quick decision making, a short approval or disapproval chain with alternates, and be time sensitive. When we say time sensitive, we mean the change is approved for a specified time and is cut off immediately, without question, when that time passes.
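The time-boxed approval described above can be enforced mechanically rather than by procedure: every approved change carries a hard end time, and anything a configuration monitor reports outside an open window is flagged as either expired (a ticket existed but lapsed) or never approved at all, which is how an unauthorized access point shows up. The following is an added example written for this post; it is not code from the white paper or from Tripwire. The asset names, change IDs, actors and timestamps are constructed sample data, and the `ChangeWindow`/`ObservedChange` structures are hypothetical, not any product's format.

```python
"""Time-boxed change authorization check (added example; names and data are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class ChangeWindow:
    """One approved change: what may be touched, by whom, and for exactly how long."""
    change_id: str
    target: str          # asset the change applies to (hypothetical naming)
    start: datetime
    end: datetime        # hard cut-off: the change is unauthorized from this instant on
    approver: str
    alternate: str       # named alternate so approval never waits on one person


@dataclass(frozen=True)
class ObservedChange:
    """A change event as a configuration monitor might report it (constructed)."""
    target: str
    actor: str
    at: datetime


def find_window(windows: List[ChangeWindow], target: str, at: datetime) -> Optional[ChangeWindow]:
    """Return the approved window that covers (target, at), or None if none is open."""
    for w in windows:
        if w.target == target and w.start <= at < w.end:
            return w
    return None


def classify(windows: List[ChangeWindow], change: ObservedChange) -> Tuple[str, Optional[str]]:
    """Classify an observed change as 'authorized', 'expired' (a window existed but had
    already closed) or 'unapproved' (no ticket ever covered this asset)."""
    w = find_window(windows, change.target, change.at)
    if w is not None:
        return "authorized", w.change_id
    lapsed = [w for w in windows if w.target == change.target and w.end <= change.at]
    if lapsed:
        latest = max(lapsed, key=lambda w: w.end)
        return "expired", latest.change_id
    return "unapproved", None


def audit(windows: List[ChangeWindow], observed: List[ObservedChange]) -> List[dict]:
    """Return one finding per observed change that is not covered by an open window."""
    findings = []
    for c in observed:
        status, ref = classify(windows, c)
        if status != "authorized":
            findings.append({"target": c.target, "actor": c.actor,
                             "at": c.at.isoformat(), "status": status, "change_id": ref})
    return findings


def build_sample() -> Tuple[List[ChangeWindow], List[ObservedChange]]:
    """Constructed sample: two approved windows and three observed changes."""
    t0 = datetime(2009, 10, 1, 9, 0, tzinfo=UTC)
    windows = [
        ChangeWindow("CHG-0001", "edge-firewall-01", t0, t0 + timedelta(hours=2), "alice", "bob"),
        ChangeWindow("CHG-0002", "wlan-ap-temp-07", t0, t0 + timedelta(hours=4), "alice", "bob"),
    ]
    observed = [
        ObservedChange("edge-firewall-01", "dev-team", t0 + timedelta(minutes=30)),  # inside window
        ObservedChange("edge-firewall-01", "dev-team", t0 + timedelta(hours=3)),     # after cut-off
        ObservedChange("wlan-ap-rogue-99", "unknown", t0 + timedelta(hours=1)),      # never approved
    ]
    return windows, observed


if __name__ == "__main__":
    windows, observed = build_sample()
    for finding in audit(windows, observed):
        print(finding)
```

The distinction between `expired` and `unapproved` is deliberate: an expired change points back to the ticket and the person who let it run past its cut-off, while an unapproved change on an unknown asset is the rogue access point case and warrants a different response. Feeding real monitor events in place of the constructed list is the only change needed to run this against an actual change log.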
We have no affiliation with Trip Wire and never used their products.