Even with the renewed scrutiny being given to government IT systems in light of the recent laptop theft at the Department of Veterans Affairs, officials working with the Environmental Protection Agency say the organization has significantly improved its security operations.
Guided by a seven-year contract granted to services provider Computer Sciences Corp. in 2002, the EPA maintains that it has applied a systemic approach to maturing its security operations, resulting in the agency being one of only five federal organizations that received a top ranking in a recent security scorecard issued by the House Committee on Government Reform.
At the heart of the EPA's project has been an ongoing effort to come into compliance with the U.S. government's Federal Information Security Management Act, or FISMA, which requires executive agencies within the federal government to secure their IT systems. Passed by Congress in 2002, FISMA specifically demands that government organizations ensure that they have appropriate officials designated to oversee IT security and that those workers periodically review security controls for all information systems while enforcing user and device authentication.
Under its deal with CSC, the EPA has outsourced its entire IT security operation to the service provider's Raleigh, N.C., data center, including oversight of its WAN. The project directly handles security for 25,000 users in ten regions throughout the United States and also includes management by CSC of the EPA's data center, desktop management and call center operations, in addition to the security responsibilities.
CSC officials say the company employed a strategic plan to help the EPA that included the completion of security gap analysis, followed by several major projects. That work included centralization of the agency's security incident response center, creation of a governance board to oversee and drive its technology decisions, and work to increase support for IT worker certification for development of security policy and architecture.
By balancing its need to move quickly to improve security with a more comprehensive overall IT strategy, the EPA has been able to make strides that other, less-organized agencies have not, said John Kashishian, director of CSC's Network Information Assurance Solutions group.
"The EPA has taken a consistent direction on security with a sense of urgency, but they also understand the systematic approach and how to best pace themselves, and budget, so there's never been a crisis throughout the project," Kashishian said. "The main operational change they've made is installing the security incident response center; that gives them the 24/7-type of protection that an organization of this size needs to respond to incidents and emerging threats."
While the EPA previously had a more decentralized response system in place, having a single source of communications for security information throughout the agency has made a world of difference, according to CSC officials. When a virus outbreak or equipment theft challenges the organization's security, the EPA can respond much faster with the response center up and running, Kashishian said. Employing the center was also meant to improve the security of the information being handled by the IT group.
In responding to the epidemic of stolen laptops in the federal sector and elsewhere, the executive said that the EPA has progressively improved encryption on all its mobile devices, and that the group is even considering a move to more thin-client systems to take data protection even further.
"There's an operational balance that needs to be evaluated, they understand that mobility is key, but it all comes down to risk," said CSC's Kashishian. "We're always looking to improve infrastructure and while we're not in thin-client environment, the EPA is evaluating the pros and cons of moving toward a model where data is more centralized and people have fewer demands to carry the data in the device."
Among the security projects ongoing within the EPA is an increased emphasis on protecting systems from the so-called insider threat, or the notion of workers with legitimate IT privileges carrying out data theft or manipulation schemes. The agency will look to further improve its standing against such attacks by expanding its authentication systems and putting additional policies in place to govern the use of mobile devices, CSC officials said.