Real Security Leaders Don't Ignore Mission Security


A recent Government Accountability Office study shows the Federal Protective Service is not protecting General Services Administration buildings because of underfunding. And that's just the story for GSA buildings. What steps has your agency taken to assess the quality of physical protection at your GSA and non-GSA facilities?

The response to this GAO report from most agency heads is likely to be "What does that have to do with me? Are Congress or the Office of Management and Budget going to give my agency a bad grade because FPS is not doing the job?"

Senior managers understand that lots of money must be spent on computer security lest their agency get a "bad grade" (or perhaps even because current computer security is lousy). But they have no idea about the true cost of mission security or what sorts of investments are necessary to improve mission security.

I use the term "mission security" as a synonym for what the military and intelligence folks call operational security. But in my experience, managers' eyes glaze when terms like opsec are uttered. Managers understand that their organization's mission is important and anything that interferes with that mission is a problem.

I'd like to see more discussion of mission security by OMB and Congress, because that would almost surely result in discussions about how employees necessary to the organization's mission are kept safe, how computerized and paper information files are kept secure, how unauthorized access to agency and contractor facilities is controlled, and how long the agency might cease certain operations without affecting its central mission.

I am lucky enough to have worked for a federal organization with a clear idea that (1) employees are its most important asset and (2) its mission, though important, was not so central to the country that it could not simply shut down for a while in case of a temporary emergency. What other federal organizations have even looked at these questions? Does the American Battle Monuments Commission need a continuity of operations plan? The U.S. Parole Commission?

Discussions about mission assurance happen only when managers insist they happen. The worlds of physical security, personnel security, document security and computer security seldom overlap. Indeed, the "not-my-job" ethos has evolved into "not-my-job-thank-God" in the federal security world. Every agency head should mandate a monthly one-hour meeting of everyone who has anything to do with mission assurance - COOP person, privacy person, head of police, information security officer, data center disaster recovery person, HSPD-12 coordinator, reinvestigation coordinator, head of contracting, records management person, training director ... everyone. The meeting should be chaired by the agency's chief operating officer (generally the deputy secretary or chief of staff) and should be confined to brief status reports from each area, directed to the question: "What sorts of things are my group doing that affect mission security?" No discussion, just quick questions to clarify. Follow-up meetings can iron out overlaps and improve coordination.

At a recent Security Dreamer forum to discuss the concept of physical security information management, Steve Hunt told the following story:

Immediately after the 9/11 attacks, the head of a large company in the New York area called his head of physical security and his chief information security officer together to discuss how the organization would improve its disaster readiness. At that meeting, he learned the two had never met before!

Do your CISO and physical security director know each other?

Another story from Steve Hunt:

One U.S. company spent $35 million on physical security upgrades after 9/11, and $4 million on IT security upgrades. [Then the company] failed their Sarbanes-Oxley audit because of poor security. How? Visitors were given a badge for the day, but they could still walk unescorted past cubicles with unattended computers logged into financial systems. At that moment the audit[or] no longer had confidence in the integrity of the [company's financial system].

Are your agency financial auditors going beyond "FISMA compliance" to look at the security controls that protect integrity of financial records and transactions? Do you hope they never do?


COMMENTS

  • Hello Andy,

    Mandates without funding are the biggest problems here. HSPD-12 was thrown at the agencies without a dime of budget. I remember speaking with the DOE about this issue 3 years ago and they were concerned that something of this magnitude would cost $250,000,000 and they did not have one ounce of budget to accommodate the directive.

