Federal Information Security - PowerPoint PPT Presentation

Slides: 10
Provided by: dho56
Transcript and Presenter's Notes

1
Federal Information Security Management Act
Computer Security Audits Advisory Board (ISPAB)
PCIE Roundtable Meeting, February 2004
Rebecca C. Leng, CPA, CISA
Deputy Assistant Inspector General for Information Technology and Computer Security
Department of Transportation
2
INTRODUCTION
  • DOT Computer Systems Portfolio
  • DOT Computer Security Status
  • DOT/OIG Audit Approach
  • DOT/OIG Audit Report Focuses
  • Information Security and Privacy Advisory Board (ISPAB)

3
DOT COMPUTER SYSTEMS PORTFOLIO
DOT is responsible for one of the largest IT investment portfolios among civilian agencies, which includes safety-sensitive air traffic control systems, as well as financial systems used to disburse over $30 billion of Federal grants annually.
(Source: OMB's FY 2002 Report to Congress on Federal Government Information Security Reform)
4
DOT COMPUTER SECURITY STATUS
  • Good Strides Made
    • Appointed a CIO and increased the CIO's influence.
    • Enhanced defense against intrusions from the Internet and reduced web vulnerabilities.
    • Developed a more reliable systems inventory.
  • Still A Long Way to Go
    • Reported the information security program as a material weakness in the FMFIA report. Only 33 percent of DOT systems had completed security certification reviews as of September 2003.
    • Continue experiencing problems with unauthorized network connections and inadequate background checks on key personnel.

5
DOT/OIG AUDIT APPROACH
  • Follow GAO's audit methodology (FISCAM) and NIST standards in doing computer security audits throughout the year.
  • Use OIG staff to review operational systems security, such as air traffic control systems.
  • Use contractors to review financial management systems security to support CFO audits.
  • In May, assess needs for performing additional work to meet OMB reporting requirements.

6
DOT/OIG AUDIT REPORT FOCUS
  • Annual computer security reports contain two parts.
    • The report reflects cumulative results of OIG work for the whole year and is written in plain English, with a focus on:
      • Management Controls: e.g., CIO authority, oversight, other important E-Government initiatives such as IT investment controls, etc.
      • Network Security: keeping outsiders out
      • Systems Security: securing individual systems internally
      • Issues requiring special attention (can be different every year: e.g., personnel security, web security, contingency planning, etc.)
    • The attachment answers OMB questions.

7
INFORMATION SECURITY AND PRIVACY ADVISORY BOARD
(ISPAB)
  • Authorization
    • Established by the Computer Security Act of 1987
    • Reauthorized by the Federal Information Security Management Act of 2002
  • Purpose: to advise the Institute (NIST) and the Director of the Office of Management and Budget on information security and privacy issues pertaining to Federal Government information systems, including through review of proposed standards and guidelines.
  • ISPAB (http://csrc.nist.gov/ispab) is a Federal advisory committee whose meetings are open to the public.

8
INFORMATION SECURITY AND PRIVACY ADVISORY BOARD
(ISPAB)
  • Members appointed by the Director of NIST for four-year terms
    • Four members from the information technology industry.
    • Four members from the information technology industry, or related disciplines, but not employed by or a representative of a producer of information equipment.
    • Four members from the Federal government who have information system management experience (currently represented by NSA, DHS, VA, and DOT).
  • IG Community Representation
    • 2003-2007: Rebecca Leng, Deputy AIG, Department of Transportation
    • 1996-1999: John Layton, IG, Department of Energy
    • 1989-1994: Bill Colvin, IG, National Aeronautics and Space Administration

9
  • U.S. DEPARTMENT OF TRANSPORTATION
  • OFFICE OF INSPECTOR GENERAL
  • REBECCA C. LENG, CPA, CISA
  • DEPUTY ASSISTANT INSPECTOR GENERAL FOR IT AND COMPUTER SECURITY
  • NASSIF BLDG., ROOM 9228
  • 400 SEVENTH STREET, S.W., WASHINGTON, DC 20590-0001
  • TEL: (202) 366-1488
  • FAX: (202) 366-3530
  • E-MAIL: rebecca.c.leng@oig.dot.gov