Monday, February 29, 2016
A holistic perspective through which agencies govern their IT operations, based on sound IT risk management and addressing security and privacy concerns, will enhance agency effectiveness in implementing security and privacy across the enterprise.

Today, more than ever, with the increasing number of cybersecurity attacks on government organizations and the threat of data breaches exposing the private information of government officials, their staffs, and government contractor staffs, strong IT Governance based on sound IT risk management is critical to restoring confidence in the security and privacy protections provided by our Federal Government. This is no longer purely an IT technology issue but one that must be addressed at the top layers of government – from the “overseers” of IT policy (e.g., Office of Management and Budget (OMB), National Institute of Standards and Technology (NIST), National Security Agency, etc.) to the auditors (e.g., Government Accountability Office, agency Inspectors General, independent assessors, etc.) to the heads of Departments/Agencies and their top-level senior executives (i.e., the C-Suite of government organizations).

Government stakeholders need assurance that this is being done to protect the security of key government systems (e.g., our military systems, tax systems, payment and entitlement systems, critical infrastructure systems, etc.) and to protect the privacy of information held by the government (e.g., healthcare and financial data, which are currently prime targets for malicious actors). To do this, a holistic approach is needed that embodies IT Governance, Security, and Privacy based on IT Risk Management – all working in concert and all essential for success. The government currently has many of these policies laid out in separate documents, several of which are identified below; the key to moving forward is a framework that integrates these policies within an overall enterprise governance approach.

Enterprise Government and IT Governance

Each of these essential elements is briefly described below.

IT Governance – provides the consistency, processes, standards, and repeatability needed for effective IT operations at the lowest possible cost within compliance requirements. IT Governance must be part of Enterprise Governance, a discipline that addresses all stakeholder needs, conditions, and options to ensure they are evaluated for determining balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.[1] Enterprises have many stakeholders, and ‘creating value’ means different—and sometimes conflicting—things to each of them. Governance is about negotiating and deciding amongst different stakeholders’ value interests. Consequently, the governance system should consider all stakeholders when making benefit, risk, and resource assessment decisions for IT operations. Stronger IT Governance improves the effectiveness of security and privacy controls. In fact, on October 21, 2008, OMB Memorandum M-09-02 required that each agency have in place an Information Technology Management Structure and Governance Framework, so not only is it the right thing to do, but it is backed by an OMB mandate.

IT Risk Management – identifies the alignment of critical business processes with the technology systems that support them. IT Risk Management serves to focus IT Governance and security and privacy investments on the areas contributing most to mission success. IT Risk Management must be part of Enterprise Risk Management (ERM), a discipline that addresses the full spectrum of an organization’s risks, including challenges and opportunities, and integrates them into an enterprise-wide, strategically aligned portfolio view. ERM contributes to improved decision making and supports the achievement of an organization’s mission, goals, and objectives.[2] NIST Special Publication (SP) 800-37, Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, is a Joint Task Force Transformation Initiative developed by an Interagency Working Group with representatives from the Civil, Defense, and Intelligence Communities in an ongoing effort to produce a unified information security framework for the federal government. This guide transforms the traditional Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF).

Information Security – a program managed by the Department/Agency Chief Information Security Officer (CISO) according to Federal laws and directives such as the Federal Information Security Modernization Act (FISMA), OMB directives and memorandums, and NIST standards and special publications. Information security encompasses efforts to protect data and information systems from inappropriate access, manipulation, modification, and destruction. NIST’s Framework for Improving Critical Infrastructure Cybersecurity focuses on using business drivers to guide cybersecurity activities while treating cybersecurity risks as part of the organization’s risk management processes, and it includes the technology, processes, policies, and people specified under the families of controls outlined in NIST SP 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations. NIST SP 800-53r4 was also issued by an interagency working group with representatives from the Civil, Defense, and Intelligence Communities. For the information security program to achieve an acceptable level of risk to operate, IT Governance must have reached a minimal level of maturity.

Privacy – within a secure enterprise, privacy controls allow only properly designated personnel to access information governed under privacy laws, and they encompass efforts to protect an individual’s ability to determine how their personal information is collected, used, stored, and disclosed. Information security and IT Governance directly affect the success of a privacy program. Privacy cannot exist without information security. Privacy must be considered in all information security programs: the NIST Cybersecurity Framework includes a “Methodology to Protect Privacy and Civil Liberties” (Section 3.5), which specifically addresses the individual privacy and civil liberty implications that may result from cybersecurity operations. NIST SP 800-53r4 includes “Appendix J, Privacy Control Catalog: Privacy Controls, Enhancements, and Supplemental Guidance”, which provides a structured set of controls for protecting privacy and serves as a roadmap for organizations to use in identifying and implementing privacy controls across the entire life cycle of Personally Identifiable Information (PII), whether in paper or electronic form. Finally, privacy must be part of the organization’s IT Governance program to ensure that it is adequately addressed in all discussions where PII is involved.

Read my second blog on this topic.


[1] COBIT5®, ISACA, 2012

[2] Improving Government Decision Making through Enterprise Risk Management, IBM Center for The Business of Government, Douglas W. Webster and Thomas Stanton, 2015.
