Risk management gaining ground

Agencies, auditors trying to reduce vulnerabilities

By Jason Miller
Executive Editor
FederalNewsRadio

WILLIAMSBURG, Va. — The federal government is slowly coming to understand what it means to manage the risk of its technology systems.

From the legislative update of the Federal Information Security Management Act to the expectations of federal auditors, risk management is a growing approach across government.

“The threats are substantial and the impact is real, but our job is to deal with the vulnerabilities,” says Alan Paller, director of research for the SANS Institute. “There are some essential things we need to do to secure our systems.”

Paller, who moderated a risk management session at IAC’s 19th annual Executive Leadership Conference, says the goal is to recognize and block all known vulnerabilities in agency IT systems, and that doing so would make a big difference.

He adds that agencies are coming under budget pressure to prioritize how they fix their systems. But they also are confused by National Institute of Standards and Technology guidance that offers recommendations but not mandatory steps.

Add to that the fact that federal auditors from the inspector general offices and the Government Accountability Office don’t agree on what risk is acceptable or how to measure how effective risk management is.

“We need to accept the notion of intelligent risk management,” says Greg Friedman, the Energy Department’s IG. “If oversight becomes such a blanket, we will push the government backwards.”

Friedman says IGs must deal with a number of challenges, including the continuous environment the government operates in, and the sometimes disparate needs of the executive and legislative branches.

“We have become risk averse and that will not help anyone,” he says. “We need to create an environment that promotes innovation. If you are risk averse, you will not innovate.”

Cathleen Berrick, director of GAO’s Homeland Security and Justice issues, says lawmakers are including risk management and mitigation in their requests. And many agencies have trouble managing risk.

GAO offers help to agencies to improve how they manage risk.

Berrick says GAO published a risk management framework detailing five steps:

  1. Setting strategic goals and objectives, and determining constraints
  2. Assessing risks
  3. Evaluating alternatives for addressing these risks
  4. Selecting the appropriate alternatives
  5. Implementing the alternatives and monitoring the progress made and results achieved.

It also works as a consultant to agencies to help them manage risk of projects. Berrick says GAO has been helping the Homeland Security Department on its Secure Flight program and the IRS on its Business Systems Modernization project.

“GAO looked at the IRS’s efforts and risk management was not applied across the project,” she says.

Berrick adds that GAO also created an internal community of interest to share risk management best practices across its different practices.

Paller says the realization by IGs, GAO and even lawmakers that risk management is important shows up in the FISMA legislation update.

The bill calls for agencies to use attack-based metrics, continuously monitor their systems, and buy hardware and software with security built in.

On the Web:

FederalNewsRadio – Ask the CFO-Enterprise Risk Management

Government Accountability Office – Strengthening the Use of Risk Management Principles in Homeland Security (pdf)

Government Accountability Office – Applying Risk Management Principles to Guide Federal Investments (pdf)

(Copyright 2008 by FederalNewsRadio.com. All Rights Reserved.)
