[ISN] GAO calls for security strategy

[InfoSec News]

http://www.fcw.com/fcw/articles/2005/0103/web-facilities-01-07-05.asp

By Dibya Sarkar 
Jan. 7, 2005

Congressional auditors say a federal interagency committee in charge 
of coordinating the protection of government facilities needs a 
strategic plan for identifying priorities and implementing security 
measures, including leveraging technology.

Such a plan would help the Interagency Security Committee (ISC) gain 
greater support within the federal government, provide detailed 
information on its needs, establish performance measures and propose 
strategies for challenges it faces, according to a recent report 
released Jan. 6 by the Government Accountability Office. [1]

Those challenges include getting officials at agencies to agree to a 
governmentwide risk management process for assessing facilities, 
developing a compliance process so agencies can measure progress, 
educating senior-level staff about ISC and integrating physical 
security initiatives for the entire federal government and 
implementing change, the report states. The committee also needs more 
financial resources and greater staffing, according to the report.

ISC officials have made some progress, especially in the past two 
years. They include issuing some security standards and guidance for 
agencies, developing a Web site for posting policies and guidance, 
developing a secure Web portal for members to exchange information, 
and creating standard operating procedures to improve the quality of 
information sharing. But they need to do more.

The report identifies several major practices that could provide a 
framework for agencies' initiatives. They include using a risk 
management approach, information sharing, performance measurement and 
testing, aligning assets to an agency's mission, strategic workforce 
management, and using technology.

The report states that GAO officials, inspectors general, facility 
security experts and agency officials agreed that security technology 
is crucial. But any technology should be carefully analyzed to 
determine whether the benefits outweigh the costs and effects on 
privacy and convenience. 

Some advanced technologies identified include smart cards and 
biometrics, detection and surveillance systems, X-ray scanners, and 
metal detectors. But sometimes other solutions, such as using trained 
dogs, may be more effective and less costly, the report states.

"It is important to note that focusing on obtaining and implementing 
the latest technology is not necessarily a key practice by itself," 
according to the report. "Instead, having an approach that allows for 
cost-effectively leveraging technology to supplement and reinforce 
other measures would represent an advanced security approach in this 
area."

ISC was formed after the 1995 Oklahoma City bombing to develop 
policies and standards, ensure compliance, oversee implementation, and 
share information. In 2003, the Homeland Security Department assumed 
responsibility of the committee from the General Services 
Administration.

ISC was designated last year to oversee agencies' physical security 
plans related to Homeland Security Presidential Directive-7, which 
requires agency officials to identify critical infrastructures and 
develop plans for prioritization, protection, recovery and 
reconstitution of systems or resources.

According to the report, DHS officials agreed with the overall 
conclusions and would implement GAO's recommendations.
 
[1] http://www.gao.gov/new.items/d0549.pdf