In a world of worms, viruses and the threat of cyber-terrorism, government departments and agencies are increasingly under the public microscope to ensure network information is secure. Information security is no longer optional. Or is it?

Despite legislation and heightened awareness of the negative impact of network breaches, many government organizations still lag behind in efforts to protect their networks — and comply with regulations. In the fourth annual “Report Card on Computer Security at Federal Departments and Agencies,” released earlier this year, government organizations did not fare well when it came to network security, averaging 65 percent (or a D grade level) for fiscal 2003.

Although marginally improved over past years, there is still much work to be done: in both 2001 and 2002, the overall grade was an F (53 percent and 55 percent respectively). Part of the problem can be attributed to the government's long-established practice of taking a reactive approach to network security.

Typical reactive technologies include firewalls, intrusion detection systems (IDS) and anti-virus tools. While they are necessary layers of security, they are not sufficient to secure today's networks.

In addition to containing damage once an attack occurs, organizations must be proactive in reducing or eliminating the risk of attack in the first place. To use an analogy: Waiting for a fire to start before taking action is nearly always too late.

Fortunately, laws such as the Federal Information Security Management Act (FISMA) passed in 2002 have further pushed information security to the forefront. Credited with making government agencies mindful of security vulnerabilities and their root causes, FISMA regulations provide specific policy guidelines and reporting instructions to ensure that all federal departments and agencies take a “risk-based, cost-effective approach to securing their information and systems, identifying and resolving current IT security weaknesses and risks, as well as protecting against future risk.”

Additionally, FISMA expanded and strengthened the information security evaluation and reporting requirements enacted in 2001 under the Government Information Security Reform Act. Under FISMA, agencies must demonstrate progress in areas such as risk management and contingency and continuity procedures to ensure their mission-critical and general support systems are protected. FISMA also requires annual IT security reviews, reporting and remediation planning for systems at all stages of the systems development life cycle.

To meet compliance requirements of FISMA, federal agencies must have systems that enable them to identify vulnerabilities and determine the impact those vulnerabilities will have on overall network security. In the process, organizations can effectively assess the risk of attack. Federal agencies also need systems that enable them to meet stringent FISMA reporting requirements.

Compliance with FISMA is a matter of national security, and as a result, it is the focus of continuous scrutiny at the highest levels of government. Federal departments and agencies, as well as organizations that work with federal information systems, need to adopt and refine information security management processes that ensure up-to-date and comprehensive risk assessments, measurable response management and detailed compliance reporting — all in a cost-effective and timely manner.

Technologies are available to enable organizations to address regulatory compliance issues. For instance, vulnerability management systems can help government agencies and departments automate many of the steps in the FISMA compliance process.

Complete lifecycle vulnerability management systems can conduct accurate and thorough assessments of potential risks and vulnerabilities to information systems on a continuous basis and manage the process of eliminating those risks.

Data captured from these risk assessments can then easily be turned into compliance reports. By helping organizations identify vulnerabilities and take the steps necessary to resolve them, vulnerability management reduces the number of targets an attacker can exploit in a network. Unlike perimeter defense security solutions that focus on threats, vulnerability management systems harden the targets. In the fire safety analogy, it is the equivalent of making a building fire-resistant.

Abe Kleinfeld is president and CEO of nCircle, a San Francisco-based provider of enterprise-class vulnerability management solutions. He can be reached at abe@ncircle.com