The U.S. State Department is responsible for protecting computer networks for 400 U.S. embassies and offices across 24 time zones. To help protect these networks the State Department pioneered a risk scoring program to make it easier for managers to identify trouble spots, prioritize them, and resolve issues more quickly.
The program relies on continuous risk monitoring and threat-based response and has proven to be so effective that the program has become a model for more than 100 state agencies and many commercial organizations.[ Also Read: How to Use E-Governance to Deal with Corruption ]
The security program scans every computer, every three to four days, to detect security vulnerabilities and weak configurations, ensures the most important problems are fixed first and publishes monthly grades that celebrates the success of the units doing the best job of protecting their computers.
“We know anywhere in the world what our risk is,” says John Streufert, deputy CIO and chief information security officer of the department.[ Also Read: Keep Your Friends Close and CIOs Closer ]
The SANS Institute announced Monday that the U.S. Department of State Office of the Chief Information Officer has won the 2011 U.S. National Cybersecurity Innovation Award for improving the effectiveness of the nation’s cyber security for creating, deploying and sharing the Department of State’s risk scoring program.[ Also Read: “Google Cannot Meet Security Promises” ]
It continuously monitors more than 100,000 systems for vulnerabilities and provides daily prioritized security action plans for every Department of State system administrator in the U.S. and in more than 200 countries.
In the program’s first year, the number of security gaps detected fell about 90% and most embassies and offices were receiving A and B grades. The uniqueness of the program is its market-based approach creating incentives for fixing security gaps.[ Also Read: Cyber Education Programs for K-12 Schools ]
It quantifies a range of security risks and “monetizes” them into a “common currency” that assigns the most points to the highest priority security gaps. The point system helps to identify which gaps to repair first, allowing security managers to quickly fix the gaps responsible for the greatest impact on their office or embassy’s overall grade.[ Also Read: Facebook Users to Enjoy Websense Security ]
Each embassy or office is evaluated on its ability to mitigate those risks, and its performance is made public for the rest of the department to see. When a critical vulnerability arises, the scoring system provides a laser-like focus on correcting that problem first, resulting in the vast majority of State Department computers being protected long before the computers of other departments, says SANS Institute.[ Also Read: Knowledge Stories for Children ]
The U.S. Department of State Office of the Chief Information Officer wins the 2011 National Cybersecurity Innovation Award for eliminating security weaknesses that allow targeted cyber-attacks to succeed and for their ability to reduce risk, and quickly and effectively respond to new threats.
The SANS Institute was established in 1989 as a cooperative research and education organization. It is a source for information security training and security certification.
In the picture above: John Streufert, U.S. Department of State, receives a National Cybersecurity Innovation Award with White House Cyber Coordinator, Howard Schmidt, at the National Cybersecurity Innovation Conference in Washington, DC.