Exploring the Relationship Between Strong IT Controls and DoD Agency Performance

By Paul Parker, SolarWinds Federal & National Government Chief Technologist

There is so much involved in improving agency performance that it can be difficult to pinpoint one thing—to make one recommendation—as a starting point toward performance enhancement.

That said, technology plays an enormous role, according to the 2017 SolarWinds Federal Cybersecurity Survey of 200 federal government IT decision makers and influencers. The results indicate that government agencies perform their missions more adeptly when they incorporate strong IT controls into their business processes.

Managing Risk

According to the survey, nearly 80% of respondents describe their agency’s ability to provide managers and auditors with evidence of appropriate IT controls as good or excellent. Additionally, well more than half of respondents say they have updated policies, procedures, and technology, and that reports are generated on a regular basis. That’s good news.

It turns out that being able to provide evidence of IT controls is a strong contributing factor to managing risk, which improves performance.

The study identified several other factors that contributed to an agency’s ability to manage risk. Respondents who rated their agency’s ability to provide evidence of IT controls as “excellent” noted that the following helped contribute to their agency’s success in managing risk:

IT modernization (61%)

Tools to monitor and report risk (57%)

Network optimization (54%)

Data center optimization (48%)

Interestingly, significantly more defense than civilian respondents indicate IT modernization contributed to successfully managing risk—51% versus 37%.

In terms of the role regulations and mandates play in managing risk, more than half of respondents that indicate regulations helped with that effort cite both the Risk Management Framework and the NIST Framework for Improving Critical Infrastructure Cybersecurity as a positive contributing factor.

Enhanced Security

The presence of strong IT controls can also help federal IT pros more quickly identify security events and enhance network and application security—again, helping to improve performance.

According to the survey, of those respondents that described their agency’s ability to provide managers and auditors with evidence of appropriate IT controls as “excellent,” 59% are able to identify rogue devices on the network and inappropriate internet access by insiders within minutes. More than half are able to identify distributed denial of service attacks or a misuse/abuse of credentials within the same short timeframe.

A significantly greater number of respondents from DoD agencies—versus civilian agencies—said their agency can detect a misuse/abuse of credentials within minutes.

Finally, 61% of those respondents that describe their agency’s ability to provide managers and auditors with evidence of appropriate IT controls as “excellent” rate the effectiveness of endpoint security software and network access control (NAC) solutions as “high.” Respondents describing their agency’s IT controls as good or poor reported these solutions as far less effective.

Other tools that federal IT pros from agencies with “excellent” IT controls identified as highly effective were:

Configuration management software (57%)

Web application security tools (56%)

Patch management software (54%)

File integrity monitoring software (52%)

SIEM software (52%)

Conclusion

The majority of DoD respondents credited IT tools that enabled them to monitor and report risk for improving how they managed and mitigated security threats. Three-fourths of respondents said federal agencies are more proactive today than five years ago concerning IT security—including an ability today to detect rogue devices on government networks within minutes.

While it can be difficult to pinpoint one thing that can help enhance agency performance, having strong IT controls and monitoring tools is certainly a great place to start.

Find the full article on SIGNAL.

7 Comments
Level 14

Thanks....interesting stats!

Level 13

Thanks for this.

Interesting stats reported here. 

One continues to imagine the groups/individuals/companies that profit from selling new tech and new detection and reporting solutions could be associated with released hacks and vulnerabilities that exploit systems and users, which drives a need for new tech and new detection & reporting solutions . . .  etc., etc. . . .

"Quis custodiet ipsos custodes":  Quis custodiet ipsos custodes? - Wikipedia

MVP

Nice write up

Level 15

Interesting article. This matches with the same concepts that our ISO has been working with our Team for the past 3 years. We are making improvements in our systems, and our biggest failing is not having everything documented.

Thanks!

Level 20

It's all about managing risk and RMF - Risk Management Framework is the solution in the DoD space today... NISPOM is done and buried now today.  All new information systems go through RMF process and are required to going forward.  I have to admit security is better and more solid now than ever before.  It really does work but the downside is much more documentation, continuous monitoring, and frankly work.

MVP

When new controls are put into place so often there is pushback, but when they are properly implemented they do make an environment more productive. The key seems to get the team that will work with it to be on board and a part of the planning and implementation.

About the Author
Paul Parker is a 25-year information technology industry veteran and expert in government. He leads SolarWinds’ efforts to help public sector customers manage the security and performance of their systems by using technology. Parker most recently served as vice president of engineering at Infoblox’s federal division. Before that, he served in C-level or senior management positions at Ward Solutions, Eagle Alliance and Dynamics Research Corp.