Agency improves security grades under CISO's watch
CISO Philip Heneghan has made security a way of life for the U.S. Agency for International Development (USAID). His work earned him a Security 7 award.
Security 7 award winner Philip Heneghan
Every morning when 8,000 employees from 80 different countries log on to their computers, a security fact pops up on their screen. Employees of the U.S. Agency for International Development (USAID) must read it and answer the subsequent quiz before they can launch any of their applications.
This security awareness program is just one example of how CISO Philip Heneghan has made security a way of life for the agency, which on the eve of his arrival received an F on its 2002 Federal Information Security Management Act (FISMA) report card. "It certainly couldn't get any worse," laughs Heneghan. "But it made it an easier sell that we needed to change." The agency has received an A+ for the past two years, with a perfect score in 2005.
That's quite an accomplishment, particularly given the vast scope of USAID's mission and IT infrastructure. The agency supports economic development and provides humanitarian assistance and aid to such dangerous and remote places as Sierra Leone, Sudan, Afghanistan, Iraq, Haiti and Mongolia. As a result, the agency relies on connectivity from 55 Internet service providers, manages more than 16,000 network devices, 100 firewalls, 300 routers, and a slew of heterogeneous applications.
But Heneghan had a mission of his own: hold the government agency's business owners accountable for risk and provide them with metrics on which to base their decisions. Before Heneghan joined the organization, the security team worked in a vacuum. It was solely responsible for security fixes, but had no communication with other parts of the organization. What's more, the insular security team had little desire to let outsiders meddle with technical security affairs.
That's all changed under Heneghan's watch. He dismantled the agency's organizational silos and issued monthly vulnerability and risk report cards to the CFO, the head of human resources, country managers and other key executives. "There was a 75 percent reduction of the vulnerabilities in six months. The executives had not known there was a problem," says George Moore, deputy information security systems officer for USAID.
Heneghan also changed the accreditation process. While he committed to certifying systems, he put the onus on the business owners to accept or mitigate the risk associated with data in their departments. Soon, they were engaged in OS and database security, says Heneghan, who is now acting CIO for the agency. "He emphasized measurement and processes, and the outcome speaks for itself," says John Streufert, CISO for the U.S. State Department.
But it was easier said than done. Heneghan first needed to build up the security infrastructure so he could capture and present the correct data to the business executives in a way they could understand. To that end, Heneghan and his team brought in host and network IDSes, a vulnerability management system, and a SIM to collect and aggregate the data. In the end, USAID became the first government agency to roll out a security risk analysis solution that could prioritize vulnerabilities based on business risk--even if those risks were being assessed remotely.
"We needed all that data to make an informed risk management decision," says Bill Geimer, program manager for Open System Sciences at USAID. "[In the past] we would do vulnerability scans once every six months and it was a struggle to get any vulnerabilities fixed. At the time we really had a limited understanding of the technical risk we had accepted. Now we scan all network systems every two to three days."
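The article describes the mechanism but not its internals: scan findings from many systems are scored by business risk and rolled up into per-owner report cards so that executives can see, month over month, what they own and what has been fixed. The Python below is an added illustration of that process, not USAID's own tooling or code. The scoring weights (scanner severity times asset criticality, doubled for Internet-facing hosts), the owner names, hostnames and finding identifiers are all constructed for the example.

```python
"""
Risk-weighted vulnerability report card.

Added illustration, not USAID code: ranks scan findings by business risk
(severity weighted by how critical the affected system is) and rolls them
up into a per-business-owner report card of the kind the article describes.
All hosts, owners, finding IDs and weights below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical business-criticality weights for an asset (1 = low, 3 = high).
CRITICALITY = {"low": 1, "medium": 2, "high": 3}

# Hypothetical severity weights as a scanner might report them (1 = low, 4 = critical).
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    host: str            # constructed hostname
    owner: str           # business owner accountable for the system (constructed)
    asset_crit: str      # "low" | "medium" | "high"
    severity: str        # "low" | "medium" | "high" | "critical"
    internet_facing: bool
    finding_id: str      # constructed scanner finding identifier


def risk_score(f: Finding) -> int:
    """Business-risk score: severity x asset criticality, doubled if reachable from the Internet."""
    base = SEVERITY[f.severity] * CRITICALITY[f.asset_crit]
    return base * 2 if f.internet_facing else base


def prioritize(findings):
    """Return findings sorted by descending risk score; ties broken by host and id for stable output."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.host, f.finding_id))


def report_card(findings):
    """Roll findings up per business owner: open count, total risk and the worst single item."""
    card = defaultdict(lambda: {"open": 0, "total_risk": 0, "top_risk": 0})
    for f in findings:
        entry = card[f.owner]
        s = risk_score(f)
        entry["open"] += 1
        entry["total_risk"] += s
        entry["top_risk"] = max(entry["top_risk"], s)
    return dict(card)


def percent_reduction(before: int, after: int) -> float:
    """Month-over-month reduction in open findings as a percentage (0.0 when nothing was open before)."""
    if before == 0:
        return 0.0
    return round((before - after) / before * 100, 1)


# Constructed sample data: two scan cycles covering the same three owners.
LAST_MONTH = [
    Finding("fin-db-01", "CFO", "high", "critical", False, "F-1001"),
    Finding("fin-db-01", "CFO", "high", "high", False, "F-1002"),
    Finding("fin-web-01", "CFO", "medium", "medium", True, "F-1003"),
    Finding("hr-app-01", "HR", "medium", "high", False, "F-1004"),
    Finding("hr-app-01", "HR", "medium", "low", False, "F-1005"),
    Finding("mission-ke-01", "Kenya mission", "low", "critical", True, "F-1006"),
    Finding("mission-ke-02", "Kenya mission", "low", "low", False, "F-1007"),
    Finding("mission-ke-02", "Kenya mission", "low", "medium", False, "F-1008"),
]
THIS_MONTH = [
    Finding("fin-web-01", "CFO", "medium", "medium", True, "F-1003"),
    Finding("mission-ke-02", "Kenya mission", "low", "low", False, "F-1007"),
]

if __name__ == "__main__":
    print("Highest-risk open findings this month:")
    for f in prioritize(THIS_MONTH):
        print(f"  {risk_score(f):>3}  {f.owner:<14} {f.host:<14} {f.severity:<8} {f.finding_id}")
    before, after = report_card(LAST_MONTH), report_card(THIS_MONTH)
    print("\nOwner report card (open findings, last month -> this month):")
    for owner in sorted(before):
        b = before[owner]["open"]
        a = after.get(owner, {"open": 0})["open"]
        print(f"  {owner:<14} {b:>3} -> {a:<3} ({percent_reduction(b, a)}% reduction)")
```

The point of the weighting is the one the article makes: a critical finding on a low-value, isolated host ranks below a medium one on an Internet-facing system in a critical department, so the report card tells each owner what to fix first rather than listing raw scanner output. Owners who have cleared everything drop off the card entirely, which is what makes a month-over-month comparison readable at executive level.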
That monitoring capability came into play in December 2004 when the tsunami struck Southeast Asia, killing more than 200,000 and displacing close to 2 million people. USAID needed to establish a presence in the region immediately. Since much of the region was devastated and the traditional method of setting up networks was not feasible, Heneghan's security team needed to closely monitor the risk to systems.
"The networks established were in violation of all the rules. But as long as we could monitor the risk, we could get it under control. By February we were able to get the risk into acceptable limits," says Heneghan.
"I feel like we are always raising the bar," says Geimer. "Phil is unyielding--sort of a patriot making a difference."
This story was originally published by Information Security Magazine, part of the TechTarget network.