By Mission Assurance Division, Information Resources
In the January/February issue of The Financial Connection, then-Commissioner Judith Tillman listed one of FMS’s overarching priorities as to “maintain strong security to include security of people, data, dollars, and physical locations.”
That’s not just lip service with trendy buzz words; it’s a clear commitment by FMS to its customers to build secure systems. FMS commits fully to crafting policy that is responsive to both business needs and security concerns. That commitment is evidenced in the FMS governance process and delivered applications; is demonstrated in the constraints and opportunities of software development; and starts with a thoughtful, disciplined, holistic process for developing security policy.
Before delving a bit into the FMS process for security policy development, it’s important to recognize several other significant efforts that reflect the various ways that FMS secures the data stored and the applications built, to include the disciplined governance process and a new library of re-usable Java code.
The FMS governance process has evolved nicely over recent years and now represents a thoughtful, thorough, disciplined mechanism that carefully watches for smart use of taxpayer dollars, efficiency of projects, assurance that all the right bases are touched as a project progresses, and that security is “baked into” the FMS governance process. Here is a brief overview of key components of the process:
• The Executive Board consists of the Commissioner, Deputy Commissioner, and all Assistant Commissioners (security is a constant focus);
• The Division Information Officer Council (DIOC) consists of the Chief and Deputy Chief Information Officers (CIO and DCIO) and the Division Information Officers from each of the Assistant Commissioner Areas (“operating centers” or “business lines”) and focuses generally on FMS investments, business line architecture, and policy, including security-related details and governance, Technical Reference Model compliance, software development methodology, and risk management. The DIOC has a DIO Policy Subcommittee that focuses on policy development (more on this subcommittee subsequently);
• The Architecture Review Board (ARB) consists of the Deputy CIO, Chief Architect, and the Division Information Officers, and focuses generally on defining and enforcing both enterprise architecture and individual program architectures, considering such security-related details as the technical architecture, application interfaces, telecommunications impact analysis, and a security impact analysis;
• The Entity-wide Configuration Control Board (ECCB) assesses the readiness of new releases of applications and infrastructures, to include security, Certification and Accreditation (C&A), and Help Desk readiness;
• C&A, Federal Information System Management Act (FISMA) reporting, and various third-party audits all help to ensure sufficiently robust controls in FMS systems;
• The Java Code Library is a new mechanism that allows developers to search for and re-use code prior to beginning a development cycle; it stores code, supporting documentation, and testing artifacts for re-use of “tried and true”, vetted components.
At FMS, the establishment of security policy is accomplished by the DIO Policy Subcommittee, which pulls membership from all business areas, with subject matter experts brought in to review and advise as needed. This broad participation helps to ensure that all business, risk, and strategic considerations are “baked in” from the start. The wide spectrum of opinion and perspective helps to craft a policy that is both responsive to business needs and relevant mandates, but also adequately addresses real world threats.
Resultant policy benefits greatly from the wide and diverse range of business perspective and technical subject matter expertise brought by the various Subcommittee members and invited guest contributors. The value of having this vitally important group populated from business areas across the agency, as well as subject matter experts from such areas as Threat Management, Platform Engineering, Mission Assurance, and Network/Telecommunications Engineering, cannot be overstated: it is this wide and broad collective perspective that helps to ensure properly focused, sufficiently robust policy that enables successful solutions that address the core FMS and agency business needs.
Whether the DIO Policy Subcommittee incorporates mandates and guidance from Treasury, the National Institute of Standards and Technology (NIST), or other government authorities, addresses changing real-world threats, or defines/refines policy to better meet business needs, its formulation of security policy ensures a comprehensive security program throughout FMS and throughout the applications that FMS builds and maintains for our customers’ use.
When we speak of “policy”, we are actually referring to three types of documents: policy, standards, and procedures. The FMS Entity-wide Information Technology (IT) Security Policy Manual provides the high-level core principles that establish the foundation for the FMS IT Security Program. The FMS IT Security Standards Manual provides additional guidance for implementing the policies. Standards are mandatory and serve as the basis for the development and implementation of IT security procedures. Procedures document the activities and tasks developed to execute the standards and the assignment of the responsibilities at the individual level.
It is likely that in the near future, FMS will take a new look at the policies related to Public Key Infrastructure (PKI), multi-factor authentication, and identity management federation. Mandates such as these may require new or modified policy, and that, of course, may spawn new standards and procedures as well. It looks like the DIO Policy Subcommittee may be busy for some time to come enhancing data security for FMS, other federal agencies, citizens, financial institutions and other customers.