EPA IT Security Creates a Can-Do MilieuInterview with Johnny E. Davis Jr., Senior Information Security Officer
In addition to its core oversight and compliance responsibilities, the program manages the agency's Computer Security Incident Response Capability, which supports proactively and reactively services associated with incident management life cycle that includes, but not limited to, patch and vulnerability management. Both major components are supported by the information security awareness, training and education activities that focus on maintaining compliance and effectiveness of Agency security practitioners and those with significant information security responsibilities.
Johnny E. Davis Jr., senior information security officer and acting director of EPA's Office of Technology Operations and Planning, answered by e-mail questions about the agency's IT security operation by GovInfoSecurity.com.
GovInfoSecurity.com: What are the primary information security challenges you face at the EPA, and how are you trying to resolve them?
Davis: The most significant challenge for the information security program is the need to mature the program from a compliance-centric focus to a resiliency-based program that truly protects our information and infrastructure assets with the mission in mind.
To begin overcoming this challenge, the agency has conducted a program appraisal to review the general practices and specific practices that are most important to facilitating the development of a transformation strategy. The effective socialization of this strategy throughout the business areas of the agency will be critical to establishing a focused information security governance board that begins to view and promulgate the information security program as the "Yes, if..." partners as opposed to the "No" group. When information security begins to be understood and appreciated beyond the value of a letter grade or a scorecard color, agency security postures across government will become more effective against today's and tomorrow's threats.
GovInfoSecurity.com: From your perspective, what elements of the Federal Information Security Management Act and Office of Management and Bbudget governance should be changed to help agencies better secure IT?
Davis: FISMA, OMB and the National Institute of Standards and Technology have established a sound foundation toward our ability to secure information and information technology. Moving forward, additional emphasis on business, program and operational metrics that measure the effectiveness of information security activities will provide a better assessment of our security posture while providing a more concrete road map forward.
Additionally, focus should be shifted from system-centric security to data-centric security within the continuance of layered security models. Groups such as the Information Security Identity Management Committee of the CIO Council are already making great progress with these and other optimization initiatives. We need to continue to consolidate our talent, ideas and initiatives to ensure the future Cyber Strategy's ability to move us ahead of tomorrow's threats and risks.
GovInfoSecurity.com: Is the EPA looking into employing new technologies securely, such as cloud computing?
Davis: By focusing on integrating the information security, program management, investment and system development life cycles, the agency is working toward a model that ensures all technologies are employed securely.