4: IT Lifecycle Security
Ensure that IT security is incorporated into the lifecycle of every IT investment.

Other Information:
Secure One HHS – Emphasis on IT Security Department-Wide: Two fundamental trends within the Federal Government have a marked impact on IT at HHS. First, the drive for greater efficiency in Federal IT spending is forcing Federal departments and agencies to look for shared infrastructures and services to support their operating divisions. Second, services to the public and other stakeholders are being improved by conducting business on-line. The result of these two trends is that, as HHS OPDIVs become increasingly connected to one another, they are also opening their networks to citizens, businesses, academic institutions, and other stakeholders. As OPDIVs place more transactions on-line, the criticality of those systems increases exponentially. Unfortunately, so do the risks to those systems. And as the OPDIVs move toward a shared infrastructure, the security risk assumed by one is shared by all.

The status quo security practices that currently protect OPDIVs at varying levels will not be enough. Baseline security standards and practices need to be established to protect all OPDIVs in this decentralized environment. In this changing world of new threats, instilling a culture of increased awareness and a mindset of preventive action is necessary. In a Federal agency, IT security cannot be an afterthought; it must be integrated into the Department's vision, mission, and business lines. In addition, HHS has taken on a new role in homeland security and needs to improve its security practices to meet these obligations. It is critical that we incorporate security into the daily activities of HHS employees at all levels. Accordingly, all IT leaders in the Department must support the notion of IT security as a way of life.

These reasons prompted the HHS CIO and the HHS Chief Information Security Officer (CISO) to develop an overarching IT Security Program. Understanding that HHS OPDIVs face unique business requirements, the challenge was to develop an IT Security Program that allowed for both compliance and flexibility. Based on GAO best-practice guidance and on HHS IG and OPDIV reviews, HHS has set up an overarching IT Security Program called Secure One HHS. The program's goal is to provide support and guidance, address OPDIV security needs and concerns, and meet HHS security responsibilities. The Secure One HHS mission is to "foster an enterprise-wide secure and trusted IT environment in support of HHS' commitment to improve the health, safety, privacy, and well-being of the American people."

To meet the aggressive demands of an enterprise-wide HHS IT Security Program, strong governance with clearly defined roles, responsibilities, and security expertise is required. By establishing the program at the headquarters level and supporting universal security requirements, HHS will achieve a consistent IT security baseline across the OPDIVs. The Secure One program will then be driven by close coordination and collaboration with each OPDIV to ensure that their needs and expectations are identified and addressed. OPDIVs will then be responsible for custom implementation at their level, based on each OPDIV's unique needs and goals. Further information on the Secure One program can be found in the HHS Annual IRM and Performance Plan or by contacting the HHS CISO.
Indicator(s):