Deputy Director, Office of Information Assurance, U.S. Department of State

Innovative IT Security Tools and Techniques at the Department of State

By · February 5, 2009 · 12:00 pm

For those of you in the Federal IT community who are not engaged in the area of IT security as your primary pursuit, I thought you might be interested in hearing about some of the innovative tools and techniques that we employ at the Department of State to secure our worldwide network.  This is the first of a series that will hopefully inform and enlighten the Federal IT community, resulting in an exchange of ideas.

In this fast-paced world of information technology, new threats appear daily that result in volumes of lost personally identifiable information and crimes including identity fraud.  To enable the Department’s mission of foreign policy and diplomacy while protecting sensitive information, the Department’s IT security professionals are working non-stop to prevent cyber attacks and engage Department staff in actively thwarting efforts to hack systems.

Reporting directly to the Chief Information Officer at the Department of State, the Information Resource Management Bureau’s Office of Information Assurance (IRM/IA) has instituted several initiatives to proactively address cyber security risk and assist IT professionals in managing their bureau and post information system security.  These initiatives include the Site Risk Scoring program, customer toolkits, and the Joint State-USAID Solution (JSAS) for cyber security awareness training.

Site Risk Scoring

The initiative known as Site Risk Scoring is helping the Department increase security awareness and reduce risk at sites connected to our global network.  Site Risk Scoring monitors system vulnerabilities and compliance settings to alert system administrators as well as senior management to the risk associated with their network site.  Notifications of these system weaknesses prompt immediate attention where the need and risk are greatest.  Since program inception, risk scores have steadily decreased across the Department by 50%.

Customer Toolkits

IRM/IA developed online toolkits to assist IT professionals in understanding how best to complete the IT security requirements designed to better protect Department information. These toolkits are organized in an easy-to-understand question-and-answer format, and are continually updated to reflect new policies and procedures.  The toolkits aim to create secure, cyber-savvy environments throughout Department offices, thus making IT security more accessible, understandable, relevant, and timely.
The topics covered by the toolkits include how to inventory information systems; the process of Certification and Accreditation; tracking and closing Plans of Action and Milestones; conducting Annual Control Assessments; and Site Risk Scoring.

JSAS – Providing Cyber Security Awareness Training

Selected by the Office of Management and Budget as one of only three providers for the Information Systems Security Line of Business (ISSLOB) for information security awareness training, JSAS provides a joint State Department and USAID solution for cyber security awareness training. JSAS provides an automated, yearly cyber security awareness training course and a recurring cyber security “Tip of the Day” program.
The annual cyber security awareness course provides real-world scenarios that help users understand how best to apply information security policies.  The course annually tests users’ knowledge and understanding of policies and procedures to ensure comprehension.

The “Tip of the Day” application provides a recurring security reminder and can be implemented for all network users or for specialized groups of users.  Each time a user logs in, a pop-up window opens with a security question that must be answered in order to close the screen. Responses to the security questions are recorded along with user IDs, so that managers can track progress.  Combining the data from the Tip of the Day questions and the annual security awareness course allows management to detect and remediate weak spots in cyber security awareness.

Because technology changes daily and users need to be aware of new security requirements when they arise, not months later, the Tip of the Day tool provides the flexibility to insert tips on timely threats.  Site Risk Scoring, customer toolkits, and the JSAS cyber security awareness training are all tools in the Department of State’s effort to educate users and reduce risk. One of the Department of State’s missions is to continually assess standards for improvement to protect Department information while supporting Department business needs.

I am about to embark on a two-week TDY assignment to Southern Africa to visit our missions and gain a better understanding of overseas posts’ operating realities and mission.  During my visit to South Africa, Swaziland, Mozambique and Botswana I want to better understand how we can serve our diplomats in securing the Department’s information.  Look for my reports from the field as I experience this wonderful journey!

Gary R. Galloway has been the Deputy Director of the Office of Information Assurance (IRM/IA) since May 2007. He also is serving as Acting Director of IRM/IA’s Enterprise Risk Division. Prior to arriving in IRM/IA, Mr. Galloway was Deputy Director and Director for Business Technology of the Office of eDiplomacy from April 2003 – May 2007, serving as Acting Office Director from July 2005 – January 2006. He has been an employee of the Department of State since 1986 and has been with the Bureau of Information Resource Management since 1996. Mr. Galloway brings extensive knowledge of the Department’s IT infrastructure and a full understanding of the application of technology to IRM/IA’s mission of protecting the Department’s information systems and networks. Mr. Galloway began his career with the Department of Interior and worked briefly at the Office of Personnel Management and the Department of Labor prior to coming to State. He came to the State Department as a programmer analyst in the Bureau of Resource Management, rising to the position of Director of Systems Operations in 1993. His tenure in IRM began as a Senior Policy Advisor to the first Chief Information Officer in State, followed by tenure as a Senior Advisor to the Deputy CIO for Architecture, Planning and Regulation. Mr. Galloway is the recipient of numerous Department awards, including the Superior Honor Award in 2006 and the Meritorious Honor Award on multiple occasions. Mr. Galloway is an active member of the American Council for Technology (ACT) and a graduate of the prestigious Industry Advisory Council (IAC) IT Partners Program, winning the Outstanding Partner of the Year award for the Class of 2006. He is also a member of the Government Advisory Panel for IAC’s Information Security and Privacy Special Interest Group and the Symantec Government Symposium Advisory Board, in addition to serving as the Government Vice-Chair for the ACT-IAC 2009 Management of Change Conference. Mr. Galloway serves as a mentor for the ACT-IAC Voyager Program and the Department of State Civil Service Mentoring Program. He is also a member of the Montgomery County Boys and Girls Club Board of Directors. Mr. Galloway is a member of the Association for Federal Information Resources Management, serving as co-chair of the eAFFIRM committee, and has been a guest speaker for the American Electronics Association (AeA) and the Armed Forces Communications and Electronics Association (AFCEA). Mr. Galloway earned his Bachelor of Arts degree from the University of Pennsylvania, and was awarded a Master of Science degree in National Resource Strategy with an Information Strategies Concentration from the Industrial College of the Armed Forces, National Defense University. He is a native of Washington, D.C. and lives in Silver Spring, Maryland with his wife, Monroe, and son, Reginald, who is a student at Princeton University.