The Department of Transportation Chief Information Officer of DOT  
Information Assurance/IT Security Program
Dramatic increases in computer connectivity are revolutionizing the way our government, our nation, and the world communicate and conduct business - the benefits have been enormous. However, with these benefits have come significant risks to our information technology (IT) systems and, more importantly, to the critical operations they support.

The Department of Transportation (DOT) relies heavily on the use of IT to conduct our business. Maintaining the security of these IT systems is vital to the mission of DOT. The Office of the Chief Information Officer (OCIO) is responsible for the overall management and guidance of the Department's IT Security Program. The OCIO develops and promulgates IT Security policy and guidance for DOT. The DOT Operating Administrations are responsible for the implementation of this policy in the management of their IT systems. The vision for the IT Security Program is:

A World Class Program that Enables the Safety, Mobility, and Efficiency of the Critical Transportation Infrastructure

Within the DOT, we are committed to a World Class IT Security Program that protects the confidentiality, integrity, and availability of our critical systems and data. Our program is formed on the basis of risk management principles - an organization must understand the business requirements for IT, identify the threat and associated vulnerabilities of IT operations, and implement cost-effective countermeasures to mitigate the risk. Our program consists of the following components:
  • Agency Security Strategy - The goals for the IT Security Program are documented in the DOT performance plan, and are tied to the budget via the IT Capital Planning Process.

  • Department-Wide Governance Structure - The policies and procedures for the IT Security Program are outlined in the Department Information Resource Management Manual (DIRMM). These policies and procedures define the requirements for IT security, as derived from legislative requirements and federal policies and procedures.

  • A Technical Framework - Technical security controls are those controls within a computer system or network that protect the system from attackers. They are reviewed during the certification and accreditation process and during audits. The Department is also currently integrating security standards as a component of the Enterprise Architecture Process.

  • Security Management Programs - These programs define an organizational framework for identifying and assessing risks, deciding what policies and controls are needed, periodically evaluating the effectiveness of these policies and controls, and acting to address any identified weaknesses. Department-Wide Security Management Programs include Incident Response, Certification and Accreditation, Risk Management, Service Continuity, and Performance Measurement.
Graphic provides a pyramid diagram of the description of the DOT IT security program. At the top is the agency security strategy, followed by the governance structure, technical framework, security management programs sitting on the base of enterprise architecture and capital planning.

As shown in the illustration, the success of our program is enabled by people, process, and technology. Questions regarding our program should be directed to Philip Loranger, Deputy Chief Information Security Officer, at 202.366.5636.